Why the Times let hackers stay awhile
Last week's disclosure by The New York Times that Chinese hackers had infiltrated its computer systems offers a sharp lesson in cyber defense. Instead of kicking out the hackers when they were first discovered, the company kept an eye on them long enough to follow their trail, writes Antone Gonsalves at CSO magazine.
During a four-month attack, the hackers installed a great deal of malware on the Times' computers, most of which went undetected by the company's antivirus program. The hackers stole passwords of reporters and other employees as the paper was preparing to publish an investigative article on business deals that reaped China's prime minister billions of dollars.
The Times learned in September that it could be the target of hackers, and asked its ISP to be on the lookout for strange activity in outbound traffic. When AT&T (NYSE: T) reported unusual activity, the paper opened an investigation. A spear-phishing attack is believed to have given the hackers their entrée, after which they installed remote access tools to take data.
By monitoring the hackers' activity before shutting them out, the paper was able to gather important information. For one, it could see whether the hackers were infiltrating from more than one access point. Also, it was able to determine that the hackers' main goal may have been to find out who was giving reporters information for the investigative article.
- see Antone Gonsalves's post at CSO