Extra Extra - We Have an Intruder

Posted by Tom Bain on February 7, 2013 at 9:40 AM

By now you may all have heard about the New York Times being attacked by a group of attackers based in China. The group is well-known for being very good at getting what they want out of their attacks.

The Wall Street Journal also stated that it was hacked by the Chinese.

There’s a lot that’s interesting about both of these attacks. First, I think it’s pretty much a given that anyone, regardless of what company you are, which industry your organization is in, or where you are located geographically, is a potential target.

Second, as a Communications practitioner who has worked with the media for a number of years, it’s a really big deal that two of the largest publications, both digital and print, have now been targeted by the Chinese. According to most reports, it’s because they are hell-bent on tracking how they are perceived globally, most notably how they are being reported on in the U.S.

Third, there are the standard impacts that go along with this attack, as with many others, but what’s most troubling about this specific attack on New York Times reporter David Barboza is that if they can get to what they got, they can pretty much do anything they want.

What I mean is, these were pretty sophisticated attacks in terms of what they did, how they did it, and what they were able to access. But if they targeted a specific reporter’s email account, read everything they wanted to because they were looking for sources, and then were able to get further into the NYT network to access the file system and documents, isn’t it possible that they might just start to change the content being delivered to readers in stories?

I don’t doubt for a second that, as part image campaign and part hacking program, attackers might do everything they did here but take it to the next level and alter the articles and advertisements we consume. Sure, forensics experts would help uncover paths, tools and gaps across the infrastructure stack. But to change the product would be kind of a big deal. Right?

NYT Digital would at least have an easier remediation process if its stories were being changed. But people still read the NYT, WSJ and USA Today hard copies; seriously, if you’re a business traveler, what do you have the easiest access to in airports, newsstands and hotels? It would be hard to recall millions of daily copies.

I mentioned earlier that this was sophisticated, but at the initial entry point, according to reports, they are pretty sure that the advanced malware was launched by a spear-phishing attack. Seriously? Well, check one box for the NYT needing security awareness training.

What’s sort of scary, and certainly demonstrates the level of skill this group has, is that apparently they only installed their tools on 53 machines but had access to pretty much whatever they wanted. They were so laser-focused on getting to the accounts of Shanghai bureau chief David Barboza and South Asia bureau chief Jim Yardley, located in India, that they couldn’t have cared less about grabbing anything else they could have. They also actually cracked and had access to all NYT computer passwords, yet didn’t go after any NYT customer data.

It actually gets even more sophisticated, especially in how the intrusion was cloaked. The group tried to disguise its intrusions as it penetrated the NYT network by routing everything through a number of university computers in the US, so that it looked like a bunch of hacking students were executing the attack.

Either way, it’s a fairly monumental attack that deserves continued analysis, because it’s going to continue to happen and there will likely be more evidence and intelligence that we as an industry can learn from. With both software and hardware components at risk, it’s not really just a software security play here.

But I do think it starts with educating employees on general security best practices. If it emerges as a certainty that an NYT employee clicked on a phishing email, then had they initially received security awareness training from, say, a Wombat, which specializes in practical training around topics like “how to avoid falling victim to phishing attacks,” that may have helped.

That said, as the forensics team who conducted the investigation and reverse engineered the Chinese attack puts it, “it’s a matter of when, not if.” Certainly not a happy thought, and I am hoping that our most respected news media outlets can take the appropriate steps to help mitigate the risks involved, so we are all assured of consuming accurate news.

Topics: security awareness, cybersecurity news

Written by Tom Bain