IMF Attack: 1 of Dozens of Breaches?

Analyst Says 'It's Time to Roll Out the Defenses'
On June 12, The Wall Street Journal reported IMF spokesman David Hawley confirming that "an IT incident" had affected IMF's systems, and that staff had been notified to report anything suspicious going forward. "We're investigating it, and the fund is completely functional," Hawley said.
The IMF, a multinational organization that supports global monetary cooperation, financial stability and international trade, last week reportedly suffered an attack on its computer systems. The IMF holds confidential information about numerous countries in financial trouble.
The Federal Bureau of Investigation is reportedly investigating the incident.
After word of the breach was publicized over the weekend, the World Bank deactivated a cyberlink it has with the IMF, one that allows the two organizations to share non-sensitive information and collaborate on economic concerns of member nations.
A former cybersecurity specialist at the World Bank, who told The Wall Street Journal he had been tracking the IMF incident, says the attack on the IMF was perpetrated by a new kind of malware, one that gave hackers broad access to and views of the IMF's systems - perhaps designed to gain market-moving insider information.
Online security specialist Neil Schwartzman says the World Bank's precautionary step to sever its cyberconnection with IMF was the best security decision the World Bank could have made. "The World Bank, in cutting their computer link to the IMF, has stumbled upon one of the most effective ways to protect computer data: by taking the data offline," he says. "There really are no solutions to these issues. ... We need to improve our locks, appropriately, but also consider keeping our most valuable assets with us at all times."
The IMF incident is the second known attack on a financial network in the past week. Just days before the IMF incident, Citigroup acknowledged its Citi Account Online platform had been hacked, possibly exposing personally identifiable information about hundreds of thousands of Citi customers. [See Citi Breach Exposes Card Data.]
Given the timing of the IMF breach, on the heels of so many similar incidents, Litan speculates that they could be connected.
"It appears as though there are still dozens of similar yet still undisclosed breaches that have taken place in the U.S. government and defense domain during the same time frame," says Litan, vice president and distinguished analyst at Gartner Research. "My guess is that it is the same set of bad actors who are behind the attacks focused on military, government and economic intelligence. Of course, no one knows who the attackers are, and some seem to think they may be government agents. It seems more likely that they may be highly unethical individuals and contractors using these attacks for financial gain as they compete for business in seemingly legitimate ways."
Phishing: Likely Culprit

The IMF breach was likely initiated via a targeted spear phishing attack that compromised someone internally, Litan says.
"It sounds, from the basic and minimal reports so far, that the bad actors used similar tactics as have been used in most of the recent breaches that have taken place lately," she says. "That is, hacking into systems through spear phishing that downloads malware to employee desktops which is then used to infiltrate systems through regular employee user accounts."
Although potentially devastating, these breaches are preventable, Litan says. "These types of attacks can be stopped with a layered fraud-prevention approach that starts with secure browsing and includes multiple layers of user and account monitoring, and appropriate interventions."
Dave Jevans, chairman of online security vendor IronKey Inc. and the Anti-Phishing Working Group, a consortium of more than 1,500 financial-services companies, Internet service providers, law enforcement agencies and technology vendors dedicated to fighting e-mail fraud and identity theft online, says security managers should consider investing in browser-isolation products, which secure the browsing environment, even on computers infected with so-called crimeware.
"Firewalls and authentication tokens to keep attackers outside of networks are no longer sufficient, as attackers continue to focus attacks by infecting computers of customers and employees with undetected crimeware, often distributed through targeted spear phishing," Jevans says. "If an employee brings an infected computer to work, or logs in remotely over a VPN, the criminals will have their backdoor into the network."
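The account monitoring Litan describes above, and the infected-laptop-over-VPN scenario Jevans raises, both come down to noticing when a legitimate employee account starts behaving unlike its owner. The following is an added example (not code from the article or from any vendor it quotes): it builds a per-account baseline of source hosts and working hours from constructed sample authentication log lines, then flags later events that use a new host or fall outside the account's usual hours. The log format, account names and host names are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the IMF incident):
# timestamp, user account, source host, access method.
BASELINE_LOG = """\
2011-06-01T09:12:03 jdoe ws-0417 local
2011-06-01T10:41:19 jdoe ws-0417 local
2011-06-02T08:55:44 jdoe ws-0417 local
2011-06-02T14:03:10 jdoe ws-0417 local
2011-06-03T09:30:27 jdoe vpn-gw-1 vpn
"""

# Later activity on the same account: one normal event, one late-night VPN
# login, and one early-morning access to a host the account never used before.
NEW_LOG = """\
2011-06-10T09:05:12 jdoe ws-0417 local
2011-06-10T23:47:31 jdoe vpn-gw-1 vpn
2011-06-11T02:13:08 jdoe srv-fin-02 remote
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(log):
    """Turn log text into (datetime, user, host, method) tuples; skip bad lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, host, method = m.groups()
        events.append((datetime.fromisoformat(ts), user, host, method))
    return events

def build_baseline(events):
    """Per account: the set of source hosts seen and the hours of day it was active."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for ts, user, host, _ in events:
        hosts[user].add(host)
        hours[user].add(ts.hour)
    return hosts, hours

def flag_anomalies(baseline, events, hour_slack=1):
    """Return events whose host or hour deviates from the account's baseline.
    Hour comparison is a simple +/- slack window (no midnight wrap-around)."""
    hosts, hours = baseline
    findings = []
    for ts, user, host, method in events:
        reasons = []
        if host not in hosts[user]:
            reasons.append("new source host")
        if not any(abs(ts.hour - h) <= hour_slack for h in hours[user]):
            reasons.append("outside usual hours")
        if reasons:
            findings.append((ts.isoformat(), user, host, method, reasons))
    return findings
```

In a real deployment the baseline would be learned over weeks per account and fed to an analyst queue, with the "new host" signal weighted more heavily for accounts that can reach sensitive systems.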
Other recent headline-grabbing breaches, such as attacks on Google's Gmail, Sony, Epsilon and RSA Security, have severely shaken confidence in common network security practices. Most notable to date is the attack on RSA Security, which announced last week that the March breach of its SecurID multifactor authentication tokens was linked to subsequent breaches at Lockheed Martin Corp. and L-3 Communications Holdings Inc. Lockheed Martin and L-3 are both government contractors. [See RSA: SecurID Hack Tied to Lockheed Attack and Sony, Epsilon Testify Before Congress.]
"One thing is certain: Many agencies and firms in multiple sectors are under severe cyberattack, not only in the U.S., where the breaches are occasionally disclosed, but all across the globe," Litan says. "It's time to roll out the defenses against them in earnest. There's no reason why the good guys can't keep these bad guys out."