Stealthy and sophisticated hackers spent four months infiltrating computer networks at The New York Times, ripping off passwords of reporters in an attempt to uncover information related to a story the newspaper wrote in October about the fortune amassed by relatives of China’s prime minister, the publication disclosed in an article Wednesday.
The culprits are believed to be from China, and they used a number of techniques to hide their tracks and access computers of Times employees. This included routing their IP addresses through compromised systems at colleges across the country, spear phishing targets to install remote access trojans, creating backdoors and compromising domain controllers to crack the password for every Times employee. It’s unclear if the intruders relied on any zero-day vulnerabilities to gain initial access or pivot across the network.
However, the Times said there is no evidence any emails or files from its reporters were accessed, and no customer information was affected. Still, the attack had even hardened observers of the security industry buzzing.
“The most important thing to realize is that this was a targeted attack, not a random attack, not an opportunistic attack,” Seven Bellovin, chief technologist at the Federal Trade Commission, who is on leave from Columbia University in New York where he is a computer science professor, told SCMagazine.com.
Mandiant, the forensic and incident response company hired by the paper on Nov. 7 to investigate, watch the hackers’ movements and help remediate the threat, determined that the spies first hijacked computers on Sept. 13, around the time when David Barboza, The Times‘ Shanghai bureau chief, was completing his reporting for a story on the relatives of Wen Jiabo, the prime minister of China, who all stockpiled massive wealth through questionable business dealings.
It is now believed that the cyber adversaries were based in China, possibly part of the military. Sometime in October, The Times “learned of warnings from Chinese government officials that its investigation into the wealth of Mr. Wen’s relatives would ‘have consequences.'” It asked its network provider, AT&T, to look into the matter. On Oct. 25, the day Barboza’s article was published, AT&T told the paper that it had found activity consistent with Chinese military actions. That’s when Mandiant was brought on.
China’s government has denied any involvement.
Determining attribution of cyber attacks is tricky, considering all of the ways miscreants can hide their tracks. But Mandiant seems confident the country is to blame.
“Mandiant has been tracking about 20 groups that are spying on organizations inside the United States and around the globe,” the story said. “Its investigators said that based on the evidence – the malware used, the command-and-control centers compromised and the hackers’ techniques – The Times was attacked by a group of Chinese hackers that Mandiant refers to internally as ‘A.P.T. Number 12.'”
“Traditional AV is failing according to everyone’s understanding up to, and including, Symantec.”
– Seven Bellovin, chief technologist, Federal Trade Commission
Bellovin said investigators need to “take what you can get in attribution.” Still, he pointed out that the case naming China as the source is circumstantial.
“I think the issue is there’s no smoking gun,” he said. “You’ve never had a commando go into China and seize the computers and show the source code on them.”
This is not the first time journalists based in China have been targeted by spies. And the attack against the Times also serves as further indication that traditional mainstays, such as anti-virus protection, are not suitable to deter today’s most advanced, home-grown malware. The newspaper said its AV provider, Symantec, identified the attacker’s software as malicious just one time.
Big Yellow responded with a statement: “Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats,” the company said. “We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.”
Interestingly, The Times ran a report Jan. 1, headlined “Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt,” which quoted Symantec.
Security experts weren’t surprised The Times was breached, considering there have been a number of high-profile companies that have succumbed to sophisticated espionage threats, including Google and security firm RSA. There’s a widely held belief in the security industry that organizations should assume all of their endpoints already have been compromised.
But Roel Schouwenberg, a senior anti-virus researcher at Kaspersky Lab, which has discovered such potent malware as Flame and operations like “Red October,” said in a tweet that while the disclosure details were appreciated, more specifics are needed.
“[T]he security industry needs tech details to make sure other targets are better protected,” he said.
And the hack reopened debate over the effectiveness of anti-virus, with some big-name security vendors running to defend their solutions, while also admitting the problem is complex.
“Advanced persistent attacks are very difficult to block, and so far nobody has a complete answer to them, and never will as attackers will adapt to whatever defenses you have,” blogged Jarno Nimela, senor security researcher at F-Secure, on Thursday. “AV is one important layer against advanced attacks, but is not alone enough. But then again, without AV you would have to worry about advanced attacks and all the rest that you currently are being protected from. So how does it help to advocate to not to use AV and increase your attack surface even further?”
Bellovin said installing advanced anti-virus capabilities, such as anomaly detection, is sometimes easier said than done. He cited cost, performance issues and false positives as reasons some organizations may decide against it. But, change is needed.
“Traditional AV is failing according to everyone’s understanding up to, and including, Symantec,” he said. “The question is, now what?”