Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Did Chinese Hackers Hit NY Times?

Some evidence suggests Chinese involvement in recent attack on The New York Times. Meanwhile, Symantec goes into damage-control mode over failure to block hackers.

Attackers have been hacking into systems at The New York Times for the last four months, stealing the corporate passwords for every employee and compromising the home PCs of multiple reporters.

That news broke late Wednesday and was first reported by none other than the Times itself. Officials at the paper said that they had recently mitigated the attack, removed several backdoors installed by attackers on corporate system and reset all users' passwords.

The attacks apparently began after the paper published a story titled "Billions in Hidden Riches For Family of Chinese Leader" on October 25, 2012, which profiled the surprising wealth of the family of Chinese prime minster Wen Jiabao. Strangely, however, the attackers don't appear to have stolen any related information. "Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied," said Jill Abramson, executive editor of the Times, in its story.

"These attackers were not interested in making money. They wanted to spy on the Times," said Mikko Hypponen, chief research officer at F-Secure, in a blog post.

[ What is cyberwarfare, and how should it affect U.S and international security practices? Read Uncertain State Of Cyber War. ]

According to investigators at Mandiant -- the security firm hired by the Times on Nov. 7 to investigate the ongoing attacks -- the sophisticated, advanced persistent threat (APT) attacks were launched by China.

"If you look at each attack in isolation, you can't say, 'This is the Chinese military,'" said Richard Bejtlich, Mandiant's chief security officer. But based on the attackers' malicious code, hacking techniques and command-and-control networks, Mandiant said it had tied the attacks to a group operating from China that it's dubbed "A.P.T. Number 12."

According to Mandiant, a digital forensic analysis of systems at the Times found that this attack commenced on Sept. 13, and that attackers stole hashes of all corporate passwords, which they successfully cracked. Mandiant suspects -- but evidently doesn't have hard evidence to prove -- that the hack was kicked off by a spear-phishing attack. It also said that attackers routed their exploits through compromised university systems in Arizona, New Mexico, North Carolina and Wisconsin, as well as smaller U.S. companies and service providers, which it said matches previously seen Chinese attack patterns.

"When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction," Bejtlich said.

But does the evidence shared to date support the assertion that Chinese attackers -- or the Chinese government -- were actually involved? The Chinese government, for its part, quickly dismissed any suggestion that it had commissioned the Times hack. "Chinese laws prohibit any action including hacking that damages Internet security," read a statement released by China's Ministry of National Defense. "To accuse the Chinese military of launching cyber attacks without solid proof is unprofessional and baseless."

But some security experts think the available facts don't clearly demonstrate Chinese involvement. "The list of potential culprits who could have breached the Times network for information on Asia is far longer than just China," said cyber warfare specialist Jeffrey Carr, who's the CEO of Taia Global, in a blog post. He also noted that tying the attacks to the Oct. 25 story appeared to be an assumption on the part of officials at the Times, since the related attacks began over a month earlier. So while that intrusion could have sparked by reporters conducting research for their Wen Jiabao story, it might also have been unrelated.

Carr also criticized Mandiant's reporting that the attackers appeared to keep Beijing work hours. But he said that workday would also apply to "Bangkok, Singapore, Taiwan, Tibet, Seoul and even Tallinn--all of whom have active hacker populations." In addition, if the attack was launched by the Chinese government, it would have used its Ministry of State Security, which is the Chinese version of the CIA, and that agency likely wouldn't have left recoverable tracks. Finally, one of the remote access Trojan (RAT) attack tools used has been seen in previous attacks launched by Chinese organizations, but the tool has also been used by others and is free to download.

Based on those facts, Carr said, "This article appears to be nothing more than an acknowledgment by the New York Times that they found hackers in their network (that's not really news); that China was to blame (that's Mandiant's go-to culprit), and that no customer data was lost (i.e., the Times isn't liable for a lawsuit)," he said.

Regardless of whether or not there was Chinese involvement in the attacks, how did the attackers manage to compromise systems at the Times for several months before being detected? On this front, the Times names Symantec, saying that although all employees used the firm's antivirus product, it had detected and quarantined only one of the 45 malicious files used by attackers over a three-month period. The rest successfully infected the targeted PCs.

That revelation is an embarrassment for Symantec, and officials at the company moved quickly to try and control any PR fallout, issuing a statement on Thursday saying that "anti-virus software alone is not enough."

"Advanced attacks like the ones the New York Times described ... underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions," read the Symantec statement. "The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats."

Is the attackers' ability to bypass a widely used commercial antivirus product evidence of their sophistication, or possible nation-state backing? Not at all. For starters, determining which antivirus software the Times reporters were using would have been simple: "Maybe the APT operators just checked the customer lists from each of the AVs to see which one had the NYT?" tweeted the vulnerability broker known as The Grugq.

Once attackers identified the antivirus software in place, they could have easily repacked exploits -- generated using relatively inexpensive and easily obtained crimeware toolkits -- and tested them in advance using a free service such as VirusTotal to see if the Symantec antivirus software signatures recognized the exploit. If no match was found, attackers would know that if they could hit a Symantec-using PC at the Times with the malware, the infection would likely be successful.

Can the types of attacks that infected systems at the Timesbe stopped? Some will be blocked, but even with top-notch security defenses, some will still get through.

Hackers Unmasked: Detecting, Analyzing And Taking Action Against Current Threats In this all-day InformationWeek and Dark Reading Virtual Event, experts and vendors will offer a detailed look at how enterprises can detect the latest malware, analyze the most current cyber attacks, and even identify and take action against the attackers. Attendees of the Hackers Unmasked event will also get a look at how cybercriminals operate, how they are motivated -- and what your business can do to stop them. It happens Feb. 7. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
1/31/2013 | 10:29:43 PM
re: Did Chinese Hackers Hit NY Times?
The NY Times' reporting on the incident seems to portray the company as a helpless victim: targeted by the hacker hoardes of a superpower, and failed by a giant security company. I don't quite buy that slant. I'm not trying to apologize for Symantec in any way, but anyone with an ounce of security knowledge understands the extensive limitations of signature-based anti-malware software.

Drew Conry-Murray
Editor, Network Computing
User Rank: Apprentice
1/31/2013 | 9:50:47 PM
re: Did Chinese Hackers Hit NY Times?
No, Most likely it would've been because of a user error. Read the news from other sources as well. Even though they don't have enough evidence, It was believed most likely to be done using spear phising.
Leo Regulus
Leo Regulus,
User Rank: Apprentice
1/31/2013 | 9:44:05 PM
re: Did Chinese Hackers Hit NY Times?
(This is just to good to pass up) 'Only if they were looking for American Take Out'.
User Rank: Apprentice
1/31/2013 | 5:49:02 PM
re: Did Chinese Hackers Hit NY Times?
If their ridiculously easy to circumvent subscription firewall is an indication, it can't have taken the Chinese more than 5 seconds to break in.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Chinese Attackers' Favorite Flaws Prove Global Threats, Research Shows
Kelly Sheridan, Staff Editor, Dark Reading,  10/27/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-28
An Insecure Direct Object Reference vulnerability in Citadel WebCit through 926 allows authenticated remote attackers to read someone else's emails via the msg_confirm_move template. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926&qu...
PUBLISHED: 2020-10-28
Genexis Platinum-4410 P4410-V2-1.28 devices allow stored XSS in the WLAN SSID parameter. This could allow an attacker to perform malicious actions in which the XSS popup will affect all privileged users.
PUBLISHED: 2020-10-28
An issue was discovered in QSC Q-SYS Core Manager 8.2.1. By utilizing the TFTP service running on UDP port 69, a remote attacker can perform a directory traversal and obtain operating system files via a TFTP GET request, as demonstrated by reading /etc/passwd or /proc/version.
PUBLISHED: 2020-10-28
The God Kings application 0.60.1 for Android exposes a broadcast receiver to other apps called com.innogames.core.frontend.notifications.receivers.LocalNotificationBroadcastReceiver. The purpose of this broadcast receiver is to show an in-game push notification to the player. However, the applicatio...
PUBLISHED: 2020-10-28
A Weak Session Management vulnerability in Citadel WebCit through 926 allows unauthenticated remote attackers to hijack recently logged-in users' sessions. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926" thread.