Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Did Chinese Hackers Hit NY Times?

Some evidence suggests Chinese involvement in recent attack on The New York Times. Meanwhile, Symantec goes into damage-control mode over failure to block hackers.

Attackers have been hacking into systems at The New York Times for the last four months, stealing the corporate passwords for every employee and compromising the home PCs of multiple reporters.

That news broke late Wednesday and was first reported by none other than the Times itself. Officials at the paper said that they had recently mitigated the attack, removed several backdoors installed by attackers on corporate system and reset all users' passwords.

The attacks apparently began after the paper published a story titled "Billions in Hidden Riches For Family of Chinese Leader" on October 25, 2012, which profiled the surprising wealth of the family of Chinese prime minster Wen Jiabao. Strangely, however, the attackers don't appear to have stolen any related information. "Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied," said Jill Abramson, executive editor of the Times, in its story.

"These attackers were not interested in making money. They wanted to spy on the Times," said Mikko Hypponen, chief research officer at F-Secure, in a blog post.

[ What is cyberwarfare, and how should it affect U.S and international security practices? Read Uncertain State Of Cyber War. ]

According to investigators at Mandiant -- the security firm hired by the Times on Nov. 7 to investigate the ongoing attacks -- the sophisticated, advanced persistent threat (APT) attacks were launched by China.

"If you look at each attack in isolation, you can't say, 'This is the Chinese military,'" said Richard Bejtlich, Mandiant's chief security officer. But based on the attackers' malicious code, hacking techniques and command-and-control networks, Mandiant said it had tied the attacks to a group operating from China that it's dubbed "A.P.T. Number 12."

According to Mandiant, a digital forensic analysis of systems at the Times found that this attack commenced on Sept. 13, and that attackers stole hashes of all corporate passwords, which they successfully cracked. Mandiant suspects -- but evidently doesn't have hard evidence to prove -- that the hack was kicked off by a spear-phishing attack. It also said that attackers routed their exploits through compromised university systems in Arizona, New Mexico, North Carolina and Wisconsin, as well as smaller U.S. companies and service providers, which it said matches previously seen Chinese attack patterns.

"When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction," Bejtlich said.

But does the evidence shared to date support the assertion that Chinese attackers -- or the Chinese government -- were actually involved? The Chinese government, for its part, quickly dismissed any suggestion that it had commissioned the Times hack. "Chinese laws prohibit any action including hacking that damages Internet security," read a statement released by China's Ministry of National Defense. "To accuse the Chinese military of launching cyber attacks without solid proof is unprofessional and baseless."

But some security experts think the available facts don't clearly demonstrate Chinese involvement. "The list of potential culprits who could have breached the Times network for information on Asia is far longer than just China," said cyber warfare specialist Jeffrey Carr, who's the CEO of Taia Global, in a blog post. He also noted that tying the attacks to the Oct. 25 story appeared to be an assumption on the part of officials at the Times, since the related attacks began over a month earlier. So while that intrusion could have sparked by reporters conducting research for their Wen Jiabao story, it might also have been unrelated.

Carr also criticized Mandiant's reporting that the attackers appeared to keep Beijing work hours. But he said that workday would also apply to "Bangkok, Singapore, Taiwan, Tibet, Seoul and even Tallinn--all of whom have active hacker populations." In addition, if the attack was launched by the Chinese government, it would have used its Ministry of State Security, which is the Chinese version of the CIA, and that agency likely wouldn't have left recoverable tracks. Finally, one of the remote access Trojan (RAT) attack tools used has been seen in previous attacks launched by Chinese organizations, but the tool has also been used by others and is free to download.

Based on those facts, Carr said, "This article appears to be nothing more than an acknowledgment by the New York Times that they found hackers in their network (that's not really news); that China was to blame (that's Mandiant's go-to culprit), and that no customer data was lost (i.e., the Times isn't liable for a lawsuit)," he said.

Regardless of whether or not there was Chinese involvement in the attacks, how did the attackers manage to compromise systems at the Times for several months before being detected? On this front, the Times names Symantec, saying that although all employees used the firm's antivirus product, it had detected and quarantined only one of the 45 malicious files used by attackers over a three-month period. The rest successfully infected the targeted PCs.

That revelation is an embarrassment for Symantec, and officials at the company moved quickly to try and control any PR fallout, issuing a statement on Thursday saying that "anti-virus software alone is not enough."

"Advanced attacks like the ones the New York Times described ... underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions," read the Symantec statement. "The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats."

Is the attackers' ability to bypass a widely used commercial antivirus product evidence of their sophistication, or possible nation-state backing? Not at all. For starters, determining which antivirus software the Times reporters were using would have been simple: "Maybe the APT operators just checked the customer lists from each of the AVs to see which one had the NYT?" tweeted the vulnerability broker known as The Grugq.

Once attackers identified the antivirus software in place, they could have easily repacked exploits -- generated using relatively inexpensive and easily obtained crimeware toolkits -- and tested them in advance using a free service such as VirusTotal to see if the Symantec antivirus software signatures recognized the exploit. If no match was found, attackers would know that if they could hit a Symantec-using PC at the Times with the malware, the infection would likely be successful.

Can the types of attacks that infected systems at the Timesbe stopped? Some will be blocked, but even with top-notch security defenses, some will still get through.

Hackers Unmasked: Detecting, Analyzing And Taking Action Against Current Threats In this all-day InformationWeek and Dark Reading Virtual Event, experts and vendors will offer a detailed look at how enterprises can detect the latest malware, analyze the most current cyber attacks, and even identify and take action against the attackers. Attendees of the Hackers Unmasked event will also get a look at how cybercriminals operate, how they are motivated -- and what your business can do to stop them. It happens Feb. 7. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
1/31/2013 | 10:29:43 PM
re: Did Chinese Hackers Hit NY Times?
The NY Times' reporting on the incident seems to portray the company as a helpless victim: targeted by the hacker hoardes of a superpower, and failed by a giant security company. I don't quite buy that slant. I'm not trying to apologize for Symantec in any way, but anyone with an ounce of security knowledge understands the extensive limitations of signature-based anti-malware software.

Drew Conry-Murray
Editor, Network Computing
User Rank: Apprentice
1/31/2013 | 9:50:47 PM
re: Did Chinese Hackers Hit NY Times?
No, Most likely it would've been because of a user error. Read the news from other sources as well. Even though they don't have enough evidence, It was believed most likely to be done using spear phising.
Leo Regulus
Leo Regulus,
User Rank: Apprentice
1/31/2013 | 9:44:05 PM
re: Did Chinese Hackers Hit NY Times?
(This is just to good to pass up) 'Only if they were looking for American Take Out'.
User Rank: Apprentice
1/31/2013 | 5:49:02 PM
re: Did Chinese Hackers Hit NY Times?
If their ridiculously easy to circumvent subscription firewall is an indication, it can't have taken the Chinese more than 5 seconds to break in.
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We need more votes, check the obituaries.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-26
KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.
PUBLISHED: 2021-01-26
The ftpd gem 0.2.1 for Ruby allows remote attackers to execute arbitrary OS commands via shell metacharacters in a LIST or NLST command argument within FTP protocol traffic.
PUBLISHED: 2021-01-26
SmartAgent 3.1.0 allows a ViewOnly attacker to create a SuperUser account via the /#/CampaignManager/users URI.
PUBLISHED: 2021-01-26
NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, L4T versions prior to 32.5, contains a vulnerability in the apply_binaries.sh script used to install NVIDIA components into the root file system image, in which improper access control is applied, which may lead to an un...
PUBLISHED: 2021-01-26
NVIDIA Tegra kernel in Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, all L4T versions prior to r32.5, contains a vulnerability in the INA3221 driver in which improper access control may lead to unauthorized users gaining access to system power usage data, which may lead to...