After the New York Times took four months to repel an attack by Chinese hackers, data security experts tell Channel 4 News it marks a trend towards cyber espionage in the “third era” of cyber crime.
When the New York Times published an investigation into the $2.7bn amassed by the Chinese premier Wen Jiabao, the publisher must have had an inkling it had hit a raw nerve.
Access to the site was promptly blocked in China – both English and Chinese editions – on 25 October, the day of publication.
Then, on 30 January this year, the newspaper announced that it was hacked in the lead-up to the investigation – and it took four months to successfully get rid of the attackers and keep them out. The email accounts of both reporter David Barboza, who authored parts of the investigation, and the paper’s south Asia bureau chief, were singled out for hacking.
This kind of “spear phishing” attack, where hackers send targeted emails which look like they are from a colleague or friend, is nothing new. For the cloud security company Trend Micro, 94 per cent of attacks they deal are a result of it.
But whereas they used to be aimed at making money, from credit card fraud for example, now the purpose is to steal data.
“There do appear to be more and more reports of hackers breaking into organisations, not to make money, but actually to steal information,” Graham Cluley, Sophos senior technology consultant, told Channel 4 News. “This is the third era of cyber crime”.
It’s a lot cheaper that parachuting a James Bond character in. It’s very hard to prove who is behind this, and it’s very easy to hide your true location. Graham Cluley, Sophos
The New York Times in this case lays the blame squarely at the Chinese government, because it “closely matched the pattern of earlier attacks traced to China,” such as the attack on Google in 2010 and the Gmail accounts of Chinese human rights activists.
This did not go down very well. “Chinese laws prohibit any action including hacking that damages internet security,” an official said, adding that the accusation, without solid proof is “unprofessional and baseless”.
Read more: China admits cyber warfare unit
But even if it was behind the attack – which the motive and the hacking pattern suggest – China is by no means the only country to embrace malware.
Intelligence agencies around the world have done so: the stuxnet attack on Iran in 2010, for example, which marked a sea change in the use malware software as the first weapon made out of computer code, appears to have been written by the United States and Israel.
“The truth is, you never know who is behind it,” says Mr Cluley – precisely the reason why these kind of attacks are so favoured. “It’s a lot cheaper than parachuting a James Bond character in. It’s very hard to prove who is behind this.”
It is also easier to hide: “The beauty of malware is that it isn’t always obvious that it’s been stolen,” adds Mr Cluley. “If you copy database, or 20GB of emails, it hasn’t actually disappeared from the computer.”
What marks out the Times attack, The Register’s security correspondent John Leyden told Channel 4 News, is that it was “better disguised and more ambitious”. It reached the NYT via computers at US universities, which the publishers’ security analysts said was an attempt to cover up the fact it came from China, and it was targeted at everyone in the news organisation.
And it shows how difficult it is to guard against spear phishing. Attackers can send hundreds of spear emails over weeks and months, but all they need is one click from one user to get their foot in the door. At the New York Times, attackers installed 45 pieces of custom malware in three months – during that time there was just one instance where its anti-virus software identified an an attack as malicious and quarantined it.
“We used to try and design security,” Rik Ferguson, VP of security research at Trend Micro, told Channnel 4 News. “The purpose was to keep the bad guys out. We would say, ‘I’m going to build such a big castle that bad guys can’t get in’.
“Now, you have to live with knowledge that you will be hacked. You must accept it will happen, and then deploy resources…so that you’re aware of what happened.”