Pierluigi Paganini February 01, 2013

The news is sensational as granted one of the most important journal, the New York Times has announced that during the last months it was victim of cyber espionage coordinated by Chinese hackers probably state-sponsored attackers.

The attacks happened in concomitance with the investigation of the journal, published on Oct. 25th, that revealed that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.

On Oct. 25th the AT&T informed The Times journal of suspect activities related ongoing attacks believed to have been perpetrated by the Chinese military.

Jill Abramson, executive editor of The Times declared:

“Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,”

The hackers have tried to compromise the email account of journalists to steal sensible information, what is surprising is that the hackers have tried to infiltrate the network of the journal using 45 instances of targeted malware, as revealed by forensics analysis conducted by Mandiant security firm.

Mandiant experts observed that the hackers began work, for the most part, at 8 a.m. Beijing time operating for a standard work day, but the group of hackers has also attacks stopped for a couple of weeks periodically.

The New York Times reported:

“The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them, said computer security experts at Mandiant, the company hired by The Times. This matches the subterfuge used in many other attacks that Mandiant has tracked to China.”

Jeffrey Carr made an excellent synthesis on his blog post, he explained What did the hackers do:

• They first accessed the network around September 13
• Installed malware that wasn’t detected by Symantec’s anti-virus
• They installed backdoors.
• Obtained passwords for 53 Times employees who didn’t work in the Times’ newsroom
• They “created custom software that allowed them to search for and grab Mr. Barboza’s and Mr. Yardley’s e-mails and documents from a Times e-mail server” but that conflicts with Ms. Abramson’s above statement

The article of NYT on the event referred that the hackers were traced back to the same universities used by the Chinese military to attack U.S. military contractors in the past, such as the Lanxiang Vocational School Argument.

Investigators discovered that hackers cracked the passwords to access to a number of computers within the network, creating custom software that allowed them to search for and grab Mr. Barboza’s and Mr. Yardley’s e-mails and documents from a Times e-mail server.

David Barboza is the Shanghai bureau chief author of the reports on Mr. Wen’s relatives, and Jim Yardley is The Times’s South Asia bureau chief in India, who previously worked as bureau chief in Beijing.

The hackers run the cyber espionage campaign through a number of compromised computer systems belonging to universities in North Carolina, Arizona, Wisconsin and New Mexico, as well as smaller companies and Internet service providers across the United States, according to Mandiant’s investigators.

Hackers used of a Remote Access Tool (RAT), one of the most popular is GhostRAT used by Chinese hacker in many other operations.

What is surprising is that on the overall cyber threats only one trojan has been detected by defense systems used by the New York Time and provided by Symantec company.

Symantec declared that it’s very hard to stop so sophisticated attacks:

“Advanced attacks like the ones the New York Times described in the following article, underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions,”

“Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats.”

Symantec has confirmed that to mitigate these type of attacks it is necessary a different approach that needs extra layers of security, signature-based detection is the principal approach implemented by principal AV software but it is not efficient against 0-day attacks.

Many experts agreed that endpoint monitoring was no longer sufficient to protect corporates from targeted Advanced Persistent Threats.

Another part of experts doesn’t accept that solution such as the one provided by Symantec is not sufficient to preserve internal networks from cyber attacks.

The cyber espionage is a practice subtle, insidious for which it is difficult tracks the real origin of the attacks, China certainly seems to be the main cause any other actor might be interested to infiltrate the networks of the popular newspaper.

Pierluigi Paganini