The Chinese group behind the targeted attack on the New York Times was laser focused on accessing the email of a reporter and the newspaper’s former Beijing bureau chief to the point that it used an inordinate number of custom malware samples to get the job done.
“In terms of statistics, 45 [custom malware samples] as a ratio to the number of computers involved, 53, is a high ratio,” said Richard Bejtlich, chief security officer of Mandiant, the forensics firm hired by the Times to investigate the targeted attack. “Usually, you’ll see one or two for the relatively small number of systems involved.”
Bejtlich said the attackers were focused on accessing the journalists’ emails in order to learn more about the sources used in a Times article published Oct. 25 delving into alleged corruption involving prime minister Wen Jiabao and the close-to $3 billion fortune he has amassed since taking power. China has been strident in using such intrusions to monitor coverage of the country by U.S. media; the Wall Street Journal reported today that it too has been targeted by attackers from China.
Using that much malware enabled the attackers to maintain persistence within the Times network and react quickly as the Times’ IT department and incident response teams from Mandiant cut off access from particular IP addresses.
“They may have put tools on [53 computers], but there were hundreds of other machines they had access to,” Bejtlich said. “The number of machines they accessed was low because they were focused on the two individuals here.”
The reporter, David Barboza, and Jim Yardley, former bureau chief in China, both had their corporate email accounts compromised. The attackers also stole every Times employee’s corporate password in an incursion that lasted more than four months.
Executive editor Jill Abramson said no emails or files from the Jiabao story were accessed, downloaded or copied. Also, no customer data was compromised, officials said, adding that the attackers have been removed from the corporate network. The Chinese denied involvement in the attacks, a Times article today said.
Mandiant, however, has extensive experience in dealing with APT-style incursions from China and quickly pinned characteristics emanating from this attack on a particular group it had seen before. The group developed, or commissioned the development of, tools that would access the two individuals’ email accounts, as well as malware purpose-built for persistence and proliferation within the Times network, Bejtlich said.
“There’s no evidence this extended beyond the Times’ infrastructure. The credentials they had access to were domain credentials like those used for Windows domain,” Bejtlich said when asked if any personal home computers were attacked. “Home computers would not be part of that domain.”
The attacks ramped up with the Oct. 25 publication of the article; the Times said it was warned by Chinese government officials on Oct. 24 of consequences should the article be published.
The Times reached out to its carrier, AT&T, and asked to be alerted to suspicious activity on its computer network. On the 25th, AT&T said it was seeing activity that had similar characteristics to other attacks carried out by the Chinese government and military. Mandiant, which was hired Nov. 7, told the Times that compromised university computers in four states along with a handful of small business computers and ISPs were used to route the attacks to the newspaper.
As is the case with most targeted attacks, this one likely started with a spear-phishing email. Bejtlich said Mandiant has not been able to find a phishing email or site, though the company does suspect that was the initial infection vector. Likely, an employee was tricked into opening an infected attachment or clicking on a link to a malicious website that enabled the attackers to get onto the Times’ network with legitimate credentials. From there, investigators said, they were able to plant malware, including backdoors, which enabled the attackers to communicate with compromised computers.
Mandiant’s investigation concluded that the attackers were on the Times network for two weeks before finding the domain controller that managed corporate access to resources. Eventually they were able to crack Barboza’s email account and read messages and documents from the Times’ email server in an apparent attempt to get at the reporter’s sources, the article said.
Bejtlich said his company’s investigators were able to match the activity used in this attack to a particular group of Chinese attackers using a suite of indicators of compromise that Mandiant has built over the years.
“We identify systems with problems and collect forensic artifacts and match those with threat groups we’ve been tracking for years to see if they match,” he said. “We look for certain tools or command and control infrastructure that are earmarks used by certain groups. Then we’ll go through a second process to see if we can narrow that down.”
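As an added illustration of the two-step matching Bejtlich describes (this is not code from the article, Mandiant or the Times), the Python below scores host forensic artifacts against tracked groups’ known tools and command-and-control infrastructure, then narrows to groups with an infrastructure overlap; the group labels are the article’s, and every indicator, host name and address is constructed for illustration.

```python
# Added example (not from the article or Mandiant): a two-stage matcher in the
# spirit of the process described in the quote above. Group labels are the
# article's; every indicator value below is constructed, not a real IoC.
from collections import Counter

# Stage-one knowledge base: indicators previously associated with tracked groups.
# Tool names are weak evidence (tooling gets shared); C2 infrastructure is stronger.
GROUP_INDICATORS = {
    "APT 12": {"tools": {"toolA-backdoor"}, "c2": {"c2-alpha.example", "203.0.113.10"}},
    "APT 1":  {"tools": {"toolA-backdoor", "toolB-rat"}, "c2": {"c2-beta.example"}},
}

def match_groups(artifacts):
    """Stage one: count indicator hits per group across host forensic artifacts."""
    scores = {g: Counter() for g in GROUP_INDICATORS}
    for host in artifacts:
        for g, ind in GROUP_INDICATORS.items():
            scores[g]["tools"] += len(ind["tools"] & set(host["tools"]))
            scores[g]["c2"] += len(ind["c2"] & set(host["c2"]))
    # Drop groups with no hits at all.
    return {g: dict(c) for g, c in scores.items() if sum(c.values())}

def narrow(scores):
    """Stage two: keep only groups with C2-infrastructure overlap, the earmark
    that shared tooling alone cannot supply, and return the best-supported one."""
    candidates = {g: s for g, s in scores.items() if s.get("c2", 0) > 0}
    if not candidates:
        return None  # tool overlap only: no confident attribution
    return max(candidates, key=lambda g: (candidates[g]["c2"], candidates[g]["tools"]))

# Constructed artifacts from three hypothetical compromised hosts.
SAMPLE_ARTIFACTS = [
    {"host": "ws-01", "tools": ["toolA-backdoor"], "c2": ["c2-alpha.example"]},
    {"host": "ws-02", "tools": ["toolA-backdoor"], "c2": ["203.0.113.10"]},
    {"host": "dc-01", "tools": [], "c2": ["c2-alpha.example"]},
]

if __name__ == "__main__":
    stage_one = match_groups(SAMPLE_ARTIFACTS)
    print(stage_one)
    print("best match:", narrow(stage_one))
```

Both groups share the backdoor in this constructed data, so the tool hits alone are a tie; only the C2 overlap separates them.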
Mandiant labels APT groups with numbers rather than using industry-convention names such as Night Dragon. This particular group, APT 12, is very active and quietly targets companies in the United States and Europe, unlike other groups that are loud and pervasive and not necessarily as skilled, such as the Comment Crew (APT 1).
“We see them targeting hundreds of organizations, but don’t attract attention or leave much of a footprint,” Bejtlich said. Such groups act on behalf of the Chinese government, which has targeted journalists in the past in an effort to understand how the country is perceived in the West and perhaps control the sources used by the media.
“The Chinese are desperate to know what others think of them first,” Bejtlich said. “They want to know what news organizations are reporting about them. They want to access the Gmail accounts of those who support dissidents. They’ve attacked think tanks because they want to know what the think tanks are recommending for policy.”
In the meantime, the Times was unique among organizations suffering targeted attacks in that it got out in front of the story with high-level details about the attack.
“I congratulate the Times for coming forward,” Bejtlich said. “It’s more important how you manage an intrusion. Let’s get to the point where it’s not shameful to have an intrusion. I would think twice about going after an adversary such as the Times because they might tell the world.”
*New York Times building image via henrivzq‘s Flickr photostream.