Attacks/Breaches
2/1/2013
11:17 AM
Tim Wilson
Tim Wilson
Quick Hits
Connect Directly
RSS
E-Mail
50%
50%

Following New York Times Breach, Wall Street Journal Says China Hacked It, Too

FBI says it has been investigating cyberattacks on U.S.-based media outlets for a year

The sophisticated cyberattack launched on The New York Times revealed earlier this week was not the first attack on U.S. media by Chinese entities, officials say.

The New York Times reported an attack targeted at two of its China-based journalists late Wednesday night. According to news reports on the Times attack, entities from China used a combination of spear-phishing and 45 pieces of custom malware to try to obtain the sources of reporters who wrote about the family of Chinese prime minister Wen Jiabao.

The attack, and its subsequent analysis by security firm Mandiant, drew attention from security analysts for its unique level of sophistication. But yesterday officials at The Wall Street Journal said their news bureau in China has also come under fire.

In an article posted Thursday, The Wall Street Journal stated that its system had been "infiltrated by Chinese hackers, apparently to spy on reporters covering Chinea and other issues." Sources at Dow Jones & Co. said the news organization has also been the target of attacks from China.

The U.S. Federal Bureau of Investigation has been probing media-hacking incidents for more than a year and considers the hacking a national-security matter, officials said.

The sophisticated attack on the Times has been cited by some security experts as an indictment of antivirus technology. According to the Mandiant study, the Symantec AV technology used by the Times blocked only one of the 45 pieces of malware used in the exploit.

"Signature-based technologies, such as AV and IPS -- still the cornerstones of many enterprise security strategies -- are actually getting worse at preventing malware infections," says John Prisco, CEO of anti-malware service provider Triumfant.

But Prisco and others note that the shortcomings of AV technology have been known for years. Symantec, itself, issued a statement that indicates that turning on an AV product, by itself, will not completely prevent malware infection.

"Advanced attacks like the ones the New York Times described ... underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions," Symantec said in a public statement. "The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks.

"Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats," the statement says. "We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough."

But Rohyt Belani, CEO of security service provider PhishMe and a former Mandiant employee, says all of the attention given to the Times' antivirus solution belies the more serious problem of how to prevent targeted attacks.

Large enterprises like the Times usually have an array of security tools, including email filtering, intrusion prevention, data leak prevention, and more, Belani notes, yet the Chinese attacks circumvented all of them -- as well as the AV applications -- and continued for a period of four months.

"A determined attacker, in a sophisticated attack like this, is going to get through," Belani says. "Companies need to understand that they not only need to develop good technical defenses, but they need to educate their people. If one employee had spotted something out of the ordinary and reported it, this attack might have been stopped a lot sooner."

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
2/1/2013 | 9:57:11 PM
re: Following New York Times Breach, Wall Street Journal Says China Hacked It, Too
Hopefully, all of the affected the news organizations are sharing their attack intelligence, etc.

Kelly Jackson Higgins, Senior Editor
Dark Reading
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4262
Published: 2014-07-28
svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-...

CVE-2013-4840
Published: 2014-07-28
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

CVE-2013-7393
Published: 2014-07-28
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions...

CVE-2014-2974
Published: 2014-07-28
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

CVE-2014-2975
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.