The World Bank Group was first notified of the intrusions by the FBI in September 2007, when the bureau was investigating another cybercrime case involving transactions out of Johannesburg, South Africa. Fox News said it has an internal memo (PDF) describing the initial intrusion to World Bank Group employees.
The World Bank Group did not respond to a request for comment.
The World Bank Group, based in Washington, D.C., is not a traditional bank. It is made up of the International Bank for Reconstruction and Development and the International Development Association, and it provides a vital source of financial and technical assistance to developing countries around the world, according to its Web site. The World Bank board represents 185 member nations and currently budgets $25 billion annually in antipoverty campaigns.
Up to 40 servers have been penetrated in a series of attacks, according to Fox News, including one attack on a server that held contract-procurement data. Two of the attacks appear to come from the same block of IP addresses originating in China. But Graham Cluley, senior technology consultant at Sophos, told CNET News that doesn't mean the attackers are in China--only that they are using compromised machines located in that country.
"Ideally, if you're a large organization or financial organization, then you would have a team of penetration testers testing your system to the limit looking for those weaknesses, looking for those holes," Cluley said. "It's much better that you find them before a criminally minded hacker does."
Apparently, the World Bank Group does not conduct its own security-assessment testing, a requirement of financial institutions in the United States and other countries.
Fox News also published a more recent memo from August 19, 2008 (PDF) in which World Bank Group staff were told to change personal passwords and start using security "tokens" or cards to access the organization's applications remotely. These tokens, such as the two-factor tokens being used by VeriSign, are synced with an internal server and display password strings that are valid only for a minute or so.
Cluley questioned why these attacks aren't more of a priority with World Bank staff. "Every bank on High Street (in London) already has that requirement of its customers," he said. "Every firm with critical data should be giving its employees (password tokens) because otherwise compromise is just as simple as having a key-logging piece of spyware on the desktop."
It is unclear how the intrusions occurred, when they started, or whether they are even related.
Fox said that outside forensics teams have since been brought in to investigate. In an e-mail to CNET News, a representative for Mandiant, a U.S.-based digital forensics company, confirmed that the World Bank is a client but would not elaborate on the work done on its behalf.
"Regardless of the facts," Cluley said, "every organization needs to learn that this can happen to big organizations and small ones, and make sure they have proper security and encryption in place."