2/1/2013
11:17 AM
Tim Wilson

Following New York Times Breach, Wall Street Journal Says China Hacked It, Too

FBI says it has been investigating cyberattacks on U.S.-based media outlets for a year

The sophisticated cyberattack launched on The New York Times revealed earlier this week was not the first attack on U.S. media by Chinese entities, officials say.

The New York Times reported an attack targeted at two of its China-based journalists late Wednesday night. According to news reports on the Times attack, entities from China used a combination of spear-phishing and 45 pieces of custom malware to try to obtain the sources of reporters who wrote about the family of Chinese prime minister Wen Jiabao.

The attack, and its subsequent analysis by security firm Mandiant, drew attention from security analysts for its unique level of sophistication. But yesterday officials at The Wall Street Journal said their news bureau in China has also come under fire.

In an article posted Thursday, The Wall Street Journal stated that its system had been "infiltrated by Chinese hackers, apparently to spy on reporters covering China and other issues." Sources at Dow Jones & Co. said the news organization has also been the target of attacks from China.

The U.S. Federal Bureau of Investigation has been probing media-hacking incidents for more than a year and considers the hacking a national-security matter, officials said.

The sophisticated attack on the Times has been cited by some security experts as an indictment of antivirus technology. According to the Mandiant study, the Symantec AV technology used by the Times blocked only one of the 45 pieces of malware used in the exploit.

"Signature-based technologies, such as AV and IPS -- still the cornerstones of many enterprise security strategies -- are actually getting worse at preventing malware infections," says John Prisco, CEO of anti-malware service provider Triumfant.

But Prisco and others note that the shortcomings of AV technology have been known for years. Symantec itself issued a statement indicating that turning on an AV product alone will not completely prevent malware infection.

"Advanced attacks like the ones the New York Times described ... underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions," Symantec said in a public statement. "The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks.

"Turning on only the signature-based anti-virus components of endpoint solutions alone is not enough in a world that is changing daily from attacks and threats," the statement says. "We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough."

But Rohyt Belani, CEO of security service provider PhishMe and a former Mandiant employee, says all of the attention given to the Times' antivirus solution obscures the more serious problem of how to prevent targeted attacks.

Large enterprises like the Times usually have an array of security tools, including email filtering, intrusion prevention, data leak prevention, and more, Belani notes, yet the Chinese attacks circumvented all of them -- as well as the AV applications -- and continued for a period of four months.

"A determined attacker, in a sophisticated attack like this, is going to get through," Belani says. "Companies need to understand that they not only need to develop good technical defenses, but they need to educate their people. If one employee had spotted something out of the ordinary and reported it, this attack might have been stopped a lot sooner."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Comments
kjhiggins,
User Rank: Strategist
2/1/2013 | 9:57:11 PM
re: Following New York Times Breach, Wall Street Journal Says China Hacked It, Too
Hopefully, all of the affected news organizations are sharing their attack intelligence, etc.

Kelly Jackson Higgins, Senior Editor
Dark Reading