Forensic Investigators Track Times Attack Step By Step

By Robert Westervelt
February 01, 2013 9:40 AM ET

Page 1 of 2

The cybercriminals targeting The New York Times had specific instructions to attack two employees and, although they gained access to the account credentials of every employee, they stuck to their mission, according to the computer forensics team that investigated the incident.

The breach, which began with a spearphishing email laced with malware, targeted two reporters in the Times newsroom working on a story about Chinese Prime Minister Wen Jiabao and his business dealings. The attackers used custom tools, but the techniques used to find their ultimate target are common in most advanced persistent threats, said Richard Bejtlich, chief security officer of Alexandria, Va.-based Mandiant, the forensics firm hired by the Times to investigate the attack.

"They could have accessed hundreds of computers but they scoped it to only 53 and, even more specifically, they paid most of their attention to these two reporters who were working on a story that was of intense interest to the Chinese government," Bejtlich told CRN. "It's not consistent with a lot of other intrusions that we've seen, although this group that perpetrated this action had been active in hundreds of other companies."

The intrusion lasted four months. Bejtlich said investigators could deduce what the tasking order looked like: Find out what the two reporters were going to say; find out who their sources were; and find out who they were speaking with.

Although the attackers used the same hacking techniques used in previous targeted attacks against Google, RSA, the Security Division of EMC and hundreds of other firms, the tools used by the cybercriminals linked them to a gang being tracked by security researchers, Bejtlich said.

Investigators found the forensic evidence linking the first victim of the attack. They then found the Trojan dropper used to establish a command post to remotely link up with the cybercriminal gang believed to be hired to conduct the operation. In total, more than 45 pieces of custom malware were used in the attack, mainly to remain stealthy on the Times' corporate systems, Bejtlich said.

"They used the tools they needed to get from one system to another," he said. "In this case we saw some custom tools to parse the reporter's email to look for data of interest."

NEXT: Anatomy Of The Attack Yields Ways For Better Defenses

1 | 2 | Next >>

To continue reading this article, please download the free CRN Tech News app for your iPad or Windows 8 device.

Related: Videos | Slide Shows | Comments

SHARE THIS ARTICLE

More Security

Comments by Vanilla

Recent Articles

	Head-To-Head: Symantec Vs. McAfee In Endpoint Protection McAfee and Symantec are archrivals with a firm grip on the North American security market. CRN pits both vendors' endpoint security products against each other and names a winner.
	The 8 Steps Behind The Massive $45M Cyber Bank Heist More than $45 million was stolen from banks in the U.S. and 19 other countries in a scheme that law enforcement is calling an international conspiracy to drain millions from bank accounts using stolen debit cards and PIN numbers. Here's how they did it.
	Name Of The Game: Top 10 States For Identity Theft A Federal Trade Commission report provides statistics on identity theft and fraud complaints in 2012. Learn which state has the dubious distinction of having the most victims.
	More Slide Shows