Readers of The New York Times -- this blogger included -- woke up this morning to read that the Gray Lady had been the target of a four-month cyberattack. For IT professionals and security watchers, the news of the attack is worth watching, especially since the alleged hackers targeted individuals instead of the corporate network.
In a January 31 article titled "Hackers in China Attacked The Times for Last 4 Months" (subscription required), the paper reports that following several critical stories about China’s Prime Minister Wen Jiabao and his relatives, hackers based in China attempted to target reporters and other employees in an effort to take password and other critical data.
It's not clear who the cybercriminals are, but NY Times security consultants found that the techniques deployed by the hackers were similar to those used by the Chinese military for cyberespionage. A spokesman for the Chinese government denied any wrongdoing.
One of the more interesting parts of the hacking is some of the techniques that the cybercrooks used to penetrate the NYT. First, the group compromised several computers at different US-based universities and routed malware through those machines. Once inside the network, the crew started stealing the passwords of employees and actually gained access to personal PCs as well.
However, the NYT and its security consultants are still not sure how the attack started. One theory is that the hackers used a spear-phishing technique that targeted individual employees with malicious links in emails. The NYT reports:
They suspect the hackers used a so-called spear-phishing attack, in which they send e-mails to employees that contain malicious links or attachments. All it takes is one click on the e-mail by an employee for hackers to install "remote access tools" -- or RATs. Those tools can siphon off oceans of data -- passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras -- and send the information back to the attackers’ Web servers.
This part of the story is important for IT professionals and security experts, since managing the behavior of employees and workers is one of the hardest parts of keeping the network secure. Even with training, employees remain vulnerable to clever types of attacks. It’s an issue blogger Howard M. Cohen explored in a 2012 post. (See: IT Dilemma: The Segment Between the Keyboard & the Back of the Chair.)
The NYT report also faults Symantec and its antivirus software for not finding more of the malware that the hackers left within the network once they made their way in through backdoors. That was enough for Symantec to counter the paper’s account, while warning that antivirus alone is not enough to stop a complex attack:
Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.
After discovering the hack, the NYT spent several weeks tracking the cybercriminals to identify the weak points in its network, close the backdoors, remove compromised machines, and change hundreds of employee passwords.
These types of attacks, while not as public, are increasing, and the sheer amount of spam and malware being produced is also on the rise. Earlier this month, an Infonetics Research survey found that datacenter distributed denial-of-service (DDoS) attacks were increasing.
While DDoS attacks are different from the types of specialized attacks that the NYT describes, both require sophisticated cybercriminals groups to carry them out, whether the result is targeting data or attacking an infrastructure.
For The New York Times, could the paper have done something different with its security policies to prevent this type of attack? For IT managers, what would you have done differently, and what are the best ways to prevent these attacks in the future?
UPDATE: After Enterprise Conversation published this blog, The Wall Street Journal also reported it had been attacked by a group based in China. As with the NYT, the FBI is investigating.