Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


NYT, WSJ Hacks Scrutinized By Security Community

China is again being blamed, but security experts criticize the lack of evidence, call on the media outlets to release full details of the attacks.

Chinese hackers breached the network of the The Wall Street Journal as part of what's been dubbed a broader "cyberspying" campaign against U.S. media.

The Journal discovered the breach after being notified by the FBI that it had seen data that appeared to have been stolen from the Journal's Beijing bureau. After the Journal hired a firm to conduct a digital forensic investigation, it found that the newspaper's systems had been breached -- first in Beijing, and then globally.

The Journal's self-published account of the attacks failed to specify the length of time that attackers might have had access to the paper's network. Instead, the story made general allusions to an FBI investigation into media hacking incidents, which began more than a year ago, and is being treated as a national security matter. Likewise, the newspaper's account made general reference to the fact that many security experts believe that "a foreign entity" has been attempting to compromise U.S. companies' security.

[ How do you define cyber warfare? Read Uncertain State Of Cyber War. ]

The Journal also noted that investigators hadn't been able to identify all of the Journal information that attackers may have accessed. After discovering the breach and watching what information attackers accessed, however, the investigators hired by the Journal said the targets appeared to be a handful of journalists in its Beijing bureau, including the bureau chief.

"Evidence shows that infiltration efforts target the monitoring of the Journal's coverage of China and are not an attempt to gain commercial advantage or to misappropriate customer information," said Paula Keve, a spokeswoman for Journal publisher Dow Jones, which is part of News Corp., in a written statement Thursday.

The Journal's Thursday story that it had been the victim of a sustained hacking effort, seemingly aimed at amassing intelligence about the stories that the paper was writing -- and likely the identity of reporters' Chinese sources, mirrors a Wednesday story published by the The New York Times, which said it, too, had been the victim of a sustained hacking campaign that sought information, rather than business secrets.

Is the Chinese government behind the attacks? Multiple China watchers have hypothesized that the attacks may have been an effort by Chinese officials to try and manage the country's global image.

But Chinese government officials have denied having any part in the hacking. "It is irresponsible to make such an allegation without solid proof and evidence," Chinese Embassy spokesman Geng Shuang said, according to the Journal. "The Chinese government prohibits cyberattacks and has done what it can to combat such activities in accordance with Chinese laws."

But chief research officer at F-Secure Mikko Hypponen thinks China was likely involved. "I believe the attack against New York Times did genuinely come from China as a reaction to their reporting," he told TechWeekEurope. "It might be impossible to prove that, though."

The Times and Journal reporting has provoked skepticism -- and not just about the supposed Chinese tie -- from multiple security experts, with Robert David Graham, CEO of Errata Security, criticizing the Times' account of how the Times was hacked, saying it "contains no content" about the actual hacking. "It may be true that the NYTimes was targeted by the Chinese government, but the story cites no credible evidence supporting that conclusion," he said in a blog post. "What the story does cite is the conclusion from 'security expert.' But it waves hands over which specific expert made which specific claim. It's hard judging who they are, their expertise or the evidence that leads them to make that conclusion."

Noting that the story also contained a number of inaccuracies on the information security front, he called on the Times to come clean and publish everything it knows. "Dump the password hashes the hackers stole, the exact malware samples, the list of proxy IPs and so on. Then, instead of having to take the 'expert's' word, we can look at the raw data ourselves," he said.

One fact that's not been disputed was the apparent malware-blocking success rate -- just 2% -- experienced by the Times against its advanced persistent threat (APT) attackers. That squares with a study recently published by security firm Imperva and the Technion Israeli Institute of Technology, which found that most antivirus software detects about 5% of new malware, though it can take approximately four weeks before in-the-wild malware gets spotted. "Although vendors try to update their detection mechanisms, the initial detection rate of new viruses is nearly zero," according to the study. "We believe that the majority of antivirus products on the market can't keep up with the rate of virus propagation on the Internet."

The Times hasn't come clean about what security strategies it previously had in place, although a statement released by its antivirus vendor, Symantec, suggested that the Times relied on little more than signature-based antivirus products. On a related note, the Times' account of the hacking published Wednesday said that the paper had recently overhauled its security infrastructure. Meanwhile, the Journal's hacking story said that paper had finished a network security overhaul Thursday.

Based on the breaches, "here's the message for security: rebalance the security portfolio," said Rob Rachwald, director of security strategy at Imperva, in a blog post. "Use free antivirus and spend some money modernizing your security strategy."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
Andrew Hornback,
User Rank: Apprentice
2/5/2013 | 6:11:54 AM
re: NYT, WSJ Hacks Scrutinized By Security Community
Now, hold on, wait a minute...

A breach at a media outlet is a "national security matter" - since when? Does the WSJ have access to state secrets or is this simply an over-dramatization (which one certainly wouldn't expect from the WSJ)?

If China is behind this and possibly looking to prosecute sources, are there any American lives in danger? Why hasn't the State Department and CIA been engaged?

One has to wonder about the push behind the sensationalism... smokescreen for something else? Conspiracy theories anyone?

Andrew Hornback
InformationWeek Contributor
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
2/4/2013 | 10:21:22 PM
re: NYT, WSJ Hacks Scrutinized By Security Community
Hmmm. Things might get interesting now that the attackers have gone after a Rupert Murdoch property. He strikes me as the type who likes to punch back.

Drew Conry-Murray
Editor, Network Computing
User Rank: Ninja
2/4/2013 | 11:58:08 AM
re: NYT, WSJ Hacks Scrutinized By Security Community
yep, we need details. what o/s were they running ? XP ? if they were running XP, oh well. Get over it: the boat sank.
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-21
Prior to 0.10.0-beta, LND (Lightning Network Daemon) would have accepted a counterparty high-S signature and broadcast tx-relay invalid local commitment/HTLC transactions. This can be exploited by any peer with an open channel regardless of the victim situation (e.g., routing node, payment-receiver,...
PUBLISHED: 2020-10-21
Prior to 0.11.0-beta, LND (Lightning Network Daemon) had a vulnerability in its invoice database. While claiming on-chain a received HTLC output, it didn't verify that the corresponding outgoing off-chain HTLC was already settled before releasing the preimage. In the case of a hash-and-amount collis...
PUBLISHED: 2020-10-20
Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
PUBLISHED: 2020-10-20
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.
PUBLISHED: 2020-10-20
Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.