NYT attack offers hints for other CIOs facing threats


By Frank Hayes

The months-long Chinese cyberattack on the New York Times has already been widely reported, but the level of detail in the newspaper's own reporting on the incident should be useful to CIOs at other companies facing potential security threats. That includes the fact that the company initially underestimated the problem, then eventually seemed to overreact to it, according to reporter Nicole Perlroth.

The Times asked AT&T, its network provider, to monitor for suspicious activity starting on Oct. 24, the day before a news story critical of Chinese prime minister Wen Jiabao was scheduled to appear. But a later forensic analysis determined that hackers had already broken in on Sept. 13, six weeks earlier. "They set up at least three back doors into users' machines that they used as a digital base camp," the newspaper reported. By the time AT&T was called in, the attackers had already stolen the corporate password hashes for every Times employee and cracked them.

But it wasn't until Nov. 7, nearly eight weeks after the initial intrusion, that the company brought in security specialist Mandiant to investigate. The overreaction? Eventually the company said it "replaced every compromised computer," removed the back doors from its network, changed every employee password and blocked the compromised computers at universities and other outside organizations that had been used in the attacks. Given that the PCs of at least 53 Times employees were accessed, replacement sounds extreme, especially since wiping the hard drives and doing a clean reinstall of the software would usually suffice. In practice, though, replacement has advantages.

The Times never determined exactly how the attackers got a foothold in its networks, but it suspects spear-phishing, in which e-mails carrying malware, or links to it, are sent to specific employees. Once a PC is infected, the malware can collect large amounts of information about the machine, including hardware details such as MAC addresses, that might make future attacks and reinfection easier: a wiped and reimaged machine still carries the identifiers the attackers already recorded, which is one reason replacing it outright is less extreme than it sounds. Such future attacks are likely.

"Once they take a liking to a victim, [attackers] tend to come back," said Richard Bejtlich, Mandiant's chief security officer. "It's not like a digital crime case where the intruders steal stuff and then they're gone. This requires an internal vigilance model."
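The monitoring AT&T was asked to do and the "internal vigilance" Bejtlich describes both come down to noticing a back door that phones home on a schedule, which is something a proxy or firewall log can reveal long before forensics does. As an added example that is not code from the Times, AT&T or Mandiant, the Python below flags beacon-like regularity in a constructed proxy log; the log format, host names, addresses and the thresholds are all assumptions for illustration.

```python
# Added illustration of beacon detection over proxy logs; not code from the
# Times, AT&T or Mandiant. Log format, hosts, addresses and thresholds are assumed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real incident data): "timestamp src dst bytes".
# 10.1.4.22 reaches newsroom-cdn.example.net every ~10 minutes with near-constant
# size, the pattern a polling back door leaves; the mail traffic is irregular.
# Lines are deliberately not all in time order, as collected logs often are not.
SAMPLE_LOG = """\
2012-09-14T08:00:03 10.1.4.22 newsroom-cdn.example.net 5120
2012-09-14T08:00:04 10.1.4.22 mail.example.net 880
2012-09-14T08:10:01 10.1.4.22 newsroom-cdn.example.net 5088
2012-09-14T08:12:40 10.1.4.22 mail.example.net 23110
2012-09-14T08:20:05 10.1.4.22 newsroom-cdn.example.net 5101
2012-09-14T08:30:02 10.1.4.22 newsroom-cdn.example.net 5099
2012-09-14T08:40:04 10.1.4.22 newsroom-cdn.example.net 5120
2012-09-14T08:51:17 10.1.4.22 mail.example.net 1200
2012-09-14T08:50:03 10.1.4.22 newsroom-cdn.example.net 5090
2012-09-14T09:00:01 10.1.4.22 newsroom-cdn.example.net 5095
2012-09-14T08:01:11 10.1.4.57 mail.example.net 4400
2012-09-14T08:33:50 10.1.4.57 mail.example.net 980
2012-09-14T08:34:02 10.1.4.57 mail.example.net 12000
2012-09-14T08:59:49 10.1.4.57 mail.example.net 700
2012-09-14T09:05:30 10.1.4.57 mail.example.net 3100
"""


def parse_log(text):
    """Turn log text into (timestamp, src, dst, bytes) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, size = parts
        try:
            records.append((datetime.fromisoformat(ts), src, dst, int(size)))
        except ValueError:
            continue
    return records


def find_beacons(records, min_hits=5, max_cv=0.2):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections: a back door polling on a fixed timer gives a low CV,
    human-driven traffic does not. min_hits and max_cv are illustrative defaults.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in records:
        by_pair[(src, dst)].append((ts, size))

    flagged = []
    for (src, dst), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()  # restore time order before measuring gaps
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged.append({
                "src": src,
                "dst": dst,
                "hits": len(hits),
                "interval_s": round(avg, 1),
                "cv": round(cv, 4),
                "mean_bytes": round(mean(s for _, s in hits)),
            })
    return sorted(flagged, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon candidate: {f['src']} -> {f['dst']} "
              f"({f['hits']} hits, every ~{f['interval_s']}s, CV {f['cv']}, "
              f"~{f['mean_bytes']} bytes each)")
```

Run against the constructed log, only the 10.1.4.22 to newsroom-cdn.example.net pair is reported; the mail traffic either has too few hits or too much jitter. On a real network the same check needs an allow-list for legitimate pollers (update services, monitoring agents) and a longer window than an hour, but the idea is the one Bejtlich is pointing at: keep looking after the clean-up, not just during it.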

For more:
- see the NYT article
