Cyber Threat Actor: Christine Moses Email Hacker
| Actor Type | Location | Known Incidents |
|---|---|---|
| Hacker | United States of America | 1 incident |
Profile
The threat actor known by the alias Christine Moses Email Hacker is publicly associated with a single documented incident targeting the Lake Oswego School District in the United States on or around July 5, 2018. This alias directly references the method of initial compromise, where an employee's email account was accessed without authorization. The attacker then used that compromised account to send phishing links to approximately 200 students. Concurrently or subsequently, the district's official Twitter account was also breached and used to post an unauthorized message announcing a false change in ownership. While the phishing email campaign preceded the Twitter account takeover, investigators at the time did not establish a definitive technical link connecting the two events to the same actor or actors, leaving the full scope of the intrusion uncertain.
The observable tactics, techniques, and procedures (TTPs) from this reported operation involve credential compromise leading to social engineering and account takeover. The primary initial access vector was the unauthorized access to a specific employee's email account, which served as a trusted platform to launch a phishing attack against a broader student population. This demonstrates a focus on leveraging compromised legitimate accounts for lateral phishing within an organization's community. The secondary action, the hijacking of the district's Twitter account, indicates an additional objective of public disruption or reputational harm through a high-visibility social media channel. No specific malware families, custom tools, or broader infrastructure are described in the public reporting. The attacker's strategic objectives appear to combine elements of credential harvesting via phishing with direct public messaging disruption, though the ultimate motive—whether financial gain, notoriety, or a test of capabilities—remains unspecified. No state sponsorship, criminal consortium affiliation, or other campaigns are credibly attributed to this alias in available public sources, and the incident report explicitly notes that the extent of any deeper system access or additional compromise was unclear.
