Friday, July 22, 2011

Is It In China's Interest To Breach IMF Servers? No.

Yesterday, Bloomberg News ran a story announcing "China-Based Spies Said To Be Behind Hacking In Investigators' View":
"Investigators probing the recent ransacking of International Monetary Fund computers have concluded the attack was carried out by cyber spies connected to China, according to two people close to the investigation."
The article goes on to provide general details about why:
"Evidence pointing to China includes an analysis of the attack methods, as well as the electronic trail left by hackers as they removed large quantities of documents from the IMF’s computers. The multistaged attack, which used U.S.-based servers as part of their equipment, ended on May 31, people involved in the investigation said on the condition they not be identified because they aren’t authorized to speak about it."
The article further specifies that the analysis includes "analyzing the code left behind in networks and tracing patterns in multiple attacks that may use the same infrastructure." This sounds to me like the automated analysis performed by something like HBGary's "Digital DNA". The problem with that solution and others like it is that while it can analyze commonalities in the tools used as well as in the malware code, it cannot discern the nationality of the hackers responsible, and certainly not the nation state that may have engaged them. The fact that a Remote Access Tool was created by a Chinese-speaking person doesn't mean that it was used by a Chinese hacker working on behalf of the State Council or a Chinese intelligence agency. Those tools are broadly available and used by black hats all over the world.

The more important thing to look at is motivation. Why should China be interested in hacking into an organization in which it is one of the most powerful members? On October 28, 2010, the IMF approved the G20 Agreement on Quotas and Governance, which amended the list of its top ten largest shareholders to be the "United States, Japan, the BRICs (Brazil, China, India and Russia), and the four largest European countries (France, Germany, Italy, and United Kingdom)." Canada and Saudi Arabia lost their former top ten positions. In fact, according to this IMF fact sheet on Quotas, China is now the third most powerful member in the IMF. Unless someone can come up with a strong motivation for China wanting to hack an organization to which it is the third largest contributor, I think the blame lies elsewhere.

Related:
The IMF Attack: When A State And Its Hackers Interests Coincide
7 Reasons Why China Isn't The World's Biggest Cyber Threat (And Who Is)
Richard Clarke Should Get His Facts Straight On Cybersecurity And China
