InformationWeek


Did Chinese Hackers Hit NY Times?

Some evidence suggests Chinese involvement in recent attack on The New York Times. Meanwhile, Symantec goes into damage-control mode over failure to block hackers.

Attackers have been hacking into systems at The New York Times for the last four months, stealing the corporate passwords for every employee and compromising the home PCs of multiple reporters.

That news broke late Wednesday and was first reported by none other than the Times itself. Officials at the paper said that they had recently mitigated the attack, removed several backdoors installed by the attackers on corporate systems and reset every user's password.


The Times linked the attacks to a story it published on Oct. 25, 2012, titled "Billions in Hidden Riches For Family of Chinese Leader," which profiled the unexpected wealth of the family of Chinese prime minister Wen Jiabao. Strangely, however, the attackers don't appear to have stolen any related information. "Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied," said Jill Abramson, executive editor of the Times, in its story.

"These attackers were not interested in making money. They wanted to spy on the Times," said Mikko Hypponen, chief research officer at F-Secure, in a blog post.


According to investigators at Mandiant -- the security firm hired by the Times on Nov. 7 to investigate the ongoing attacks -- the sophisticated, advanced persistent threat (APT) attacks were launched from China.

"If you look at each attack in isolation, you can't say, 'This is the Chinese military,'" said Richard Bejtlich, Mandiant's chief security officer. But based on the attackers' malicious code, hacking techniques and command-and-control networks, Mandiant said it had tied the attacks to a group operating from China that it's dubbed "A.P.T. Number 12."

According to Mandiant, a digital forensic analysis of systems at the Times found that this attack commenced on Sept. 13, and that the attackers stole the hashed passwords of every corporate user and cracked them offline. Mandiant suspects -- but evidently doesn't have hard evidence to prove -- that the hack was kicked off by a spear-phishing attack. It also said that the attackers routed their exploits through compromised university systems in Arizona, New Mexico, North Carolina and Wisconsin, as well as smaller U.S. companies and service providers, which it said matches previously seen Chinese attack patterns. (Note that this relay pattern also means the source addresses seen at the Times say nothing, by themselves, about where the operators sat.)
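A worked example of why a stolen hash dump is as good as the passwords themselves, added here by the editor; it is not code from the Times or Mandiant reporting. The hash type, accounts, passwords and wordlist are all constructed for illustration (SHA-1 stands in for whatever unsalted fast digest a directory might store; the arithmetic is the same for NT hashes or unsalted MD5), and the salted PBKDF2 store shows what the defender's storage choice costs an attacker running the same wordlist.

```python
import hashlib
import os

# Constructed wordlist: a tiny stand-in for the multi-gigabyte lists used in practice.
WORDLIST = ["password", "Welcome1", "Summer2012", "letmein", "Qwerty123", "nyt2012!"]


def fast_hash(password):
    # Assumption: the stolen hashes were an unsalted fast digest. SHA-1 stands in here.
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed dump, laid out as an attacker would hold it: username -> stored hash.
UNSALTED_DUMP = {
    "alice": fast_hash("Summer2012"),
    "bob": fast_hash("Welcome1"),
    "carol": fast_hash("x7#Lq!9vRt2mZ"),  # strong: not in any wordlist
}


def crack_unsalted(dump, wordlist):
    """Hash each candidate once, then look every user up in the result: the cost
    grows with the wordlist, not with the number of accounts in the dump."""
    table = {fast_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)  # (plaintexts recovered, hash computations spent)


def slow_hash(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_salted_store(passwords, iterations):
    """Defender side: a per-user random salt plus a deliberately slow KDF."""
    store = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        store[user] = (salt, slow_hash(pw, salt, iterations))
    return store


def crack_salted(store, wordlist, iterations):
    """Per-user salts kill the shared lookup table: every candidate is re-derived
    for every user, and each derivation costs `iterations` HMAC rounds."""
    cracked, guesses = {}, 0
    for user, (salt, digest) in store.items():
        for w in wordlist:
            guesses += 1
            if slow_hash(w, salt, digest.__len__() and iterations) == digest:
                cracked[user] = w
                break
    return cracked, guesses * iterations  # (plaintexts recovered, HMAC rounds spent)


def compare(iterations=100_000):
    """Same users and passwords under both storage schemes; returns what each
    scheme gave up to the wordlist and what it cost the attacker."""
    plaintexts = {"alice": "Summer2012", "bob": "Welcome1", "carol": "x7#Lq!9vRt2mZ"}
    fast_cracked, fast_cost = crack_unsalted(UNSALTED_DUMP, WORDLIST)
    store = make_salted_store(plaintexts, iterations)
    slow_cracked, slow_cost = crack_salted(store, WORDLIST, iterations)
    return {
        "unsalted_cracked": fast_cracked,
        "unsalted_cost": fast_cost,
        "salted_cracked": slow_cracked,
        "salted_cost": slow_cost,
        "cost_ratio": slow_cost // fast_cost,
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

The honest result is that the weak passwords fall under both schemes; the slow, salted store only multiplies the attacker's work by several orders of magnitude and buys time. That is why the right response once a dump is confirmed is what the Times did: reset every password, rather than hoping the hashes hold.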

"When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction," Bejtlich said.

But does the evidence shared to date support the assertion that Chinese attackers -- or the Chinese government -- were actually involved? The Chinese government, for its part, quickly dismissed any suggestion that it had commissioned the Times hack. "Chinese laws prohibit any action including hacking that damages Internet security," read a statement released by China's Ministry of National Defense. "To accuse the Chinese military of launching cyber attacks without solid proof is unprofessional and baseless."

But some security experts think the available facts don't clearly demonstrate Chinese involvement. "The list of potential culprits who could have breached the Times network for information on Asia is far longer than just China," said cyber warfare specialist Jeffrey Carr, who's the CEO of Taia Global, in a blog post. He also noted that tying the attacks to the Oct. 25 story appeared to be an assumption on the part of officials at the Times, since the attacks began over a month earlier. So while that intrusion could have been sparked by reporters conducting research for their Wen Jiabao story, it might also have been unrelated.

Carr also took issue with Mandiant's observation that the attackers appeared to keep Beijing working hours, noting that the same workday applies equally to "Bangkok, Singapore, Taiwan, Tibet, Seoul and even Tallinn--all of whom have active hacker populations." He further argued that if the Chinese government had launched the attack, it would have used its Ministry of State Security, China's counterpart to the CIA, which likely wouldn't have left recoverable tracks. Finally, one of the remote access Trojan (RAT) tools used has appeared in previous attacks attributed to Chinese groups, but it has also been used by others and is free to download.

Based on those facts, Carr said, "This article appears to be nothing more than an acknowledgment by the New York Times that they found hackers in their network (that's not really news); that China was to blame (that's Mandiant's go-to culprit), and that no customer data was lost (i.e., the Times isn't liable for a lawsuit)."

Regardless of whether there was Chinese involvement in the attacks, how did the attackers manage to compromise systems at the Times for several months before being detected? On this front, the Times named Symantec, saying that although all employees used the firm's antivirus product, it had detected and quarantined only one of the 45 malicious files used by the attackers over a three-month period. The rest successfully infected the targeted PCs.

That revelation is an embarrassment for Symantec, and officials at the company moved quickly to try and control any PR fallout, issuing a statement on Thursday saying that "anti-virus software alone is not enough."

"Advanced attacks like the ones the New York Times described ... underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions," read the Symantec statement. "The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone is not enough in a world that is changing daily from attacks and threats."

Is the attackers' ability to bypass a widely used commercial antivirus product evidence of their sophistication, or possible nation-state backing? Not at all. For starters, determining which antivirus software the Times reporters were using would have been simple: "Maybe the APT operators just checked the customer lists from each of the AVs to see which one had the NYT?" tweeted the vulnerability broker known as The Grugq.

Once the attackers identified the antivirus software in place, they could have easily repacked their malware -- generated using relatively inexpensive and easily obtained crimeware toolkits -- and tested it in advance against a free multi-engine service such as VirusTotal to see whether Symantec's signatures recognized it. If no match was found, the attackers would know that if they could land the file on a Symantec-protected PC at the Times, the infection would likely succeed. (Practitioners would add one caveat: samples uploaded to VirusTotal are shared with the participating antivirus vendors, so attackers who care about staying undetected for months tend to use private multi-scanner services that don't.)

Can the types of attacks that infected systems at the Times be stopped? Some will be blocked, but even with top-notch security defenses, some will still get through.

