Monday, June 13, 2011

The IMF Attack: When a State and its Hackers' Interests Coincide

The recent discovery that the International Monetary Fund had its network breached and mined for sensitive data over a period of several months is the latest in a non-stop round of significant cyber attacks dating back almost to the beginning of the year.

Here's what has been reported by the New York Times [1] and Bloomberg [2] through unconfirmed sources:

  • It preceded the arrest of former IMF director Dominique Strauss-Kahn (DSK) on May 14, 2011 [3]
  • It occurred over the last several months before being discovered [1]
  • It didn't involve the use of a duplicate RSA SecurID token [1]
  • A large quantity of data was taken including e-mail messages and documents [2]
  • It was reportedly state-based [2]
  • A staff memo issued on June 1 warned of phishing activity and urged IMF employees to not open any e-mail messages or click on video links without authenticating the source [2]



Who Probably Isn't Behind The Attack:
Brazil, Russia, India, China (BRIC)
Since the attack pre-dates the DSK arrest, we can probably rule out any motive related to who the next IMF managing director will be, since DSK's term wasn't due to be up until 2012 [4]. There is a fight between the BRICs and the EU/US over who should run the IMF [5], whose director has always come from Europe or the U.S., but with the election so far off there doesn't seem to be a compelling reason for any of the BRIC states (Brazil, Russia, India, China) to be involved in the attack.

Anonymous
Anonymous did announce a DDoS attack against the IMF to protest the stringent budget controls attached to its bail-out loan for Greece, but that call only went out recently (1 June), and the characteristics of the IMF breach don't fit Anon's operational model (DDoS using the LOIC).

Who Would Have Motive And Means:
The IMF has 187 member states, and any one of them would probably benefit from having access to sensitive data stored on IMF servers; however, only a small percentage have the means to run a believable spear phishing attack against a sophisticated target like the IMF. If you rule out the U.S. and the European Union as well as the BRICs, you'd be left with a handful of countries in Asia, Eurasia, and the Middle East. Relatively new loans are in the works for Egypt and Tunisia, but they predate the onset of the attack if the reported timeline is accurate [6]. There was some discussion of a loan for South Korea last summer [7], but in February 2011 the Bank of Korea loaned money to the IMF [8], so we can probably take South Korea off the list.

Belarus and Ukraine
My picks for the states most likely behind the IMF attack are both in Eurasia: Belarus and Ukraine. Both have been involved in hotly contested and politically stressful IMF loans dating back many months, and both have very active and skillful hacker populations for whom the IMF breach would be a piece of cake.

The IMF approved a $16B loan to Ukraine in August 2010 [9] but then suspended it over Ukraine's breach of terms, the terms having been perceived as too unpopular to implement [10]. A similar situation occurred in Belarus, which had a previous IMF loan of $3.5B in 2009 that was cancelled in late 2010 due to breaches of terms during the Presidential election. Now Belarus needs a new IMF loan of $8B in addition to the $3B pledged to it by a Russian-led bailout fund [11].

Hackers from Eastern Europe, including both Ukraine and Belarus, were involved in a high-profile arrest last October for financial crimes spanning about one year against a series of banks that included HSBC, Royal Bank of Scotland, Barclays, and Lloyds TSB [12]. Then in early January 2011, Brian Krebs reported on a spear phishing attack against U.S. government employees that pretended to be a Seasons Greetings card from the White House, the purpose being to gain access to sensitive networks and then discover and exfiltrate valuable data over a long period of time [13]. This second attack is a trademark of the Zeus malware gangs in Eastern Europe, also known as the Hilary Kneber crew. A technical write-up on the White House spear phishing attack can be found at the Contagio blog. The government of Belarus denied that any Belarusian hackers were involved in the attack [14].

SUMMARY
There's very little hard data in the public domain to review, so this article should be taken as informed conjecture at best. However, based upon what has been reported by two respected news organizations and a couple of highly regarded journalists, this could very well be the work of Eastern European hackers who've been running very similar cyberespionage operations dating back to February 2010, when a spoofed NSA email was followed 24 hours later by a spoofed email pretending to be from me, warning "my" recipients of the NSA-themed spear phishing attack; both were very successful [15]. In the Russian Federation and the Commonwealth of Independent States (the former states of the Soviet Union), "useful" relationships between government and organized crime have been a fact of life for many years. That type of relationship extends to professional hacker crews as well, and if the interests of a government coincide temporarily with the interests of a skill set owned by some of its citizens, an IMF-type attack may very well be a win-win situation for both.



References:

[1] NY Times 11 Jun 2011 "IMF Reports Cyber Attack Led To Very Major Breach": http://www.nytimes.com/2011/06/12/world/12imf.html?_r=3&hp
[2] Bloomberg BusinessWeek 13 Jun 2011 "IMF State-backed Cyber Attack Follows Hacks of State Lab, G-20": http://www.businessweek.com/news/2011-06-13/imf-state-backed-cyber-attack-follows-hacks-of-atomic-lab-g-20.html
[3] NY Times 14 May 2011 "IMF Chief, Apprehended At Airport, Is Accused Of Sexual Attack": http://www.nytimes.com/2011/05/15/nyregion/imf-head-is-arrested-and-accused-of-sexual-attack.html
[4] International Monetary Fund press release 2 Nov 2007 "Terms of Appointment of Dominique Strauss-Kahn as Managing Director of the International Monetary Fund": http://www.imf.org/external/np/sec/pr/2007/pr07245.htm
[5] China Daily 15 Apr 2010 "BRIC Stacks Up Against IMF": http://www.chinadaily.com.cn/china/2010-04/15/content_9730877.htm
[6] The Guardian online 25 May 2011 "The IMF Versus The Arab Spring": http://www.guardian.co.uk/commentisfree/2011/may/25/imf-arab-spring-loans-egypt-tunisia
[7] Bloomberg BusinessWeek 24 Jul 2010 "SKorea, IMF work on emergency loan program": http://www.businessweek.com/ap/financialnews/D9H57PJ80.htm
[8] International Monetary Fund press release 16 Feb 2011 "IMF Signs SDR 500 Million Borrowing Agreement with the Bank of Korea to Support Lending to Low-Income Countries": http://www.imf.org/external/np/sec/pr/2011/pr1150.htm
[9] International Monetary Fund 11 Aug 2010 "IMF Approves $15.1 Billion Loan for Ukraine": http://www.imf.org/external/pubs/ft/survey/so/2010/car081110a.htm
[10] Reuters 3 Jun 2011 "Ukraine cbank warns government on economy, urges IMF talks": http://www.reuters.com/article/2011/06/03/us-ukraine-cbank-idUSTRE7521ZX20110603
[11] The Moscow Times 6 Jun 2011 "Belarus Bailout Starting With $3Bln": http://www.themoscowtimes.com/business/article/belarus-bailout-starting-with-3bln/438209.html
[12] Telegraf 12 Oct 2010 "Belarusian Hackers were Involved in a Major International Scandal": http://telegraf.by/2010/09/belarusian-hackers-were-involved-in-a-major-international-scandal.html
[13] Krebs On Security blog 3 Jan 2011 "'White House' eCard Dupes Dot-Gov Geeks": http://krebsonsecurity.com/2011/01/white-house-ecard-dupes-dot-gov-geeks/#more-7269
[14] Telegraf 6 Jan 2011 "Information on Belarusian Hackers' Actions May be a 'Canard,' Interior Ministry": http://telegraf.by/2011/01/information-on-belarusian-hackers-actions-may-be-a-canard-interior-ministry.html
[15] Nart Villeneuve blog 1 Mar 2010 "The 'Kneber' Botnet, Spear Phishing Attacks and Crimeware": http://www.nartv.org/2010/03/01/the-kneber-botnet-spear-phishing-attacks-and-crimeware/

1 comment:

  1. Too bad we don't have the original spear-phish and/or malware, as it would surely contain clues which might help pinpoint the location of the attackers - keyboard character sets, metadata, linguistic cues, exploit code details, etc.