IMF confirms attack, as rumours of spear-phishing and nation-sponsorship begin

News by Dan Raywood

The International Monetary Fund (IMF) has confirmed that it was hit by a large and sophisticated cyber attack.

The International Monetary Fund (IMF) has confirmed that it was hit by a large and sophisticated cyber attack.

While the IMF is without a leader following scandal surrounding former managing director Dominique Strauss-Kahn, a spokesperson confirmed that there had been ‘a very major breach' of its systems recently.

According to media reports, cyber security officials said the hack was designed to install software to create a ‘digital insider presence'. It was also reported by Bloomberg that according to one IMF memo, the fund's network connection to the World Bank was severed ‘as a precautionary measure'.

IMF spokesperson David Hawley told BBC News that it was not in a position to elaborate further on the extent of the cyber security incident, but said: “I can confirm that we are investigating an incident.”

According to the New York Times, Hawley said that it was investigating the incident and that the fund remained fully functional. The New York Times also claimed that officials declined to say where they believe the attack originated a delicate subject because most nations are members of the fund, but speculated that the attack may originate to a spear phishing attack.

BBC News also reported that an IMF staff had been told of the intrusion by email which warned of 'suspicious file transfers' that had been detected and that an investigation had shown a desktop at the fund had been ‘compromised and used to access some Fund systems'.

Bloomberg also reported that according to a person familiar with the incident who chose to remain anonymous, the intrusion was nation-sponsored.

Stewart Room, partner at Field Fisher Waterhouse, called the news ‘deeply troubling', as it provides further evidence of systematic attacks on critical infrastructures and systems.

He said: “How long will these attacks be tolerated before politicians react to pass general legislation for cyber security? Legislation is desperately needed. The first priority is to protect critical infrastructures, but we should be cautious not to end there.

“There is no bright line test to determine what is critical infrastructure and it would be much more appropriate in my opinion to introduce legislation that contains a general obligation for security where a person or organisation is in control of data and/or computer and communications systems, the resilience of which needs to be assured in order to prevent harm to national interests, society, the economy or individuals.”

David Harley, senior research fellow at ESET, said: “In the absence of any detailed information from the IMF itself, it's not surprising that most of the surmise around the attack is based on internal IMF memos quoted by Bloomberg and much of it is rather tenuous. So we learn from various sources that the attack precedes the arrest of Dominique Strauss-Kahn (which seems to have little or nothing to do with it), that it wasn't connected to an attack by Anonymous (LulzSec were apparently too busy publicizing porn-site-related info) or to RSA SecureID tokens, and that the IMF believe no personal information was ‘sought for fraud purposes'.

“In other words, we know more about what it probably wasn't than we do about what it was, though it may have been associated with a spear-phishing attack. Leaving aside the what and how, the other interesting question is ‘why?' Bloomberg quite unequivocally ascribe it to a ‘state-based attack', which suggests someone exploring the possibility of the sort of global finance-directed attacks that probably keep all our leaders awake at night.

“So is it a targeted ‘spear-phishing' affair or ‘testing the waters' to see what's there? Either way, it seems that someone is interested in using information in ways that could go far beyond market-moving cyber crime to all-out economic warfare.”

Ross Brewer, vice president and managing director for international markets at LogRhythm, said: “As yet another high profile organisation falls victim to a data breach we are once again forced to question whether it is actually possible to protect data from hackers. The sheer number of headline grabbing incidents suggests that attempts to prevent cyber attacks from occurring in the first place may be ineffective and that a new approach is required.”

Mark Darvill, director at AEP Networks, said that what concerned him was the fact that the attack took place over several months and was targeted at an individual employee.

“The attempt to establish a fake ‘digital insider presence', whether it is another state or a malicious individual, needs to be looked at extremely carefully. Once something is digitally signed, it is essentially assumed legitimate and given roaming rights,” he said.

“The possibility of a large-scale cyber attack disrupting our power, finance, security and governmental systems is becoming more and more of a possibility in today's world. Organisations holding vital information that support our economy or protect our critical infrastructure need to scale up their security measures if they are to avoid falling victim to such attacks.”

Commenting on the fact that this attack was possibly caused by spear phishing, David Beesley, MD of consultancy Network Defence said: “As we've seen, it makes these attacks effective against any size of organisation. Really, firms need to use a mix of user education and layered security solutions to defend themselves. Employees should be aware that even plausible-looking emails should be treated with suspicion and IT teams should look at their anti-virus and anti-spam solutions to try and stop malware propagating.”

Richard Walters, CTO of Invictis, said: “The severity and extent of the infiltration of systems at the IMF is further evidence that state-sponsored highly-targeted custom written attack code is becoming increasingly widespread.

“Current security point products are not providing adequate prevention and in the case of the IMF, with the attack taking place over several months, clearly insufficient analysis of outbound traffic was taking place even to provide timely detection of the 'suspicious file transfers'.

“Organisations, including global enterprises, need to be aware of exactly how complex the 'products' of organised criminal owned and state-sponsored 'software factories' are becoming. Right now they are being consistently out-manoeuvred and losing the game of chess albeit against formidable adversaries.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews