News that China (allegedly) hacked into the computer networks of two of America’s most prominent newspapers should surprise no one. Major powers have always practised major spookery, espionage is done online now and hackers generally have the upper hand.
The New York Times report of its own victimhood is a textbook case study of how an organisation gets hacked. Indeed, countless organisations have experienced the same scenario in recent years. The best-known are the Operation Aurora attacks of 2009 against Google, who went public, and dozens of others including defence contractor Northrop Grumman and tech firms Adobe, Juniper Networks and Symantec. But it’s big news this time because journalists were the targets.
The NY Times hack probably started with spear phishing. Not the dodgy-looking phishing emails spammed out by the million in an attempt to get your banking password, but something precision-targeted at each individual recipient. They’d look exactly like an email from someone the recipient trusts, about a subject of known mutual interest. An infected file, or a link to an otherwise legitimate website that’d been infected for the day, would then have planted malicious software (malware) on the recipient’s computer — malware written just for this attack, so anti-virus defences wouldn’t know it was bad.
Now under Chinese control, those computers became a basecamp from which the spies explored The NY Times network over the next four months.
The apparent targets were journalists investigating the relatives of China’s prime minister, who’ve accumulated fortunes of several billion dollars. In China, the reputation of the leader is the reputation of the state, and the intelligence services have long tried to manipulate China’s image abroad. The NY Times journalists’ emails might reveal their sources, who could then be targeted for intimidation or worse. It wouldn’t be the first time: the Operation Aurora attack on Google was in part aimed at breaking into the Gmail accounts of Chinese dissidents.
China isn’t alone here, of course. Western spooks would presumably want a heads-up on any news that might require a PR counterattack. Western and other spooks are certainly conducting espionage and even sabotage of their own. Witness the Flame espionage worm that was loose in Middle East computer networks for years before being discovered in mid-2012, or the presumed US-made Stuxnet worm that damaged Iran’s uranium enrichment program.
All this stuff is precisely the cyber espionage that we keep being told to be worried about. The head of the US National Security Agency, General Keith Alexander, has called it the “greatest transfer of wealth in history” — a piece of hyperbole first offered by Dmitri Alperovitch in 2011, then head of threat research for security firm McAfee, when he uncovered Operation Shady RAT, another presumed-Chinese espionage program.
While that description may be over the top, there’s certainly plenty of spookery going down online. It’s cheap, it’s effective and the attackers are winning.
Flame was billed as “the world’s most complex malware”, for example, but simple analysis suggests it can’t be. It was probably written by a team of fewer than 20 people. Western defence contractors have been hiring software engineers to develop top-secret malware by the thousands, and China by the tens of thousands.
The customisation of malware for specific targets is cheap and usually at least semi-automated. In The NY Times attack, 44 different varieties of custom malware were used. Even criminals after your credit card use each individual malware type for just minutes, tossing it before the defenders’ automated anti-virus systems learn how to detect it.
Once the bad guys have broken in, they usually have plenty of time to explore. Verizon Business’ latest Data Breach Investigation Report showed that 54% of breaches weren’t discovered until “months” after the initial attack, and another 29% took “weeks”.