First the NYT, now the Wall Street Journal: But are hacking attacks from China new?
Analysis The Wall Street Journal is the latest media titan after the New York Times to admit it was raided by Chinese hackers.
The WSJ confessed on Thursday a day after the NYT similarly blamed intruders linked to China’s military for a persistent four-month assault against its computer systems.
The attack against the NYT used a combination of spear-phishing – targeting specific individuals in a company – and customised malware. The newspaper’s observation that its Symantec-supplied protection systems only spotted one of the 45 incoming software nasties provoked a defensive statement from the antivirus maker.
As previously reported, the NYT said the attack resulted in the theft of staff passwords. It reckoned the espionage was an attempt to discover how the paper came to run an expose on outgoing Chinese Premier Wen Jiabao’s family finances. The NYT hired internet security firm Mandiant to investigate the network compromises.
The WSJ goes into less detail about the assault against its systems, but said that hackers were trying to monitor its China coverage. Journal publisher Dow Jones Co said its broadsheet’s computer had been infiltrated by Chinese miscreants and that these attacks were geared towards identifying sources for stories and information on upcoming articles.
The Journal was notified by the FBI of a potential security breach in the middle of last year and that a subsequent investigation suggested that journalists in the paper’s Beijing bureau – such as Jeremy Page and bureau chief Andrew Browne – were the targets. We’re told that the intruders gained access to the overseas office’s PCs and used them as a route to infiltrate the paper’s global computer system.
It said that the attacks were the latest in a series of assaults from China against the WSJ.
News agencies are also plagued by spies creeping in over the internet: the WSJ reports that Reuters was hacked twice in August. The newswire either doesn’t know or isn’t prepared to say who it reckons was behind the attacks. Bloomberg said it was also targeted by hackers but claims that it was able to fend off the assault.
Western organisations accuse the hackers of having strong links to China’s Communist-run government. The WSJ even quotes web security biz CrowdStrike as saying that one of the 20 Chinese hacking groups it tracks specialises in attacking the media industry.
China’s foreign ministry has angrily rejected allegations of state collusion; its top brass said any suggestion that officials masterminded cyber-incursions into major US news outlets is “groundless” and “totally irresponsible”.
“It is irresponsible to make such an allegation without solid proof and evidence,” Foreign Ministry spokesman Hong Lei said. “The Chinese government prohibits cyber-attacks and has done what it can to combat such activities in accordance with Chinese laws.”
Hong added that China itself had been the victim of hackers but declined to identify the infiltrators nor who or what they targeted within the Asian nation’s Great Firewall.
APT as easy as ABC
So-called Advanced Persistent Threat (APT) attacks against media outlets are part of a huge range of attacks against high-tech companies, government agencies, oil exploration outfits, defence contractors and so many others. And it has been going on for years.
More recently, the onslaughts have moved on from spear-phishing to planting malicious code on websites commonly visited by workers at targeted organisations – a so-called watering hole attack. This is ultimately designed to spread customised malware.
Victims of an ongoing campaign – variously codenamed Aurora, TitanRain, ShadyRAT and Night Dragon – over the years have included Google, RSA, and Coca-Cola in the US; Canada’s Nortel; Mitsubishi Heavy industries in Japan; Rolls-Royce and Royal Dutch Shell in the UK; and numerous others.
Over the years patriotic hacker groups, who choose to defend their home nation or beat up their state’s enemies, and criminals have forged alliances; this is a process thought to be facilitated by the Chinese government and in particular the Peoples’ Liberation Army.
There are various roles within such outfits including malware distributors, bot masters, account brokers and, most importantly, vulnerability researchers. The Chinese often prefer to use freelance hackers for plausible deniability, but the use of Chinese-language tools first seen in internet sorties against Tibetan activists has led computer security experts to point the finger of blame towards the Chinese government in many cases.
There’s little point in dismissing or being shocked by the New York Times attack, which is just one example of a serious ongoing problem that has provoked formal complaints by the US State department to foreign nations.
“Sophisticated, targeted attacks have changed the cyber landscape. Everybody is vulnerable to these threats – no organisation is safe,” said Rob Cotton, chief exec at infosec biz NCC Group.
“Although we can’t blame this incident purely on the antivirus software, the ongoing issue is that signature based antivirus tackles a problem that was prevalent 20 years ago but is largely irrelevant to today’s cyber threats.”
Antivirus is like ‘homeopathy for computers’
The NYT electronic break-in was a catalyst for a debate about the effectiveness of antivirus software. There are broadly three camps to this discussion: Defenders of the continuing usefulness of the technology argue that it’s necessary but insufficient. You need antivirus, and not just on the desktop, along with intrusion prevention, monitoring and other layers of protection.
The second camp argues that custom malware is always going to punch through defences so what you need is early detection of infection, and then recovery and a response to attacks. By responding quickly, organisations can minimise the effect of a breach and prevent the theft of valuable information. This approach makes a fair bit of sense when if you appreciate that attackers use an initial infection to get a foothold on a targeted organisation’s network but what they’re really after is often stored elsewhere. So thwarting so-called stepping stone attacks makes a lot of sense.
The third, and most vocal, camp argues that antivirus software is hopelessly outdated in the face of modern threats; some describe the industry as selling “blunt razor blades” or more damningly “homeopathy for computers“.
Vendors in this camp include those who advocate white-listing as an alternative to antivirus (technology that blacklists known malicious programs). However modern security software incorporates white-listing and behaviour-based detection so this argument is far from a clincher or at least it’s more complicated than it looks on the surface. ®