Did Chinese Hackers Hit emNY Times/em?

  /     /     /  
Publicated : 22/11/2024   Category : security


Did Chinese Hackers Hit emNY Times/em?


Some evidence suggests Chinese involvement in recent attack on The New York Times. Meanwhile, Symantec goes into damage-control mode over failure to block hackers.



Attackers have been hacking into systems at
The New York Times
for the last four months, stealing the corporate passwords for every employee and compromising the home PCs of multiple reporters.
That news broke late Wednesday and was first
reported
by none other than the
Times
itself. Officials at the paper said that they had recently mitigated the attack, removed several backdoors installed by attackers on corporate system and
reset all users passwords
.
The attacks apparently began after the paper published a
story
titled Billions in Hidden Riches For Family of Chinese Leader on October 25, 2012, which profiled the surprising wealth of the family of Chinese prime minster Wen Jiabao. Strangely, however, the attackers dont appear to have stolen any related information. Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied, said Jill Abramson, executive editor of the
Times
, in its story.
These attackers were not interested in making money. They wanted to spy on the
Times
, said Mikko Hypponen, chief research officer at F-Secure, in a
blog post
.
[ What is cyberwarfare, and how should it affect U.S and international security practices? Read
Uncertain State Of Cyber War
. ]
According to investigators at
Mandiant
-- the security firm hired by the
Times
on Nov. 7 to investigate the ongoing attacks -- the sophisticated,
advanced persistent threat
(APT) attacks were launched by China.
If you look at each attack in isolation, you cant say, This is the Chinese military, said Richard Bejtlich, Mandiants chief security officer. But based on the attackers malicious code, hacking techniques and command-and-control networks, Mandiant said it had tied the attacks to a group operating from China that its dubbed A.P.T. Number 12.
According to Mandiant, a digital forensic analysis of systems at the
Times
found that this attack commenced on Sept. 13, and that attackers stole hashes of all corporate passwords, which they successfully cracked. Mandiant suspects -- but evidently doesnt have hard evidence to prove -- that the hack was kicked off by a
spear-phishing attack
. It also said that attackers routed their exploits through compromised university systems in Arizona, New Mexico, North Carolina and Wisconsin, as well as smaller U.S. companies and service providers, which it said matches previously seen Chinese attack patterns.
When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction, Bejtlich said.
But does the evidence shared to date support the assertion that Chinese attackers -- or the Chinese government -- were actually involved? The Chinese government, for its part, quickly dismissed any suggestion that it had commissioned the
Times
hack. Chinese laws prohibit any action including hacking that damages Internet security, read a statement released by Chinas Ministry of National Defense. To accuse the Chinese military of launching cyber attacks without solid proof is unprofessional and baseless.
But some security experts think the available facts dont clearly demonstrate Chinese involvement. The list of potential culprits who could have breached the
Times
network for information on Asia is far longer than just China, said cyber warfare specialist Jeffrey Carr, whos the CEO of Taia Global, in a
blog post
. He also noted that tying the attacks to the Oct. 25 story appeared to be an assumption on the part of officials at the
Times
, since the related attacks began over a month earlier. So while that intrusion could have sparked by reporters conducting research for their Wen Jiabao story, it might also have been unrelated.
Carr also criticized Mandiants reporting that the attackers appeared to keep Beijing work hours. But he said that workday would also apply to Bangkok, Singapore, Taiwan, Tibet, Seoul and even Tallinn--all of whom have active hacker populations. In addition, if the attack was launched by the Chinese government, it would have used its Ministry of State Security, which is the Chinese version of the CIA, and that agency likely wouldnt have left recoverable tracks. Finally, one of the
remote access Trojan
(RAT) attack tools used has been seen in previous attacks launched by Chinese organizations, but the tool has also been used by others and is free to download.
Based on those facts, Carr said, This article appears to be nothing more than an acknowledgment by the
New York Times
that they found hackers in their network (thats not really news); that China was to blame (thats Mandiants go-to culprit), and that no customer data was lost (i.e., the
Times
isnt liable for a lawsuit), he said.
Regardless of whether or not there was Chinese involvement in the attacks, how did the attackers manage to compromise systems at the
Times
for several months before being detected? On this front, the
Times
names Symantec, saying that although all employees used the firms antivirus product, it had detected and quarantined only one of the 45 malicious files used by attackers over a three-month period. The rest successfully infected the targeted PCs.
That revelation is an
embarrassment for Symantec
, and officials at the company moved quickly to try and control any PR fallout, issuing a
statement
on Thursday saying that anti-virus software alone is not enough.
Advanced attacks like the ones the
New York Times
described ... underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions, read the Symantec statement. The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats.
Is the attackers ability to bypass a widely used commercial antivirus product evidence of their sophistication, or possible nation-state backing? Not at all. For starters, determining which antivirus software the
Times
reporters were using would have been simple: Maybe the APT operators just checked the customer lists from each of the AVs to see which one had the NYT?
tweeted
the vulnerability broker known as The Grugq. Once attackers identified the antivirus software in place, they could have easily
repacked exploits
-- generated using relatively inexpensive and easily obtained
crimeware toolkits
-- and tested them in advance using a free service such as
VirusTotal
to see if the Symantec antivirus software signatures recognized the exploit. If
no match was found
, attackers would know that if they could hit a Symantec-using PC at the
Times
with the malware, the infection would likely be successful. Can the types of attacks that infected systems at the
Times
be stopped? Some will be blocked, but even with top-notch security defenses, some will still get through. Hackers Unmasked: Detecting, Analyzing And Taking Action Against Current Threats
In this all-day InformationWeek and Dark Reading Virtual Event, experts and vendors will offer a detailed look at how enterprises can detect the latest malware, analyze the most current cyber attacks, and even identify and take action against the attackers. Attendees of the
Hackers Unmasked
event will also get a look at how cybercriminals operate, how they are motivated -- and what your business can do to stop them. It happens Feb. 7. (Free registration required.)

Last News

▸ Senate wants changes to cybercrime law. ◂
Discovered: 23/12/2024
Category: security

▸ Car Sector Speeds Up In Security. ◂
Discovered: 23/12/2024
Category: security

▸ Making use of a homemade Android army ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Did Chinese Hackers Hit emNY Times/em?