IMF Breach May Be State-Sponsored Spear Phishing Attack

The International Monetary Fund was targeted by attackers over several months earlier this year, The New York Times reported. Many security experts are speculating the attackers may have had some support from a nation-state.

The cyber-attackers appeared to have deliberately infected a computer at the IMF with malware designed to steal information, according to The New York Times. The intrusion was “a very major breach,” an anonymous official said in the June 12 article.

IMF employees received email warnings on June 1 about “increased phishing activity” and were instructed to not open emails from unknown senders, access unexpected attachments or click on video links. While employees and IMF board members reportedly received an internal memo on June 8 about the actual cyber-attacks, the IMF has yet to publicly acknowledge the incident.

“We are investigating an incident, and the fund is fully functional,” David Hawley, a spokesman for the IMF said, but declined to provide any details.

“Suspicious file transfers” had been detected and an IMF computer had been “compromised and used to access some Fund systems,” an internal memo said, adding there was “no reason to believe that any personal information was sought for fraud purposes.” It is not clear what data, if any, may have been stolen.

An anonymous security expert told Bloomberg that the cyber-attack was state-sponsored but did not name any countries. While the attack must have been very sophisticated, the very nature of the organization that was attacked makes the accusation more plausible, Adam Vincent, CEO of CyberSquared, told eWEEK. The information held by the IMF would be more valuable to a country than to an individual.

Washington-based IMF is an organization of 187 countries that stabilizes global finances. IMF approved $91.7 billion in emergency loans in 2010 and provided bailout packages for a number of countries in Europe and around the world. The IMF’s servers contain financial information for its member countries as well as private details of negotiations on the terms of bailout programs. The information would be considered “political dynamite,” an IMF official said.

The World Bank briefly cut its network connection with the IMF out of “an abundance of caution” but resumed normal operations, the BBC reported.

The malware created a “digital insider presence” on the compromised PC and was likely the result of a spear phishing attack, said Vincent. While phishing attacks are often used to steal login credentials and credit card information, spear phishing is a “great way” for attackers to compromise a machine and get a foothold into the network, Vincent said.

Spear phishing succeeds because the attackers are following the “path of least resistance” to trick users into clicking on something they shouldn’t, Mark Hatton, president and CEO of Core Security, told eWEEK. “Hackers are not looking to 'force' their way in,” Hatton said.

Organizations can defend against these attacks, Hatton said. Instead of just taking defensive methods, security professionals need to “think like the hackers do” and use proactive methods to prepare their network and train their users, according to Hatton.

An advanced persistent threat such as this incident is not new and organizations have been under attack over the past 10 years or so, Vincent said. What has changed is the willingness amongst organizations to acknowledge being victims. If Google and RSA Security can get hacked, then it’s okay to admit they’ve been attacked. “People are feeling more comfortable standing up and saying ‘me too,’” Vincent said.

Attackers have widened their list of targets substantially in recent years, according to Vincent. Ten years ago, most APTs focused on governments and five years ago, most targets were government contractors. The recent attacks have shown that “anyone in the supply chain” can be attacked, Vincent said.

The IMF also relies on RSA SecurID tokens for authenticating users, but did not believe that the cyber-intrusion was linked to the tokens, The New York Times said. Attackers stole information relating to the two-factor authentication technology from RSA Security in March and used it to attack defense contractor Lockheed Martin last month.

The attacks occurred before the recent scandal broke about Dominique Strauss-Kahn, the IMF chief, being arrested on charges of assaulting a maid in a New York hotel, according to The New York Times.