IMF State-Backed Cyber-Attack Follows Hacks of Lab, G-20
The data theft from International Monetary Fund computers by hackers said to be linked to a foreign government follows incidents against companies and governments that illustrate the growth of cyber-attacks as an espionage tool.
The IMF hack resulted in the loss of a “large quantity” of data, including documents and e-mails, according to a person familiar with the incident, a security expert who declined to be identified because he wasn’t authorized to speak on the subject. This year, the Group of 20 and Oak Ridge National Laboratory have also come under cyber-attack.
The person said the intrusion was state-based, without saying which government is thought to be behind it. The Washington-based IMF approved a record $91.7 billion in emergency loans last year and provides a third of bailout packages in Europe.
“The value of what’s being lost in these cyber-attacks is increasing at a very fast rate,” Sami Saydjari, the founder of Cyber Defense Agency in Wisconsin Rapids, Wisconsin, said in an interview this year before the latest attacks. “There are two perpetrators that are most concerning. One is organized crime, the other is nation-states, and they are both quite serious.”
Chinese-based hackers gained access to private Gmail accounts of senior U.S. officials and journalists this month, according to Google Inc. (GOOG). Defense contractor Lockheed Martin Corp. (LMT) was hacked in May. Computers at Hopkinton, Massachusetts-based EMC Corp.’s RSA Security division were infiltrated in March by hackers who stole technology used to protect other U.S. government and corporate networks.
Google, based in Mountain View, California, traced the breach of Gmail accounts to the city of Jinan in Shandong Province, the site of a vocational school associated with the Chinese military. Kevin Kempskie, an RSA spokesman, didn’t specify who was linked to the RSA attack.
The same attackers used data stolen from RSA to gain access to Bethesda, Maryland-based Lockheed Martin’s computer network, RSA said this month. The pattern of the attacks against RSA and Lockheed Martin confirmed RSA’s suspicion that the hackers were seeking national security information and weren’t out for financial gain, according to RSA.
David Hawley, an IMF spokesman, on June 11 declined to discuss details of the attack on the fund.
Fund employees were alerted about hackers this month and “strongly requested not to open e-mails and video links without authenticating the source,” according to a copy of a staff memo provided to Bloomberg News.
An e-mail from the IMF’s chief information officer, Jonathan Palmer, warned employees of “increased phishing activity.” Phishing is the practice of obtaining information such as computer user names or passwords under false pretenses. Palmer instructed employees on how to detect and respond to cyber-attackers, warning them not to divulge their passwords or open “unexpected documents.”
According to one IMF memo, the fund’s network connection to the World Bank was severed “as a precautionary measure.”
On June 1, the IMF’s information technology department sent an e-mail to employees with the subject line “Important Notice: Virus Attacks.” It warned of attempts to hack into the system.
“Staff are strongly requested NOT TO OPEN e-mails and video links without authenticating the source,” the e-mail said.
Anup Ghosh, chief executive officer of Invincea Inc., a Fairfax, Virginia-based cyber-security company, said the warning suggests computer worms were downloaded into the IMF’s networks through so-called spear phishing, which involves sending e-mails that appear to come from colleagues or other officials. He said the technique is associated with directed attacks for espionage.
The warnings to employees suggested that the IMF believes efforts to penetrate the organization’s computer networks are on-going, Ghosh said.
In an attack on the Oak Ridge National Laboratory this year, a malicious program was downloaded through an e-mail purporting to come from the human resources department. Ten percent of the 570 recipients clicked on a link, infecting several machines connected to the lab’s network, Ghosh said.
The Tennessee-based lab was founded in 1943 to support the Manhattan Project and works with the U.S. Energy Department.
In February, France’s budget minister, Francois Baroin, said the finance ministry was targeted in a cyber-attack aimed at stealing files on the G-20 summit in Paris. The attack was traced to Internet addresses in China, while there was no evidence it was directly linked to the Chinese government, the French publication Paris Match said at the time.
Several countries are known to use hacking as a tool in espionage, including China, according to Mike Hayden, a former director of the Central Intelligence Agency.
“China is a state that is very aggressive at collecting intelligence through these means,” Hayden said in an interview with Bloomberg News in February. “They are not bashful at all.”
This month’s hacking of Gmail accounts originated in the same city as an operation against Google computers and the computers of at least 20 other major U.S. companies in 2009 in what was known as Operation Aurora. Leaked U.S. diplomatic cables published by WikiLeaks said that attack was directed by high-level officials in the Chinese government security apparatus.
“Our species has never put as much of its knowledge into the electromagnetic spectrum as it has now,” Hayden said. “Everything important exists out there in ones and zeroes.”