New York Times Hack Puts Antivirus on Defensive

The big news this morning is the New York Times’ scoop on…well…itself. According to a report in today’s paper, the Times’s computer network was compromised for more than four months by attackers believed to be located in China.

[Photo: The New York Times Building] The Times says hackers based in China compromised its network after critical reports on senior Communist Party members.

The attacks followed a Times exposé on the wealth accumulated by family members of China’s prime minister, Wen Jiabao – one of a series of reports in Western media outlets that raised questions about corruption and influence peddling in China’s ruling Communist Party. Attackers planted 45 pieces of information-stealing malware on Times systems, despite the presence of antivirus software from Symantec Corp. protecting those systems before, during and after the hack.

The story is fueling debate about the value of anti-virus software and has prompted Symantec to issue a statement defending its technology, while warning that signature-based antivirus is not enough to stop sophisticated attacks.

According to the Times report, the attacks used compromised systems on U.S. university networks as a staging ground for their assault on the Times. Though the exact infection mechanism isn’t known, experts at the firm Mandiant who investigated the incident said that spear phishing attacks were probably used to plant malware on the Times’s network and, ultimately, to compromise a domain controller containing the account names and passwords for every New York Times Co. employee. Reporters and editors who worked on the Wen Jiabao story were then targeted in follow-on attacks that gained access to their personal and work computers and e-mail accounts.

The Chinese government denied having any role in the attacks. However, the Times report notes that the attackers seemed most active during business hours – Beijing time – and showed little interest in data unrelated to the Wen story. Many of the 53 employees who were hacked had links to the Wen report, the Times said.

Of particular interest to the attackers were the e-mail accounts of the Times’ Shanghai bureau chief, David Barboza, whose byline was on the reports on Mr. Wen’s relatives, and Jim Yardley, The Times’s South Asia bureau chief in India, who had also worked as bureau chief in Beijing. The attackers used custom malware to harvest e-mail and other communications related to Barboza and Yardley, the report said.

The Times also had harsh words for Symantec, the anti-malware vendor it used to protect its corporate systems. Symantec flagged only one of the 45 malicious programs used in the attack, the report said.

In a statement released on Thursday, Symantec pointed the finger back at the Times which, it suggested, hadn’t used all the capabilities of Symantec’s product.

“Advanced attacks like the ones the New York Times…underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions,” the company said. “The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone is not enough in a world that is changing daily from attacks and threats.”

The story is bound to add fuel to a long-running debate about the utility of anti-virus software. Customers have long complained that the software is good for catching known threats, but misses new malware and even subtle variations of known viruses. The Times report doesn’t name the malware used in the attack on its employees, but says it was a strain “associated with computer attacks originating in China,” while the staging servers used to compromise the Times were also used in similar attacks on U.S. military contractors.

Malware authors and cybercriminal groups use a number of tricks to evade detection by antivirus software. Even minor changes to an executable alter its “signature,” throwing off anti-virus clients that match on exact hashes or byte patterns. And most sophisticated online crime groups test their wares against the latest versions of major AV platforms before deploying them, ensuring that they’ll go unnoticed.