Lessons Learned from the New York Times Hack by Jody Ma Kissling

This week, news broke that the computer network belonging to one of America’s most famous publications, The New York Times, was compromised for a period of four months by Chinese attackers. While this breach was every infrastructure security team’s worst nightmare, The New York Times should be commended for publicly announcing the compromise. Now, all eyes and ears turn to what can be learned and how attacks like this can be prevented in the future.

Behind the Attack

News of the attack was first reported around midnight on January 30th. According to an article by Ars Technica, reporters from The New York Times researched and planned to write a story about the Chinese Prime Minister, Wen Jiabao, and his family. The Chinese government warned the Times that its investigation “would have consequences,” which alerted the Times to potential attacks and caused them to take extra precautions with their computer security. On October 25, 2012, the article ‘Billions in Hidden Riches for Family of Chinese Leader’ was published. That same day, AT&T alerted the Times to suspect activity occurring on its network.

The Nature of the Attack

According to Ars Technica, a Mandiant forensic investigation later determined that the attacks started a full month before the article was even published. They began on September 13, 2012, and attackers successfully operated undetected on the Times’ network for an entire month.

Malware, Botnets, Spear Phishing…Oh My!

The adversaries used 45 different pieces of malware code to execute this attack, including remote access tools that gave attackers the run of the Times’ network. The attack was initiated through a botnet composed primarily of United States university assets. From there, the network was infected with malware (likely through spear phishing efforts).

The attackers were then able to find the Windows network domain controller, obtain the Times’ user directory listing and corresponding password tables, and crack them offline. Next, a custom program was designed to breach the Times’ email server, thus opening a can of security worms for The New York Times.

Two Key Time Periods Create an Amalgamation of Security Issues

This timeline of the attack demonstrates the time that elapsed between the onset of the attack and its detection, and also the time between knowledge of the attack and its complete remediation. These two periods of time reflect the four-month window in which the attackers were able to spy on the publication. It is important to note that the attackers still had access to the network for several months after the initial discovery of the breach while the Times worked to eliminate them. The two time phases are outlined below in red.

This breach highlights a number of issues that are common to sophisticated, targeted attacks:

Traditional Security Tools were not effective

The forensic investigation conducted by Mandiant reveals that the attacks initially started as early as September 13, 2012 and successfully went undetected for an entire month. Of the 45 pieces of malware that were used in the attack, only one was reportedly detected by the traditional anti-virus software that the Times was using. Historically, people have convinced themselves that as soon as an attack begins, it will be detected by existing security measures. But today, that’s simply not the case. It’s not a matter of if your network will be attacked; it’s when, and whether or not you’re ready. Next-generation tools that provide visibility into the internal network can help uncover attacks that bypass conventional perimeter- and signature-based defenses.

Attackers with Valid Credentials

Often in breaches, attackers target credentials. In this particular case, adversaries used valid credentials of New York Times’ employees to pose as authenticated users and move beyond the perimeter to the internal network. An alarming figure from a recent Mandiant M-Trends Report: in 100% of the cases Mandiant responded to in 2011, the attacker used valid credentials. Do you have a security solution in place to address suspect user activity?

Data Exfiltration

The Times attack not only involved the exfiltration of user logins and passwords, but also other information the attackers were stealing off of computer systems on the Times network.
When data mysteriously moves out of a network from hosts that do not normally exfiltrate large amounts of information, there could be a serious problem. Fortunately, there are identity appliances such as the StealthWatch IDentity that provide 24x7 monitoring of who is on the network, and what that user is doing. With these types of measures in place, it becomes difficult to impersonate the identity of a regular network user. Should a user log on and begin to download large data files, the appropriate alarms would trigger and the security and network teams would be alerted.

Botnet Command and Control

Malware in the Times network was remotely controlled from systems on several University networks. Although these networks were not the ultimate origin of the attack, it’s unlikely that this traffic represented normal network traffic patterns at the Times. 

How can we improve this Situation?

In terms of network security, traditional antivirus and other security solutions cannot be expected to catch every single attack. This doesn’t mean that the era of the antivirus is over or that these solutions have no value. What it does demonstrate is the continued evolution of attacks and the need for other kinds of solutions to complement traditional detection systems. There is no one silver security bullet.

Network Behavioral Anomaly Detection technology can play an important role in identifying many of the behaviors evidenced in this incident. Unusual data exfiltration and botnet command and control activity often deviate from the normal behavior that is seen on a computer network. When attackers log in with valid usernames and passwords, without using exploits, behavioral profiles are often the best opportunity to detect that something isn’t right.
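The per-host behavioral profiling described above can be sketched as follows. This is an added example, not code from the original article or from any vendor product: it baselines each host's daily outbound volume and known external peers, then flags deviations. The host names, addresses (documentation ranges), byte counts and the `k`/`floor` thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (day, internal_host, external_peer, bytes_out).
BASELINE_FLOWS = [
    (1, "ws-101", "198.51.100.10", 40_000_000), (2, "ws-101", "198.51.100.10", 55_000_000),
    (3, "ws-101", "198.51.100.10", 47_000_000), (4, "ws-101", "198.51.100.10", 52_000_000),
    (1, "mail-01", "203.0.113.5", 900_000_000), (2, "mail-01", "203.0.113.5", 1_100_000_000),
    (3, "mail-01", "203.0.113.5", 950_000_000), (4, "mail-01", "203.0.113.5", 1_050_000_000),
]
TODAY_FLOWS = [
    (5, "ws-101", "198.51.100.10", 50_000_000),
    (5, "ws-101", "192.0.2.77", 2_400_000_000),    # new peer, large upload
    (5, "mail-01", "203.0.113.5", 1_000_000_000),  # large, but normal for this host
]

def build_profiles(flows):
    """Per-host baseline: median and MAD of daily outbound bytes, plus known peers."""
    daily, peers = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for day, host, peer, nbytes in flows:
        daily[host][day] += nbytes
        peers[host].add(peer)
    profiles = {}
    for host, per_day in daily.items():
        totals = list(per_day.values())
        med = median(totals)
        mad = median(abs(t - med) for t in totals)
        profiles[host] = {"median": med, "mad": mad, "peers": peers[host]}
    return profiles

def detect(profiles, flows, k=6.0, floor=10_000_000):
    """Return {host: [reasons]} for hosts deviating from their own baseline."""
    totals, seen = defaultdict(int), defaultdict(set)
    for _, host, peer, nbytes in flows:
        totals[host] += nbytes
        seen[host].add(peer)
    alerts = {}
    for host, total in totals.items():
        prof = profiles.get(host)
        if prof is None:  # host never profiled: surface it rather than skip it
            alerts[host] = ["no baseline"]
            continue
        reasons = []
        if total > prof["median"] + k * max(prof["mad"], floor):
            reasons.append("outbound volume above baseline")
        reasons += [f"new external peer {p}" for p in sorted(seen[host] - prof["peers"])]
        if reasons:
            alerts[host] = reasons
    return alerts

print(detect(build_profiles(BASELINE_FLOWS), TODAY_FLOWS))
```

The mail server moves far more data than the workstation in absolute terms but stays quiet, because each host is compared only against its own history; a single global byte threshold would either miss the workstation or alert on the mail server every day.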

Unfortunately, The New York Times is not the only organization that has been the victim of a sophisticated, targeted attack of this nature, and it certainly will not be the last, as a regular drumbeat of these kinds of incidents has been reported over the past few years. In order to combat these new and constantly evolving threats, defensive techniques need to adapt. With better network visibility, it may be possible to shorten the period of time that it takes to detect incidents like this, to understand their scope, and to fully remediate them.