Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


What Do IMF, Citigroup, And Sony Hacks Share?

Many organizations have been focusing on complying with regulations, rather than taking a top-down look at what most needs to be secured, security experts say.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
To the non-stop list of organizations suffering hacking attacks, now add the International Monetary Fund (IMF). Over the weekend, the organization confirmed to multiple news outlets that its systems had been breached in recent months by a sophisticated attack.

"This was a very major breach," an unnamed official told the New York Times, indicating that the attack had occurred or at least begun several months ago. Accordingly, the attack would have predated the arrest of Dominique Strauss-Kahn, who resigned as managing director of the IMF last month after being arrested in New York and charged with sexual assault.

Meanwhile, an unnamed source told Bloomberg that the attack was state-backed, though declined to name a suspected government. That could be an attempt to avoid riling a country that's also one of the IMF's 187 member countries.

Additional details about the IMF attack remain scarce, however, and a spokesperson for the IMF was not available for immediate comment.

Why target the IMF? "These attacks are particularly dangerous because now the hackers have potentially obtained sensitive information on developing nations and their fiscal conditions," said information security expert John D'Arcy, assistant professor of IT management at the University of Notre Dame, in an email. "The value of such information is arguably higher than, say, someone's credit card number or social security number."

The IMF hack follows recent attacks against numerous organizations, including Citigroup and Sony. Earlier this year, attackers also broke into the systems of EMC's RSA security division, stealing data related to its two-factor SecurID authentication system. That led to worries that the attackers might be able to compromise any organization that uses SecurID, and RSA confirmed that attackers had attempted to do just that in a failed attack against Lockheed Martin in May.

Interestingly, according to new reports, the IMF uses RSA SecurID tokens. But there's no indication that attackers exploited the devices.

Instead, most security experts suspect spear-phishing to be the cause. This technique, which uses personalized but fake emails to entice recipients into installing malware or visiting malicious websites, has lately been on the rise.

Earlier this month, for example, Google warned Gmail users about a spear-phishing attack that was targeting high-ranking politicians, among others, and alleged that the attacks had originated in Jinan, China. According to news reports, the city's Lanxiang vocational school may train computer engineers for the People's Liberation Army. Both the Chinese government and the school have denied any involvement in the Google attacks.

With hacking attacks on the rise, what's interesting is that more businesses do seem to be aware of when they've been attacked, and also ready to confirm it. "What's encouraging is to see organizations such as the IMF making public announcements about successful attacks on them, when we know that many more such incidents go unreported--and an even larger number go undetected," said Henry Harrison, technical director at Detica, a business and technology consulting firm owned by BAE Systems, in an email.

But why are so many organizations now not only suffering hacking attacks, but also seeing their systems get breached? "The question with all of these breaches, such as the Sony breach--which encrypted the credit card data, but nothing else--with the IMF, Epsilon, ... goes to, why weren't solid data security practices being implemented at these organizations?" said Gretchen Hellman, VP of product management for data security vendor Vormetric, in a phone interview.

The answer, she said, is that many organizations have been focusing on complying with regulations, rather than taking a top-down look at what most needs to be secured. Indeed, most of the information stolen in recent attacks hasn't been regulated, and likewise wasn't encrypted. "Security has been driven by compliance for the past seven years, starting with Sarbanes-Oxley and going to PCI," she said. "So there's been a focus on complying with regulations, and not focusing on a strong, holistic, layered security program--everything from end user awareness training to encrypting and controlling access to data with a strong separation of duties program, to monitoring activity to ensure that you can capture malicious activity as soon as it starts."

Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud, as this Tech Center report explains. Download it now. (Free registration required.)


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-06
The parse_report() function in whoopsie.c in Whoopsie through 0.2.69 mishandles memory allocation failures, which allows an attacker to cause a denial of service via a malformed crash file.
PUBLISHED: 2020-07-06
PlayerGeneric.cpp in MilkyTracker through 1.02.00 has a use-after-free in the PlayerGeneric destructor.
PUBLISHED: 2020-07-06
It's possible to inject JavaScript code via the html method.
PUBLISHED: 2020-07-06
It's possible to use <<script>script> in order to go over the filtering regex.
PUBLISHED: 2020-07-06
An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.