How a hacker and an insider were caught at the World Bank

We continue surfing the web in search of cool information security stories. Today it is an instructive story about how Amelie Koran (aka webjedi), almost with her bare hands, caught a hacker who had attacked a World Bank server, as well as an insider who tried to exploit the situation. Having dealt with them, she found herself in a much larger and more dangerous “game”. The story was shared with the public by the English-language podcast Darknetdiaries… Here is a retelling of the episode.

Screenshot from https://darknetdiaries.com/transcript/91/

The story takes place in 2008. By the standards of digitalization that is not the stone age, but it is still the “paper” age. To give you a sense of how long ago it was: in those days the World Bank still made heavy use of PalmPilot handhelds, including for sending e-mail. So some of the methods and programs mentioned in the investigation story may seem outdated.

A few words about the World Bank, where, as it turns out, there are incidents too

What kind of organization is the World Bank? The host of Darknetdiaries took the trouble to explain this to his listeners, who are well versed in malicious code but not in the history of the global financial system.

The decision to create the World Bank, as well as the International Monetary Fund, was made at the Bretton Woods Conference held in the United States in 1944. The bank began active operations in 1945 with the aim of lending to countries that needed help rebuilding economies devastated by World War II. Thus, over time, almost the entire recovering post-war world ended up in debt to the World Bank. Later, the lender added developing countries, not covered by its original mandate, to its list of borrowers.

How people like Amelie become the “Mr. Wolfe” who solves all problems

Photo - https://twitter.com/webjedi

Before getting to the incident itself, a few words about the person who handled it. Amelie Koran graduated from college in 1993, having studied programming and sociology. She worked at Xerox as a user interface designer and system administrator, and was responsible for the security of the server infrastructure of the American Chemical Society. Truly large-scale tasks awaited Amelie at a company responsible for supplying gas and electricity to a number of US states. She had barely started there, in the DFIR (Digital Forensics and Incident Response) service, when a hurricane hit and disabled part of the infrastructure. She had to rethink the design of disaster-resistant data centers on the fly, “in the wind”, and at the same time learn to work in emergency mode. Amelie then built on her experience at the cybersecurity company Mandiant and later at FireEye, one of the world’s leaders in the fight against zero-day threats.

Thus, when she accepted the invitation to work at the World Bank, Amelie knew exactly how information security work is done in large organizations. From her time at the utility she had learned two lessons. First, it makes no sense to try to build a completely secure environment; what matters is that your infrastructure is more secure than your neighbors’. Second, accidents happen sooner or later, so one should neither panic nor freeze. One has to keep working through the cataclysm.

In a new place at the World Bank, these skills came in handy almost immediately.

Incident

The World Bank’s file integrity monitoring system recorded changes on one of the servers, the HSM (Hardware Security Module), essentially a secret locker containing all the bank’s cryptographic material. The security service established that the system administrators had nothing to do with the changes and suspected an outsider.

Amelie Koran was brought into the project as a contractor and led the investigation. However, this happened two weeks after the server was hacked, by which time it was hard to tell what the attacker had done on the network and what the consequences of the investigators’ own actions had been.

Thrown into the breach, Amelie literally choked on the streams of information. It poured in from all directions: from engineers, network administrators and other employees. According to Amelie, it was like trying to hold sand flowing through your fingers. There was no way to track the attacker’s real actions, or even to tell whether he was still on the network at that very moment.

The first thing they did was create a complete copy of the infected machine with all its contents, because an attacker can erase his traces or delete some data at any time.

But after studying the logs and notifications of the various IT systems, it turned out that the criminal had gained access and changed configurations not on one, but on thirty servers in the bank! All the compromised devices were taken apart (in the software sense, not literally) down to the last cog, just like the initially discovered hacked server, and copies of them were made.

Amelie says that because of the flood of information, she felt like someone trying to drink from a fire hose. She was swamped: a preliminary analysis of even one machine took hours, and dozens of servers had been affected.

The process went slowly, and the panic was growing like a snowball. Emergency meetings were held one after another; the management, according to the information security expert, was simply going crazy, and ordinary employees were also tense to the extreme.

Screenshot from the cartoon “Puzzle”, Walt Disney Pictures / Pixar Animation Studios, 2015.

Amelie Koran recalls how, during yet another frantic conference call attended by the CIO, the CISO and other “bigwigs”, she, a modest hired contractor, even had to shout at them: “Calm down, everyone, damn you!” In the original, the phrase was rougher. She feels no regret for this emotional outburst. On the contrary: one of the main tasks of a specialist in complex incidents, she believes, is to bring at least some semblance of order to a situation where steam is already coming out of people’s ears from stress. Neither a high IQ nor deep knowledge of cyber investigations can replace a cool head.

Yesterday in the office, and tomorrow in the newspaper!

Ordinary bank employees were not aware of the details of the incident, but the press somehow found out about them. The Wall Street Journal and then Fox News reported, in particular, that the World Bank was experiencing an “unprecedented crisis”, citing a letter from the CTO. The fact that the situation had gone public added to the nervousness. But most importantly, the attacker, if he was not yet aware of it, now knew that he had been discovered.

Screenshot of Fox News article https://www.foxnews.com/story/world-bank-under-cyber-siege-in-unprecedented-crisis

Only an insider could have leaked the information. The technical details about the timing of the attack and the affected servers, which were also leaked to the press, were known to a very limited circle of people: those who took part in the “war councils”.

Amelie began to compile a list of possible “moles”, looking first of all at IT specialists and top managers. She studied quotes from the articles and patiently looked for similar wording in the correspondence of the main suspects (the expert does not give details, but apparently in 2008 she did this analysis manually, without any DLP system to help). Gradually, both the members of the investigation group and the top managers began to “look askance” at each other, as in the game Among Us. The “war council” turned into a battle of stares, with everyone trying to spot an internal enemy in one of their colleagues.

While the laymen suspected everyone they met, Amelie narrowed her pool of possible insiders to five or six. She was inclined to believe that the insider was not present at the closed meetings but was perhaps involved in some more or less open part of the process. To test this theory, Amelie staged a provocation: she planted documents with false information in the conference room and pinned several to the notice board.

Having set up surveillance of the corridors and offices, watching exactly who sat down at which computer (it really had to be done that way, literally spying on the staff), the investigators identified a possible insider. His connection with the media was fully confirmed a few days later, when an article came out containing the planted fake information.

Big fish

A forensic image was made of the insider’s PC hard drive. Using EnCase (a forensic tool) and some other tools, the expert found that the employee had sent emails to the media through Yahoo’s webmail rather than through the corporate Lotus Notes.

In parallel, it turned out that the insider was connected to the former head of the World Bank, Paul Wolfowitz. This person deserves a little more detail. Paul’s candidacy for head of the World Bank was put forward by none other than US President George W. Bush personally. This caused consternation among financial journalists, since Paul’s previous position had been Deputy Secretary of Defense. As it happens, Paul was dismissed not over a financial or military scandal, but because he arranged a position at the bank for an acquaintance.

Paul Wolfowitz did not forget the offense and, seizing the moment, decided to discredit the new leadership by feeding incriminating information to the media. To collect it, he decided to recruit a specialist from the Internal Investigation Department. The man was gay but did not advertise the fact; more than a decade ago, this could be used as a lever of pressure. The recruited employee, in turn, got an IT specialist to work for him and help gather the necessary information. And it was he, as we already know, who fell for Amelie’s bait.

Thus one of the problems, the leak of information to the media, was solved. Having untangled one knot, Amelie was able to spend the night at home for the first time in many days, rather than on the blanket under the table where she had been working all that time. Sleeping under the table, she said, is a pleasure.

How and why did the criminals enter the bank?

The hacker who dug into the servers still hasn’t been found. But it became clear exactly how he got into the information system. It didn’t work the first time. The hacker managed to reach one computer and launched malicious code, but it was blocked by an antivirus. The attacker then tried another vulnerability; this time it worked, and the antivirus did not react. The attacker developed the attack and gained access to password hashes. With their help, he took over the system administrator’s account.

Amelie decided to check how weak the sysadmin’s password was and how long it would take to crack. It turned out that recovering the password of such a key bank employee took just a few minutes, which Amelie reported to the management. She also suspected that this was a systemic problem and asked the administrator to change the password and write the new one down on paper. After that, she launched a password-auditing program and cracked the new one in a few minutes as well. Like the previous passwords, it was simple: the name of his daughter followed by the year of her birth.

The bank revised its password policy, finalized its access control policies and, a few months later, invited specialists from Microsoft to conduct an independent audit of the state of AD and passwords throughout the bank.

So who needed the World Bank hack?

This part of the story contains the fewest details, but here is what the investigation, as Amelie Koran was able to disclose it, found. It turned out that the hackers were actively looking for access to the databases used by the heads of the HR department. In other words, the attackers were interested in the names of specific bank employees. Mandiant specialists, brought in to study the malicious code, used their new Mirror tool for the analysis. Based on the information collected, the World Bank management concluded that the attackers were most likely Chinese hackers.

At the end of her account of the investigation, Amelie shared her impression of what it feels like to work on such a large project: “While you are struggling with technical problems, you have adrenaline, and endorphins, and a sense of your own worth. But when the political or economic background is revealed, you discover that you are part of a different, even more complex game.”
