Lesson learned in cyberattack on The New York Times

The New York Times' description of a cyberespionage campaign waged against the news media company by Chinese hackers demonstrates the importance of assuming that attackers will eventually break into a computer system, and that the best defense is to detect the intrusion as soon as possible.

On Wednesday, The Times disclosed that hackers had persistently attacked its computer systems for four months, and had stolen passwords for reporters and employees. Rather than boot the hackers immediately, The Times chose to study their movements in order to build better defenses against them.

The attacks coincided with an investigative piece the newspaper published Oct. 25 on business dealings that reaped several billion dollars for the relatives of Wen Jiabao, China's prime minister.

The lessons learned from the attack apply to any organization targeted by hackers with a level of sophistication often financed by a nation-state. Potential victims typically include defense contractors, multinational corporations, the military, think tanks and government agencies.

Over the course of the attacks on The Times, the intruders installed 45 pieces of custom malware. With the exception of one instance, the Symantec antivirus software in use detected none of the malware.

One important step the company took in September, when it learned it might be targeted by hackers in China, was to notify its Internet service provider to watch for unusual activity in outbound traffic from the network, experts said Thursday. AT&T eventually did report seeing anomalies, which started The Times investigation and led to its hiring of security firm Mandiant to help it monitor and eventually remove the hackers.

The newspaper believes the hackers initially broke in Sept. 13 through a spear-phishing attack, in which carefully crafted emails are sent to specific people within an organization to trick them into opening a malware-carrying attachment or visiting a malicious website. The break-in occurred while The Times was completing its reporting for the Wen family story.

Besides employee education, ways to combat spear phishing include technology on the laptop that only allows pre-approved applications to run. Called whitelisting, the technology is difficult to manage, because employees will constantly seek permission to run other software.

"There's a lot of management overhead with it, but I think from a security standpoint, it's the right way to go," George Tubin, senior security strategist for Trusteer, said.

Other technology to prevent infection from an employee laptop includes sandboxing that limits applications only to the network resources that they need. Another option is micro-virtualization, which isolates the laptop from business applications and data by running risky tasks within a micro virtual machine.

Other options include exploit detection technology that makes it difficult for hackers to take advantage of vulnerabilities in software. Microsoft's free Enhanced Mitigation Experience Toolkit (EMET) and products from Cyvera are examples of such technology, Lawrence Pingree, an analyst for Gartner, said.


Once The Times' computers were compromised, the hackers installed remote access tools, known as RATs, in order to steal data. Once malware gets into computer systems, one of the better ways of catching it is through appliances that monitor application behavior and network traffic.

Another technology is a security information and event management (SIEM) system, which can capture and analyze logs from network hardware and software to flag abnormalities. Leading SIEM vendors include Hewlett-Packard, EMC-owned RSA, McAfee, Symantec, LogLogic and Q1 Labs, says Gartner.
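The outbound-traffic watch described above (the ISP looking for unusual outbound activity, and appliances or a SIEM flagging abnormalities in network logs) can be illustrated with a small anomaly check. This is an added example, not code from the article or from any vendor it names; the flow records, host names, baseline destinations and thresholds are all constructed.

```python
"""Toy outbound-flow anomaly check: flag connections to destinations outside a
quiet-period baseline, and regular 'beaconing' to a single destination."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_host, dst_ip, bytes_out)
FLOWS = [
    (0, "ws-03", "203.0.113.10", 1200), (50, "ws-03", "203.0.113.10", 900),
    (900, "ws-03", "203.0.113.10", 4000), (1000, "ws-03", "203.0.113.10", 300),
    (3000, "ws-03", "203.0.113.10", 700),
    (0, "ws-17", "198.51.100.7", 512), (600, "ws-17", "198.51.100.7", 512),
    (1200, "ws-17", "198.51.100.7", 512), (1800, "ws-17", "198.51.100.7", 520),
    (2400, "ws-17", "198.51.100.7", 512),
    (100, "ws-05", "203.0.113.20", 2000), (700, "ws-05", "203.0.113.20", 2100),
    (1300, "ws-05", "203.0.113.20", 1900),
    (420, "ws-09", "198.51.100.99", 88),
]
# Constructed baseline: external destinations seen during a known-quiet period.
BASELINE_DSTS = {"203.0.113.10", "203.0.113.20"}

def group_flows(flows):
    """Group records by (src, dst) pair, keeping (timestamp, bytes) per flow."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    return by_pair

def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival gaps; near 0 means a
    very regular schedule. None when there are too few gaps to judge."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m else None

def find_anomalies(flows, baseline, max_cv=0.1, min_conns=4):
    """Return one finding per (src, dst) pair that is a new destination
    and/or shows periodic beaconing, sorted by source host."""
    findings = []
    for (src, dst), recs in group_flows(flows).items():
        ts = sorted(t for t, _ in recs)
        reasons = []
        if dst not in baseline:
            reasons.append("new-destination")
        cv = beacon_score(ts)
        if cv is not None and len(ts) >= min_conns and cv <= max_cv:
            reasons.append("periodic-beacon")
        if reasons:
            findings.append({"src": src, "dst": dst, "conns": len(ts), "reasons": reasons})
    return sorted(findings, key=lambda f: (f["src"], f["dst"]))
```

Real deployments would build the baseline from weeks of traffic and correlate with proxy and DNS logs, but the two signals here (an unfamiliar destination and clockwork timing) are exactly the kind of outbound anomaly the article credits with starting the investigation.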

In general, there is no one technology to combat a sophisticated attack like the one against The Times. Organizations that could become targets have to build layers of security that start with the employee laptop and build inward into the network behind the firewall.

"All of these strategies need to be used together," Pingree said. "There's no silver bullet for security solutions."

For companies that have the resources, The Times' strategy of monitoring the hackers' movements can reveal important intelligence, said Wolfgang Kandek, chief technology officer for Qualys.

For example, hackers may build several openings into a network, so shutting them out too quickly could lead to missing one of those backdoors, Kandek said. "It makes sense to watch for a while."

The Times said it was able to close every backdoor in its network and to use the intelligence it gathered to determine the additional security technology needed to fend off future attacks.

The company also determined that the hackers seemed primarily interested in finding the names of people who might have provided information to the reporter of the Wen family story, Shanghai bureau chief David Barboza. No customer data was stolen.

The hackers infiltrated the computers of 53 employees, most of them outside the newsroom. The attackers tried to cover their tracks by first breaching computers at U.S. universities and then routing the attacks through them, Mandiant said.

Mandiant believes the hackers are members of a group the company calls "A.P.T. Number 12," for Advanced Persistent Threat. The group is one of 20 tracked by Mandiant that are spying on organizations in the U.S. and around the globe.

China's Ministry of National Defense denied it had anything to do with the cyberattacks.

The Times is not the first U.S. news media company to be targeted after reporting on Chinese leaders and corporations. Last year, Chinese hackers tried to penetrate the computers of Bloomberg News after it published a June 29 article on the wealth accumulated by relatives of then Vice President Xi Jinping, who became general secretary of the Communist Party in November and is expected to become president in March.

Also, The Wall Street Journal reported Thursday that its computer systems had been infiltrated by Chinese hackers bent on monitoring the newspaper's China coverage. The break-ins at the three companies along with reports of breaches at other news outlets indicate a widespread campaign to spy on U.S. media, the Journal said.
