Attacks/Breaches
2/1/2013
11:17 AM
Tim Wilson

Following New York Times Breach, Wall Street Journal Says China Hacked It, Too

FBI says it has been investigating cyberattacks on U.S.-based media outlets for a year

The sophisticated cyberattack launched on The New York Times revealed earlier this week was not the first attack on U.S. media by Chinese entities, officials say.

The New York Times reported an attack targeted at two of its China-based journalists late Wednesday night. According to news reports on the Times attack, entities from China used a combination of spear-phishing and 45 pieces of custom malware to try to obtain the sources of reporters who wrote about the family of Chinese prime minister Wen Jiabao.

The attack, and its subsequent analysis by security firm Mandiant, drew attention from security analysts for its unique level of sophistication. But yesterday officials at The Wall Street Journal said their news bureau in China has also come under fire.

In an article posted Thursday, The Wall Street Journal stated that its system had been "infiltrated by Chinese hackers, apparently to spy on reporters covering China and other issues." Sources at Dow Jones & Co. said the news organization has also been the target of attacks from China.

The U.S. Federal Bureau of Investigation has been probing media-hacking incidents for more than a year and considers the hacking a national-security matter, officials said.

The sophisticated attack on the Times has been cited by some security experts as an indictment of antivirus technology. According to the Mandiant study, the Symantec AV technology used by the Times blocked only one of the 45 pieces of malware used in the exploit.

"Signature-based technologies, such as AV and IPS -- still the cornerstones of many enterprise security strategies -- are actually getting worse at preventing malware infections," says John Prisco, CEO of anti-malware service provider Triumfant.

But Prisco and others note that the shortcomings of AV technology have been known for years. Symantec, itself, issued a statement that indicates that turning on an AV product, by itself, will not completely prevent malware infection.

"Advanced attacks like the ones the New York Times described ... underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions," Symantec said in a public statement. "The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks.

"Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats," the statement says. "We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough."

But Rohyt Belani, CEO of security service provider PhishMe and a former Mandiant employee, says all of the attention given to the Times' antivirus solution belies the more serious problem of how to prevent targeted attacks.

Large enterprises like the Times usually have an array of security tools, including email filtering, intrusion prevention, data leak prevention, and more, Belani notes, yet the Chinese attacks circumvented all of them -- as well as the AV applications -- and continued for a period of four months.

"A determined attacker, in a sophisticated attack like this, is going to get through," Belani says. "Companies need to understand that they not only need to develop good technical defenses, but they need to educate their people. If one employee had spotted something out of the ordinary and reported it, this attack might have been stopped a lot sooner."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Comments
kjhiggins,
User Rank: Strategist
2/1/2013 | 9:57:11 PM
re: Following New York Times Breach, Wall Street Journal Says China Hacked It, Too
Hopefully, all of the affected news organizations are sharing their attack intelligence, etc.

Kelly Jackson Higgins, Senior Editor
Dark Reading