Was the IMF Hacked by its Own Members?

A recent cyber attack on the IMF resulted in the loss of a “large quantity” of data, including emails and documents, a person familiar with the incident told Bloomberg.

Many experts believe the incident was a state-sponsored attack connected to foreign governments, and while the IMF has been quiet on the issue, if this is the case, it’s likely that the attacker could be an IMF member.

The International Monetary Fund (IMF), with 187 member countries, oversees the international monetary system and monitors the financial and economic policies of its members, working to bring stability in the international system, facilitate international trade, and promote high employment and sustainable economic growth around the world.

It keeps track of economic developments on a national, regional, and global basis, consulting regularly with member countries and providing them with macroeconomic and financial policy advice.

Sources have said that an internal memo coming from Chief Information Officer Jonathan Palmer told IMF employees that suspicious file transfers were detected and that a desktop computer at the organization had been compromised. Palmer warned employees to be on guard and to watch for phishing attacks and other malicious files and links. “Last week we detected some suspicious file transfers, and the subsequent investigation established that a Fund desktop computer had been compromised and used to access some Fund systems,” Palmer wrote.

"The IMF attack was clearly designed to infiltrate the IMF with the intention of gaining sensitive 'insider privileged information'," Mohan Koo, a cyber security specialist and Managing Director at Dtex Systems, told Reuters in London.

Tom Kellerman, CTO at AirPatrol, who formerly worked for both the IMF and the World Bank, told Reuters that the attackers had aimed to install software that would give a nation state a "digital insider presence" on the IMF network. “The code used in the IMF incident was developed specifically for the attack on the institution,” Kellerman said.

While the IMF is reportedly replacing its RSA SecurID tokens, the organization doesn’t believe there is a connection. “Nothing indicates that the SecurID tokens played a role in this intrusion,” Palmer said in the memo. "The International Monetary Fund stated in The New York Times article on Saturday, June 11, that it did not believe that the intrusion into its systems was related to the attack on RSA’s systems that took place in March," an RSA spokesman told SecurityWeek. Documentation obtained by SecurityWeek revealed that the IMF has used RSA SecurID tokens in its extranet system.

In response to the incident, the IMF said it severed its network connection to the World Bank as an additional security measure.

"Hackers are using what are well-understood techniques, such as spear phishing, to compromise some of the most important computer systems around the world,” said Mark Hatton, president and CEO of Core Security. “There are tools that could help train users and organizations to be more aware of these attacks and prevent them from being successful, but most organizations don’t utilize them for fear of being politically correct. Only a fraction of global companies test their end users, as the red tape and HR concerns make it a political nightmare,” Hatton added.

2011 has seen a spike in high-profile attacks. Last week, Citibank reported that approximately 210,000 of its credit card customers were affected by an online service breach. Other recent successful cyber attacks include HB Gary, Sony, RSA, Comodo, and more.

Why the recent uptick in attacks? “The answer seems to lie in the fact that the growing complexity of enterprise network infrastructure is introducing too many potential attack vectors for understaffed security teams to properly close off,” according to Adam Powers, CTO at Lancope, a provider of security and performance monitoring solutions. “Web 2.0 technology has made it all too easy to deploy complex, feature-rich applications to the web. As companies make more and more services available to their Internet users, the potential attack surface grows,” Powers adds. “If an attacker can't find a hole in one web app for a given target company, they can just try another of the company's ten different web-based apps.”

“Hackers are not looking to ‘force’ their way in. The path of least resistance is to trick an end user into clicking on something that they shouldn’t,” Core Security’s Hatton added. “Again, defensive-minded approaches are not enough, as these attackers are going right to the soft underbelly of security, people. What is needed is a proactive approach to test systems for breaches before they occur. It's time for the security professionals to think like the hackers do.”

Motives Unknown

While it’s unclear what the motives were behind the IMF attack, and what data was taken, the IMF maintains extremely sensitive information on global economies and discussions and negotiations taking place between world governments and the organization. This information is extremely valuable.

In February 2011, the NASDAQ acknowledged that its Directors Desk, a platform used by over 10,000 board members to communicate and collaborate securely, had been compromised and had been infected with an undisclosed “suspicious file.” Successfully gaining access to communications taking place on the Directors Desk platform would provide incredible inside information, which could lead to serious profits. A similar situation could be realized with inside information extracted from the IMF.

It’s unclear what nation, if any, may be behind the attack, but by default, and based on recent attacks, fingers typically point to China. “China is a state that is very aggressive at collecting intelligence through these means,” Mike Hayden, a former director of the Central Intelligence Agency, said in an interview with Bloomberg News in February. “They are not bashful at all,” Hayden added.

Is the attack nation-sponsored espionage coming from a country looking to gather inside information on governments from around the world? Or is the attack part of a cybercrime ring looking to gather confidential information on global markets with intent to profit? Only time will tell, but it could be part of a larger scheme to disrupt financial markets.

Alexander Klimburg, a cyber security specialist at the Austrian Institute for International Affairs, told Reuters the effort to siphon sensitive information from the IMF could be a "Name and Shame" initiative. "This is potentially a great opportunity to launch a 'communal' investigation into an attack on a 'communal' institution," Klimburg told Reuters. "If fingers can be pointed, they should be pointed. The only way to stop such attacks is 'naming and shaming', and in this case, unlike those of individual national governments, there is a clear global interest at stake."

Hedge fund manager Doug Kass of Seabreeze Partners Management, called a “Master market timer and predictor” by CNBC, made a bold prediction during CNBC’s Fast Money program in December 2010. “The Internet becomes the tactical nuke of the digital age. I believe that cybercrime is going to explode exponentially next year as the Web is invaded by hackers. And my surprise is that we will see a specific attack on the New York Stock Exchange which has a profound impact, causes a week-long hiatus in trading which will cause an abrupt slowdown in travel and domestic business,” Kass said.

SecurityWeek contributor Matt Hines wrote a column in February on how subtle manipulation via cyber attacks could slowly turn electronic markets on their heads by corrupting their very legitimacy. “Print this post out, ball it up, and throw it on the FUD fire if you like, though I myself believe it to be true,” Hines writes.

The IMF has not responded to an inquiry from SecurityWeek sent over the weekend.
