[Update: that article "IMF and the weakest link" is now up on SC Magazine's Cybercrime Corner.]

In a recent article for SC Magazine (I'll post the link here when it gets posted) on the International Monetary Fund security breach, I focused on the implications of technological versus psychosocial threats and countermeasures. Not, of course, the first time I've talked about that dichotomy: in fact, Randy Abrams and I wrote a paper on the topic in 2008 for the AVAR conference: "People Patching: Is User Education Of Any Use At All?". (If you read the paper, you'll know that in my opinion, the answer is yes.)

In the absence of any detailed information from the IMF itself, it's not surprising that most of the surmise around the attack is based on internal IMF memos quoted by Bloomberg, and much of it is rather tenuous. So we learn from various sources that the attack precedes the arrest of Dominique Strauss-Kahn (which seems to have little or nothing to do with it), that it wasn't connected to an attack by Anonymous - LulzSec were apparently too busy publicizing porn-site-related info - or to RSA SecureID tokens, and that IMF believe no personal information was "sought for fraud purposes". In other words, we know more about what it probably wasn't than we do about what it was, though it may have been associated with a spear-phishing attack.

Leaving aside the what and how, the other interesting question is "why?" Bloomberg quite unequivocally ascribe it to a "state-based attack", which suggests someone exploring the possibility of the sort of global finance-directed attacks that probably keep all our leaders awake at night. At least, since the IMF brokers sensitive transactions of national and global importance such as recent economic bailouts for European countries like Portugal, I really hope they are worrying. Clearly, the World Bank does: it severed the direct computer links between itself and the IMF, and temporarily shut down external access to its own most sensitive systems.

So is it a targeted "spear-phishing" affair, or "testing the waters" to see what's there? Either way, it seems that someone is interested in using information in ways that could go far beyond "market-moving" cybercrime to all-out economic warfare.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow