I checked the date when I read the New York Times article describing Chinese hackers infiltrating The New York Times for four months, as I wasn’t sure whether it was April 1st (April Fools’ Day) and we were being shown a practical joke, or April 13th (my birthday) and I had been given a wonderful teaching moment. According to the article, the incident response was done by Mandiant, who identified that the attacks were routed through computers at various US universities, in a pattern that matches previous attacks credited to the Chinese military. Attacking via a server based in another country lets the Chinese attempt plausible deniability.

So what happened? The current thinking is that a spear-phishing attempt led to the initial breach, and the hackers were then able to leverage that initial foothold to gain and maintain access to the New York Times internal network for four months. To quote the NYT article itself: “Security experts found evidence that the hackers stole the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees, most of them outside The Times’ newsroom.” The attacker had the corporate password of EVERY employee of the Times, and even gained access to the personal computers of 53 employees. What can I do with your corporate password? Why, read every email you have sent or received, read all the files you have saved in your ‘private’ drive on the network, and so on. For four months these attackers had the opportunity to know everything that was going on at the Times.
Not only that, but the article showed that the attackers would resume their work at 8am Beijing time every day. What does that mean? Well, for four months there was a group of people (reported to be in China) whose full-time job was to maintain access to the network at the Times and to mine the data they were able to retrieve each day, looking for anything of value. Think about that - this isn’t a smash-and-grab robbery in the middle of the night where the thieves were long gone by morning. In this case the thieves settled in and made themselves at home for four months. You never saw them, but for more than a quarter of a year they were able to see everything that you did.

I’ve referenced China in this blog post because the NYT piece strongly attributes the attack to China. When asked and shown the evidence that the hacking originated in China, China’s Ministry of National Defense said: “Chinese laws prohibit any action including hacking that damages Internet security.” By that logic, because most countries in the world have laws prohibiting the use of narcotics, that problem is solved too. Frankly, I have strong language about the logic being used here and even more about the pretense that the NYT and Mandiant are incorrect in their assessment. No one denies that major countries are engaged in physical spying, trying to at least stay abreast of what countries they consider to be an adversary (which most countries interpret broadly). Spies being publicly captured and private spy exchanges taking place between countries are commonplace, but for some reason the idea that countries are doing this electronically is shocking and denied. Perhaps it is because of the potential scale of data that can be stolen: a physical spy can only steal what he can physically see, whereas an electronic spy can steal “several terabytes of data.”
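The working-hours observation above is something a defender can look for in their own logs. As an added example (not from the original post, the NYT, Mandiant or CORE Security), the Python script below takes a handful of constructed login events in UTC, re-expresses them in a candidate time zone (a fixed UTC+8 offset standing in for Beijing, rather than a full tz database entry), and reports whether the first event of each day clusters on one hour. The log format, user name and addresses are all invented for the example.

```python
"""Working-hours pattern check over authentication logs (added example).

An intruder who keeps a regular shift leaves a timing signature: when events
are expressed in the intruder's home time zone, the first event of each day
lands on the same hour. The log lines below are constructed samples; a real
deployment would read VPN / web-mail / domain logon events from its own
log source instead of a string literal.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed offsets, not tz-database zones: UTC+8 has no DST; the US Eastern
# value below is standard time only, which is correct for November 2012.
BEIJING = timezone(timedelta(hours=8))
US_EASTERN_STANDARD = timezone(timedelta(hours=-5))

# Constructed sample events (UTC). One malformed line is included on purpose.
SAMPLE_LOG = """\
2012-11-05T00:02:13Z login_ok user=jdoe src=203.0.113.40
2012-11-05T03:47:01Z login_ok user=jdoe src=203.0.113.40
2012-11-06T00:05:44Z login_ok user=jdoe src=203.0.113.41
2012-11-06T09:12:09Z login_ok user=jdoe src=203.0.113.41
this line is not a login record and is skipped
2012-11-07T23:58:30Z login_ok user=jdoe src=203.0.113.40
2012-11-08T00:01:12Z login_ok user=jdoe src=203.0.113.40
2012-11-08T00:03:55Z login_ok user=jdoe src=203.0.113.40
2012-11-08T08:30:00Z login_ok user=jdoe src=203.0.113.40
2012-11-09T00:00:41Z login_ok user=jdoe src=203.0.113.42
"""

# Hypothetical log layout for the sample: "<ISO-8601 UTC> login_ok user=<u> src=<ip>"
LINE_RE = re.compile(r"^(\S+)\s+login_ok\s+user=(\S+)\s+src=(\S+)$")


def parse_events(text):
    """Return (timestamp, user, src) tuples; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3)))
    return events


def first_activity_hours(events, tz):
    """Map each local calendar date (in tz) to the hour of that day's earliest event."""
    first = {}
    for ts, _user, _src in events:
        local = ts.astimezone(tz)
        day = local.date()
        if day not in first or local < first[day]:
            first[day] = local
    return {day: t.hour for day, t in first.items()}


def shift_signature(events, tz, tolerance=1, min_days=3, threshold=0.8):
    """Report whether daily start times in tz cluster on one hour.

    consistent is True when at least `threshold` of the observed days begin
    within `tolerance` hours of the most common start hour.
    """
    hours = first_activity_hours(events, tz)
    if len(hours) < min_days:
        return {"consistent": False, "reason": "too few days", "days": len(hours)}
    modal_hour, _count = Counter(hours.values()).most_common(1)[0]
    within = sum(1 for h in hours.values() if abs(h - modal_hour) <= tolerance)
    share = within / len(hours)
    return {"consistent": share >= threshold, "start_hour": modal_hour,
            "share": share, "days": len(hours)}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("UTC+8 :", shift_signature(evs, BEIJING))
    print("US-EST:", shift_signature(evs, US_EASTERN_STANDARD))
```

Run as-is, the same nine events yield a consistent 8am start in UTC+8 and scattered start hours in US Eastern time; that contrast is what makes the pattern visible. A consistent signature is a pivot for investigation (which accounts, from which source addresses, at what hours), not evidence on its own, and the fixed-offset zones should be replaced with proper tz database entries when the period under review crosses a DST change.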
Given that CORE Security created the first commercial penetration testing product that enabled you to replicate an attacker attempting to gain access to a remote network via an email-borne attack, and then leverage that initial entry point into access to the entire internal network, you shouldn’t be surprised that I get frustrated when people find these kinds of capabilities surprising or new. However, I cannot advocate strongly enough the need for security awareness training within your environment. It will not protect you from every attack, but it will make the attackers have to work for it.

So where am I going with this? Well, unfortunately, the fact that I am blogging under a corporate tag prevents me from expressing my expectations of what a country should do when its economy and citizens are under attack – but needless to say, it is proactive. Come find me at a conference and hear my full opinion. In the meantime, always assume you are under attack, prepare your defenses, and then test them to find any gaps.