08:32 PM
George V. Hulme

World Bank (Allegedly) Hacked

It seems, based on a FoxNews.com report that broke Friday, that the World Bank Group suffered a series of cyberattacks during the past few months. The claims about the level of access gained by the attackers are troubling -- but the real extent of the breach remains in dispute, and unknown.

These days, it's tough for any bank to ask for trust from the public. But that's essentially what the poverty-fighting World Bank Group is asking us right now. Trust us: We haven't put the money you've loaned us at risk. The risk this time doesn't involve overleveraged loans or the failure to mark collateralized loans to fair market value. Instead, the risk comes from whether the World Bank took reasonable steps to secure its infrastructure, to what level it was breached, and if it's now being straightforward with the (little) public disclosure the organization has provided so far.

Before we take a look at the FoxNews.com report, let's look at what the World Bank said after the news story went public:

"The Fox News story is wrong and is riddled with falsehoods and errors. The story cites misinformation from unattributed sources and leaked emails that are taken out of context.

"Like other public and private institutions, the World Bank has repeatedly experienced hacking attacks on its computer systems and is constantly updating its security to defeat these. But at no point has a hacking attack accessed sensitive information in the World Bank's Treasury, procurement, anti-corruption or human resources departments."

To FoxNews.com's credit, they claim to have reached out to World Bank officials before running with the story:

Requests for on-the-record interviews with Zoellick and other top officials were declined.

Perhaps it would have been a better idea for the World Bank to share even what little it could, without jeopardizing any current investigations, before the story ran. At least it would have been proactive in its argument against the "falsehoods," "errors," "misinformation," and "leaked e-mails taken out of context." If it had done that, the story would have had a much different tone.

The bigger question on this point is why, and how, the e-mails were accidentally or purposefully leaked in the first place.

Here's how our Kelly Jackson Higgins summed up the breach from FoxNews.com's report:

According to the FoxNews.com report, World Bank employees have been ordered to change their passwords three times in the past three months in the wake of the attacks, which spanned somewhere between 18 and 40 of its servers in multiple hacks, which began last year. The published report says there were six major break-ins in the past year, and that at least five servers containing sensitive data were exposed. FoxNews apparently obtained an internal e-mail message and memos from the World Bank in response to the attacks that illustrate the complicated series of events and the agency's response to them.

The revelation of breaches at the World Bank could not come at a worse time given the global financial crisis, but security experts say the hacks were coincidental and unlikely to be tied to the economic developments. The World Bank provides financial and technical assistance to developing countries, and includes 185 member nations on its board.

The World Bank also didn't respond to Dark Reading's request for an interview.

While the nature of this alleged breach is foggy, the public allegations to date include the charges that attackers had access to a wide swath of the World Bank's network for nearly a month; that a July attack may have begun from a compromised system administrator account; and that several Web servers were involved in the attack.

We'll have no idea how this potential attack occurred, and to what depths it reached, unless the World Bank comes out publicly and explains it, or the issue ends up in court. If the allegations that a sys admin's account was compromised and that the attackers had access to network traffic for nearly a month are accurate, the only safe assumption is that any systems that touch these areas of the network are at significant risk of having been breached.

It's also quite possible that, if the Web servers were vulnerable, this situation consists of multiple attackers exploiting vulnerabilities they each discovered independently.

The only takeaway we have so far is that, whether or not you believe that your organization will be attacked and that the press will learn of the attack, you'd better have a plan for how you're going to respond. The worst could happen -- and you don't want to be making decisions at that time in a state of panic.

That plan had better be devised by your risk and security managers, business leaders, legal teams, and communications staff. How you respond when the events (or various interpretations of them) go public will set the tone of the news story for a long time.

The people who will be reading those reports are your current customers, suppliers, employees, and business prospects. They all deserve to know and have confidence that no matter what happened, the situation is now under control.

As of the time I published this blog post, I was unable to locate any public statement from the World Bank on its Web site regarding these suspected incidents.
