The attack on the global financial organization International Monetary Fund appears to have been triggered by a spear phishing attack. Security experts are speculating it was state-sponsored.
The International Monetary Fund was targeted by attackers
over several months earlier this year, The New York Times reported. Many
security experts are speculating the attackers may have had some support from a
The cyber-attackers appeared to have deliberately infected a
computer at the IMF with malware designed to steal information, according to The New York Times
. The intrusion was "a very major breach," an anonymous
official said in the June 12 article.
IMF employees received email warnings on June 1 about
"increased phishing activity" and were instructed to not open emails from
unknown senders, access unexpected attachments or click on video links. While
employees and IMF board members reportedly received an internal memo on June 8
about the actual cyber-attacks, the IMF has yet to publicly acknowledge the
"We are investigating an incident, and the fund is fully
functional," David Hawley, a spokesman for the IMF said, but declined to
provide any details.
"Suspicious file transfers" had been detected and an IMF
computer had been "compromised and used to access some Fund systems," an
internal memo said, adding there was "no reason to believe that any personal
information was sought for fraud purposes." It is not clear what data, if any,
may have been stolen.
told Bloomberg that the cyber-attack was state-sponsored
but did not name any countries. While the attack must have been very
sophisticated, the very nature of the organization that was attacked makes the
accusation more plausible, Adam Vincent, CEO of CyberSquared, told eWEEK. The
information held by the IMF would be more valuable to a country than to an
Washington-based IMF is an organization of 187 countries
that stabilizes global finances. IMF approved $91.7 billion in emergency loans
in 2010 and provided bailout packages for a number of countries in Europe and
around the world. The IMF's servers contain financial information for its
member countries as well as private details of negotiations on the terms of
bailout programs. The information would be considered "political dynamite," an
IMF official said.
The World Bank briefly cut its network connection with the
IMF out of "an abundance of caution" but resumed normal operations, the BBC
The malware created a "digital insider presence" on the
compromised PC and was likely the result of a spear phishing attack, said
Vincent. While phishing attacks are often used to steal login credentials and
credit card information, spear phishing is a "great way" for attackers to
compromise a machine and get a foothold into the network, Vincent said.
Spear phishing succeeds because the attackers are following
the "path of least resistance" to trick users into clicking on something they
shouldn't, Mark Hatton, president and CEO of Core Security, told eWEEK. "Hackers
are not looking to 'force' their way in," Hatton said.
Organizations can defend against these attacks, Hatton said.
Instead of just taking defensive methods, security professionals need to "think
like the hackers do" and use proactive methods to prepare their network and
train their users, according to Hatton.
An advanced persistent threat such as this incident is not
new and organizations have been under attack over the past 10 years or so,
Vincent said. What has changed is the willingness amongst organizations to
acknowledge being victims. If Google
and RSA Security
can get hacked, then it's okay to
admit they've been attacked. "People are feeling more comfortable standing up
and saying -me too,'" Vincent said.
Attackers have widened their list of targets substantially
in recent years, according to Vincent. Ten years ago, most APTs focused on
governments and five years ago, most targets were government contractors. The
recent attacks have shown that "anyone in the supply chain" can be attacked,
The IMF also relies on RSA SecurID tokens for authenticating
users, but did not believe that the cyber-intrusion was linked to the
tokens, The New York Times said. Attackers stole information relating
to the two-factor
authentication technology from RSA Security in March and used it to
defense contractor Lockheed Martin
The attacks occurred before the recent scandal broke about
Dominique Strauss-Kahn, the IMF chief, being arrested on charges of assaulting a maid in a
New York hotel, according to The New York Times.