- The New York Times / China Hack: What Really Happened and Who Really Did It?
- The New York Times reported that it has been fending off a persistent attack by hackers which coincided with its publication on October 25, 2012 of an article on the wealth of the family of China's prime minister Wen JiaBao. However that appears to be an assumption because according to Jill Abramson, nothing was taken:
- “Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,” said Jill Abramson, executive editor of The Times.
- What did the hackers actually do?
- They first accessed the network around September 13
- Installed malware that wasn't detected by Symantec's anti-virus
- They installed backdoors.
- Obtained passwords for 53 Times employees who didn't work in the Times' newsroom
- They "created custom software that allowed them to search for and grab Mr. Barboza’s and Mr. Yardley’s e-mails and documents from a Times e-mail server" but that conflicts with Ms. Abramson's above statement.
- So no customer data was stolen, and nothing about the Wen family was accessed, downloaded or copied. That's not really much of a story so far. Better add everyone's favorite bad guy - China.
- Why blame China?
- “If you look at each attack in isolation, you can’t say, ‘This is the Chinese military,’ ” said Richard Bejtlich, Mandiant’s chief security officer.
- But when the techniques and patterns of the hackers are similar, it is a sign that the hackers are the same or affiliated.
- “When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction,” he said.
- Mandiant has been tracking about 20 groups that are spying on organizations inside the United States and around the globe. Its investigators said that based on the evidence — the malware used, the command and control centers compromised and the hackers’ techniques — The Times was attacked by a group of Chinese hackers that Mandiant refers to internally as “A.P.T. Number 12.”
- What's Wrong With This Picture?
- This article appears to be nothing more than an acknowledgment by the New York Times that they found hackers in their network (that's not really news); that China was to blame (that's Mandiant's go-to culprit), and that no customer data was lost (i.e., the Times isn't liable for a lawsuit).
- I think that Mandiant does good incident response work and I know Richard Bejtlich and some other Mandiant folks to be honest, hard-working professionals however their China-centric view of the hacker world isn't always justified in my opinion. Here are a few of the reasons mentioned in the New York Times article for why Mandiant believes that China was responsible. None of them hold water.
- The Beijing Workday Argument. The hackers could have been from anywhere in the world. The timezone that Mandiant imagines as a Beijing workday could easily apply to a workday in Bangkok, Singapore, Taiwan, Tibet, Seoul, and even Tallinn - all of whom have active hacker populations.
- The Lanxiang Vocational School Argument. The article mentioned that the hackers were traced back to the "same universities used by the Chinese military to attack U.S. military contractors in the past." If memory serves, one of those was the Lanxiang Vocational School in Jinan, the capital of Shandong province and home to a PLA regional command center. Actually, Jinan is an industrial city of six million people and more than a dozen universities. IP Geolocation to one school means absolutely nothing.
- Furthermore, even if the Chinese government was involved in cyber espionage against the New York Times, it wouldn't use its military for that. It would use its Ministry of State Security (China's equivalent of the CIA). And they wouldn't be stupid enough to run the attack from their own offices, which if you're interested in checking IP addresses, is in Beijing - 274 miles from Jinan.
- The Hackers' Techniques. The article mentioned the hackers use of a Remote Access Tool (RAT). One such widely used tool is called GhostRAT. The fact that it was used in an attack against the Dalai Lama in 2008 (GhostNet) doesn't mean that all of the later attacks which used this tool originated with the same group. In fact, even the GhostNet researchers refrained from attributing this attack to China's government.
- Another tool whose use is often blamed on Chinese hackers is the "xKungFoo script". Like GhostRAT, the xKungFoo script is widely available for anyone to use so even if it was originally created by a Chinese hacker, it doesn't mean that it is used by Chinese hackers in all instances. I personally know Russian, English, and Indian hackers who write and speak Chinese.
- The Wen JaiBao Argument. Mandiant believes that the hackers gained access to the New York Times network around September 15, 2012, during the time that the Wen story was being researched. We also know that the hackers gained access to the emails of the Times Shanghai Bureau Chief David Barboza and it's South Asia Bureau Chief in India Jim Yardley. Does this mean that China was responsible? Maybe it does, but the Wen story could have been a coincidence. Check out how many stories Mr. Barboza and Mr. Yardley worked between August and December, 2012 - several dozen between the two of them.
- Asian politics and economics are pivotal in some way to every developed and developing nation in the world. And the New York Times has its finger on the pulse of that region. The list of potential culprits who could have breached the Times network for information on Asia is far longer than just China.
- Posted 16 hours ago by Jeffrey Carr
China/NYT whodunit by Jeffrey Carr
a guest Jan 31st, 2013 267 Never
RAW Paste Data