Late last week, Bloomberg ran a story announcing ‘China-Based Spies Said To Be Behind Hacking in Investigators' View’:
‘Investigators probing the recent ransacking of International Monetary Fund computers have concluded the attack was carried out by cyber spies connected to China, according to two people close to the investigation.’
The article went on to provide general details about why:Enjoying this article? Click here to subscribe for full access. Just $5 a month.
‘Evidence pointing to China includes an analysis of the attack methods, as well as the electronic trail left by hackers as they removed large quantities of documents from the IMF’s computers. The multistaged attack, which used US-based servers as part of their equipment, ended on May 31, people involved in the investigation said on the condition they not be identified because they aren’t authorized to speak about it.’
The report added that the analysis included ‘analysing the code left behind in networks and tracing patterns in multiple attacks that may use the same infrastructure.’ This sounded to me like the automated analysis performed by something like HB Gary’s ‘Digital DNA.’ The problem with that solution, and others like it, is that while it can analyse commonalities in the tools used, as well as the malware code, it can’t discern the nationality of the hackers responsible, and certainly not the nation state that may have engaged them.
A Remote Access Tool that was created by a Chinese-speaking person doesn’t mean that it was used by a Chinese hacker working on behalf of the State Council or a Chinese intelligence agency. Those tools are broadly available and used by black hats all over the world.
The more important thing that should have been being looked at, then, was motivation. Why should China be interested in hacking into an organization that it’s one of the most powerful members of?
Last October, for example, the IMF approved the G20 Agreement on Quotas and Governance, which amended the list of its top ten largest shareholders to be the ‘United States, Japan, the BRICs (Brazil, China, India and Russia), and the four largest European countries (France, Germany, Italy, and United Kingdom).’ Canada and Saudi Arabia lost their former top ten positions. In fact, according to this IMF fact sheet on quotas, China is now the third most powerful member in the IMF.
On top of all this, on July 12, former senior Chinese central banker Zhu Min was nominated to be a deputy managing director of the organisation, elevating China's stature and influence still further.
In fairness to the IMF, it did back away from the anonymous claims that were being reported in the media, with an IMF spokesman stating that: ‘We are not prepared to finger-point at this time. We also may never know who perpetrated this cyber-attack.’
In light of the information available, it seems a more sensible position.
This is an edited version of an entry that also appears on Carr's blog. Carr is also the author of 'Inside Cyber Warfare: Mapping the Cyber Underworld' (O'Reilly Media, 2009).