The U.S. Securities and Exchange Commission (SEC) announced on January 10 this year that it had formally approved the listing and trading of exchange-traded products (ETPs), including spot Bitcoin ETFs. The news, however, had leaked a day early, on January 9, through the SEC's official X account @SECGov. On Monday (January 22) the SEC published the results of its investigation into the incident, stating that an attacker gained access to the @SECGov account through a SIM swap attack and posted the information without authorization.
On January 9 the SEC's X account @SECGov posted that spot Bitcoin ETFs had been approved. Fifteen minutes later the SEC stated that the account had been compromised and that the post had not been drafted, created or published by the SEC. Within a short time the price of Bitcoin first spiked to US$48,000 and then fell to US$45,000. At the time, the market did not know that the SEC would in fact formally announce the approval the following day.
The incident led the SEC, the SEC Office of Inspector General and the U.S. Federal Bureau of Investigation (FBI) to open a joint investigation. After consulting the SEC's telecom carrier, they determined that the attacker had taken control of the phone number associated with @SECGov through a SIM swap attack. SIM swapping is a technique in which a phone number is transferred to another device without the user's authorization, allowing the unauthorized party to start receiving voice calls and text messages tied to that number.
After gaining control of the phone number tied to the @SECGov account, the attacker reset the account's password. Law enforcement is still investigating how the attacker got the carrier to change the SIM card for that number, and is also trying to establish how the attacker knew which phone number was linked to the @SECGov account.
However, another major reason the incident could happen at all is that, at the time of the attack, multi-factor authentication was not enabled on the @SECGov account.
The SEC explained that multi-factor authentication (MFA) had originally been enabled on the @SECGov account, but in July 2023, after problems accessing the account, X's technical support disabled the account at the request of SEC staff. After re-establishing access to the account, the SEC staff did not re-enable MFA, and it remained off until the recent SIM swap attack. The SEC has now enabled MFA on all of the social media accounts it uses.
The SEC also stressed that the attack was carried out through the telecom carrier rather than through SEC systems, and that apart from the @SECGov account on X, no evidence has been found of the attacker accessing SEC systems, data, devices or other social media accounts.