China Attack On The New York Times By The Numbers4:36 PM EST Thu. Jan. 31, 2013
Cyberespionage campaigns, designed to infiltrate businesses and remain stealthy on corporate systems for months and sometimes years, is a serious issue, but often not the kind of attack disclosed to the public by organizations that have been infiltrated, according to security experts. The New York Times reported Thursday that its computer systems were infiltrated after legitimate account credentials were stolen from reporters and other employees. Once inside, the attackers used the valid credentials to remain stealthy on the systems, slipping past corporate antivirus and other security systems. It's an attack technique that's been repeated numerous times in recent years and commonly associated with documented high-profile data breaches, said George Tubin, senior security strategist at Boston-based security firm, Trusteer.
Here's a closer look at how the New York Times attack went down, as well as advice on how companies can reduce the risk of a cyberattacks in their organizations.
The attackers accessed the computers of 53 Times employees. Investigators believe some of the employees were targeted by spearphishing messages to gain an initial foothold into the organization. The targeted attacks typically contain malicious file attachments or links to a malicious Web page. If an employee opens the attachment, the malware is designed to target vulnerabilities on the victim's computer. Without the employee's knowledge, a remote access Trojan is dropped on the victim's machine, and the cybercriminals behind the attacks are notified that the attack was successful. One of the only ways to help reduce the risk of spearphishing is end-user education, said Randy Abrams, research director, at Austin, Texas-based security vendor testing firm NSS Labs. Spearphishing attacks tax heuristics technology used in antivirus beyond its limits, Abrams said.
The cybercriminals behind the attacks targeting the Times appeared to be very well funded and sophisticated, security experts said. Once a cybercriminal has remote access to a victim's machine, more malware is used to achieve the objectives. Investigators discovered 45 pieces of custom malware designed to conduct a number of activities associated with cybercriminal activity. Keyloggers record keystrokes on the victim's machine. Data stealers scan email messages and copy other documents on the victim's machine. At an often programmed time, typically during a period of inactivity on the victim's computer, the malware will send the data to a remote server, where the cybercriminals can retrieve it.
Attackers had nearly four months to watch their targets at the Times. The Data Breach Investigations Report, which analyzed more than 800 data breaches, found that most companies were made aware of the breach by a third-party, such as a law enforcement fraud investigation or service provider. Antivirus has been found to be inadequate against most attacks. The Times, which was using antivirus from Symantec, said it was woefully inadequate; however, Symantec responded saying that antivirus alone is not enough. Security experts point out that while some firms have deployed security information and event management (SIEM) systems to collect log data, few are actively monitoring the appliance to detect anomalous behavior and investigate a problem before it becomes a serious breach.
Once on the corporate network with legitimate account credentials, attackers can attempt to access other systems. The attackers gained access to a domain controller containing the database of hashed passwords of every Times employee, according to the report. Security experts warn that companies should not only hash, but instead add the additional salting protection, making password cracking more difficult. Poor password management policies often make it easy for cybercriminals to crack hashed and even salted passwords. Common passwords seen repeatedly by penetration testers are either easily guessable or a dictionary word that can be cracked with an automated tool.