Attacks/Breaches
1/31/2013
11:18 AM
Connect Directly
RSS
E-Mail
50%
50%

Did Chinese Hackers Hit NY Times?

Some evidence suggests Chinese involvement in recent attack on The New York Times. Meanwhile, Symantec goes into damage-control mode over failure to block hackers.

Attackers have been hacking into systems at The New York Times for the last four months, stealing the corporate passwords for every employee and compromising the home PCs of multiple reporters.

That news broke late Wednesday and was first reported by none other than the Times itself. Officials at the paper said that they had recently mitigated the attack, removed several backdoors installed by attackers on corporate system and reset all users' passwords.

The attacks apparently began after the paper published a story titled "Billions in Hidden Riches For Family of Chinese Leader" on October 25, 2012, which profiled the surprising wealth of the family of Chinese prime minster Wen Jiabao. Strangely, however, the attackers don't appear to have stolen any related information. "Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied," said Jill Abramson, executive editor of the Times, in its story.

"These attackers were not interested in making money. They wanted to spy on the Times," said Mikko Hypponen, chief research officer at F-Secure, in a blog post.

[ What is cyberwarfare, and how should it affect U.S and international security practices? Read Uncertain State Of Cyber War. ]

According to investigators at Mandiant -- the security firm hired by the Times on Nov. 7 to investigate the ongoing attacks -- the sophisticated, advanced persistent threat (APT) attacks were launched by China.

"If you look at each attack in isolation, you can't say, 'This is the Chinese military,'" said Richard Bejtlich, Mandiant's chief security officer. But based on the attackers' malicious code, hacking techniques and command-and-control networks, Mandiant said it had tied the attacks to a group operating from China that it's dubbed "A.P.T. Number 12."

According to Mandiant, a digital forensic analysis of systems at the Times found that this attack commenced on Sept. 13, and that attackers stole hashes of all corporate passwords, which they successfully cracked. Mandiant suspects -- but evidently doesn't have hard evidence to prove -- that the hack was kicked off by a spear-phishing attack. It also said that attackers routed their exploits through compromised university systems in Arizona, New Mexico, North Carolina and Wisconsin, as well as smaller U.S. companies and service providers, which it said matches previously seen Chinese attack patterns.

"When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction," Bejtlich said.

But does the evidence shared to date support the assertion that Chinese attackers -- or the Chinese government -- were actually involved? The Chinese government, for its part, quickly dismissed any suggestion that it had commissioned the Times hack. "Chinese laws prohibit any action including hacking that damages Internet security," read a statement released by China's Ministry of National Defense. "To accuse the Chinese military of launching cyber attacks without solid proof is unprofessional and baseless."

But some security experts think the available facts don't clearly demonstrate Chinese involvement. "The list of potential culprits who could have breached the Times network for information on Asia is far longer than just China," said cyber warfare specialist Jeffrey Carr, who's the CEO of Taia Global, in a blog post. He also noted that tying the attacks to the Oct. 25 story appeared to be an assumption on the part of officials at the Times, since the related attacks began over a month earlier. So while that intrusion could have sparked by reporters conducting research for their Wen Jiabao story, it might also have been unrelated.

Carr also criticized Mandiant's reporting that the attackers appeared to keep Beijing work hours. But he said that workday would also apply to "Bangkok, Singapore, Taiwan, Tibet, Seoul and even Tallinn--all of whom have active hacker populations." In addition, if the attack was launched by the Chinese government, it would have used its Ministry of State Security, which is the Chinese version of the CIA, and that agency likely wouldn't have left recoverable tracks. Finally, one of the remote access Trojan (RAT) attack tools used has been seen in previous attacks launched by Chinese organizations, but the tool has also been used by others and is free to download.

Based on those facts, Carr said, "This article appears to be nothing more than an acknowledgment by the New York Times that they found hackers in their network (that's not really news); that China was to blame (that's Mandiant's go-to culprit), and that no customer data was lost (i.e., the Times isn't liable for a lawsuit)," he said.

Regardless of whether or not there was Chinese involvement in the attacks, how did the attackers manage to compromise systems at the Times for several months before being detected? On this front, the Times names Symantec, saying that although all employees used the firm's antivirus product, it had detected and quarantined only one of the 45 malicious files used by attackers over a three-month period. The rest successfully infected the targeted PCs.

That revelation is an embarrassment for Symantec, and officials at the company moved quickly to try and control any PR fallout, issuing a statement on Thursday saying that "anti-virus software alone is not enough."

"Advanced attacks like the ones the New York Times described ... underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions," read the Symantec statement. "The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats."

Is the attackers' ability to bypass a widely used commercial antivirus product evidence of their sophistication, or possible nation-state backing? Not at all. For starters, determining which antivirus software the Times reporters were using would have been simple: "Maybe the APT operators just checked the customer lists from each of the AVs to see which one had the NYT?" tweeted the vulnerability broker known as The Grugq.

Once attackers identified the antivirus software in place, they could have easily repacked exploits -- generated using relatively inexpensive and easily obtained crimeware toolkits -- and tested them in advance using a free service such as VirusTotal to see if the Symantec antivirus software signatures recognized the exploit. If no match was found, attackers would know that if they could hit a Symantec-using PC at the Times with the malware, the infection would likely be successful.

Can the types of attacks that infected systems at the Timesbe stopped? Some will be blocked, but even with top-notch security defenses, some will still get through.

Hackers Unmasked: Detecting, Analyzing And Taking Action Against Current Threats In this all-day InformationWeek and Dark Reading Virtual Event, experts and vendors will offer a detailed look at how enterprises can detect the latest malware, analyze the most current cyber attacks, and even identify and take action against the attackers. Attendees of the Hackers Unmasked event will also get a look at how cybercriminals operate, how they are motivated -- and what your business can do to stop them. It happens Feb. 7. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
1/31/2013 | 10:29:43 PM
re: Did Chinese Hackers Hit NY Times?
The NY Times' reporting on the incident seems to portray the company as a helpless victim: targeted by the hacker hoardes of a superpower, and failed by a giant security company. I don't quite buy that slant. I'm not trying to apologize for Symantec in any way, but anyone with an ounce of security knowledge understands the extensive limitations of signature-based anti-malware software.

Drew Conry-Murray
Editor, Network Computing
Verdumont Monte
50%
50%
Verdumont Monte,
User Rank: Apprentice
1/31/2013 | 9:50:47 PM
re: Did Chinese Hackers Hit NY Times?
No, Most likely it would've been because of a user error. Read the news from other sources as well. Even though they don't have enough evidence, It was believed most likely to be done using spear phising.
Leo Regulus
50%
50%
Leo Regulus,
User Rank: Apprentice
1/31/2013 | 9:44:05 PM
re: Did Chinese Hackers Hit NY Times?
(This is just to good to pass up) 'Only if they were looking for American Take Out'.
F'Boy
50%
50%
F'Boy,
User Rank: Apprentice
1/31/2013 | 5:49:02 PM
re: Did Chinese Hackers Hit NY Times?
If their ridiculously easy to circumvent subscription firewall is an indication, it can't have taken the Chinese more than 5 seconds to break in.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4262
Published: 2014-07-28
svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-...

CVE-2013-4840
Published: 2014-07-28
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

CVE-2013-7393
Published: 2014-07-28
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions...

CVE-2014-2974
Published: 2014-07-28
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

CVE-2014-2975
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.