Wednesday, February 13, 2013

Chinese hackers attacked New York Times computers for four months

That's not a first: opponents to non-democratic regimes being harassed because they revealed something nasty. This story is no different.

The NY Times published an article about China's leader, Wen Jiabao, and some possible financial "indelicacies" of his family.

The Chinese government informed the NY Times that there will be "consequences" to the article. And there were.

The attack apparently started on September 13, 2012. The initial vector seems to be a spear phishing attack, which lead to systems being compromised and remote access tools installed. On October 25 ,2012, AT&T informed the company that "suspicious communications were spotted." This puts the detection time to about a month, not a very long time in the APT world.

Mandiant was mandated to investigate the breach, and found that the attack was consistent with others perpetrated by Chinese hackers associated with the Chinese military. China has always either denied or refused to comment on such attacks.

The most likely goal of the attack was to find who told to the reporters, possibly for further "actions."

The article on Ars Technica is here.

Interestingly enough, the next day, an article was published mentioning that the Wall Street Journal was also hit by Chinese hackers, with the same intent: monitor and control the newspapers's coverage of China. The Washington Post also claimed its networks were compromised, probably by the same source.

In at least two cases, the antivirus provided by Symantec failed to detect the malware. Which is normal. An AV is only one component in a line of complex defenses, and relying solely on it is akin to just decide that your immune system is enough to cope with all the dirt you may find in the world, and ditch hospitals, doctors and hygiene.

In the NYTimes case, in addition to the AV and, most likely, other tools, the provider was involved into monitoring the activity. Which paid off: AT&T detected the "strange activity" which led to the discovery of the malware.