There aren’t many things that count as surprises anymore in the security industry. And the news today that The New York Times was penetrated by a team of Chinese attackers who apparently had access to large amounts of employee emails for several months certainly doesn’t fall into that category. It would be news if these attackers weren’t targeting The Times and other large media companies. What’s interesting and novel is that the company decided to out itself as a victim, signing up for what may be a large dose of public scorn and derisive laughter.
There are a number of ways that one can look at The Times hack, and they run the gamut from an indifferent shrug to casual interest to some kind of outrage. The chosen response likely has a lot to do not just with your knowledge of the threat landscape, but also with your thoughts on how victims of these kinds of attacks should handle them. For most people who follow events in the security world on even a somewhat regular basis, the attack on The Times will be just another headline. Attackers from China are suspected of having run similar operations against U.S. defense contractors, military networks and dozens of large enterprises in the last few years. This is simply one more brick on the pile.
Casual observers, on the other hand, may read the story and think, How can such a large and financially successful company not have better security? It’s a version of the same question that people ask after every one of these publicly disclosed attacks: How can the Pentagon/Google/RSA get hacked?
The answer, of course, is that everyone can be hacked.
The Times was targeted apparently because of a story the paper had published that was unflattering to the Chinese government. Soon after the story ran in October, attackers began targeting the company with what turned out to be a months-long campaign in which they succeeded in stealing the corporate passwords for every employee of the paper. Quite a nice haul. But outside of the name of the victimized company, it’s not anything that would make security people sit up and take notice.
The reaction from The Times officials is what’s been quite interesting. The company didn’t simply issue a one-paragraph press release or note for investors. That might have been the route they took had the attackers gone after customer data rather than employee emails, but the nature of this attack and the way that it affected the company were somewhat unusual.
Now, one could argue that the paper took the approach that it did because it is a media company and news is news. A sexy story about Chinese APT attackers targeting Times journalists in retaliation for investigative reporting is sure to draw some eyeballs. Dole out some carefully chosen details, leave a lot of others out, and sell a bunch of papers.
Certainly The Times piece is light on the technical details of the attack, simply talking about what sounds like a typical spear-phishing attack that used compromised PCs in other organizations as staging points. That’s the way these things work, and the company didn’t break any new ground with those bits of information. But what officials at The Times may have done is show the way for other companies that find themselves in a similar situation. No longer do victimized organizations need to sit still and say nothing, hoping that the details of an attack will never come out. The days when companies are painted as negligent or careless simply for being hacked appear to be retreating.
This is a good thing. As Adam Shostack points out in his post on the attack, this could be the beginning of something new.
“Me, I believe it’s culture change, but am aware of the risk of confirmation bias. When I think back to 2008, I think the peanut gallery would have been pointing and giggling, and I think we’re over that,” he said.
I think he’s right. But there is more change needed. The Times should provide more technical details about the attacks, giving security teams at other likely targets the ability to learn from any mistakes and analyze the response from the company’s staff. Details about the initial phishing emails would be helpful as well, to give rank-and-file employees the chance to identify malicious messages and an idea of what to do about them. And maybe that will be forthcoming. But even if not, this is a good step, and seeing that The Times took that step should give other companies the courage to do likewise.