Bored bloke takes control of British Army 'psyops' unit's Twitter
Great recruiting tool there, folks
A crafty joker seized control of the British Army's "influence and outreach" Twitter account – and labelled the military unit "fun sponges" when they tried to get it back.
77 Brigade is the Army's social media influence unit. Rather than posting branded Instagram selfies and the like, they carry out information operations and similar things. It is staffed by a mix of full-time soldiers and part-time reservists.
As the unit's official page puts it in impenetrable military management-speak, its job is to "challenge the difficulties of modern warfare using non-lethal engagement and legitimate non-military levers as a means to adapt behaviours of the opposing forces and adversaries".
This very serious psyops-a-like unit failed to see the funny side when someone who only identified himself to El Reg as "boredbloke" found a way of taking over the brigade's Twitter account.
Boredbloke told El Reg: "The facts are, we have a unit that works in information and communication that uses social media to aid their recruiting process. The myth is we have an elite unit of hackers, propagandists and ne'er-do-wells who crawl social media to plant stories, influence opinion and generally manipulate things on behalf of government. So a juicy target if they were hacked themselves!"
He continued: "I spotted a gaping hole. Had a 'bad person' spotted the same hole, it would have led to chaos and at the least embarrassment; at the worst, something much more sinister or damaging."
Thus did the @77th_Brigade Twitter account find its way into the hands of someone who was very much not part of 77 Brigade. Boredbloke told us this was because actually reporting the vuln he had spotted was rather hard.
"I tried to tell them. Have you ever tried to contact the Army, Navy or RAF? Emails go unanswered and phoning them, whilst easy, is a nightmare of finding the right person, especially when trying to remain anonymous," he told us. "'Bug bounty', you say? Do not have one for this type of attack. Whistle-blowing was an option, but you need to tell them who you are and that has really bad karma. There are numerous examples of grey-hats telling organisations about gaps in the fence but then immediately ending up in the cross hairs."
It was like removing the car keys from a neighbour's ignition
On whether it was right to take over the account, Boredbloke said: "I viewed it to be like seeing your neighbour's car sitting in their drive with keys in ignition and engine running for hours and hours. So I had taken the keys but if then caught with them by the police, I would have some explaining to do."
Eventually, after taunting the Army's official (and, apparently, better-manned) Twitter accounts the @77th_Brigade account, which Boredbloke renamed @79th_Brigade, was eventually recovered by the military – and was quickly locked so non-followers can't read its tweets.
Army social media psyops bods struggling to attract fresh bloodREAD MORE
In spite of its name, 77 Brigade is not an actual brigade, a military formation that normally covers thousands of personnel. Instead it is slightly smaller than a battalion, comprising around 450 bods compared to the 650 who are normally employed in a full-strength infantry unit.
A couple of years ago we reported that 77X was struggling to recruit. The unit is named after Brigadier Orde Wingate's famous Chindits of the Second World War, who carried out daring special ops raids many miles behind Japanese lines in the Far East.
Pointing out that 77 Bde, according to its own blurb, counts a number of people in its ranks "who think differently to the norm", Boredbloke concluded: "I assumed they would have had the whole Brigade trying to get control of an account that I had just dumped back into the wild. But nobody did. It just sat there. So I tried to get it back. And it worked, I got it back for the second time – but in this case I had warned them, told them, explained it in DMs and yet I could still do it."
Our source passed on this message, which will hopefully be read by someone who cares: "Can I suggest you set up a mechanism for vulnerabilities to be notified [and] that you have a business continuity plan in place for when this happens again?"
The Twitter account has since been made, er, private.
The Ministry of Defence denied that 77 Brigade had a Twitter account, with a spokeswoman telling us: “77th Brigade does not currently have any social media accounts. We were aware of a parody account posing as 77th Brigade.” ®
Sponsored: Becoming a Pragmatic Security Leader