As of August, the New York Times (NYT) and other U.S. publications had fallen victim to cyber attacks. The FBI is investigating these attacks, which were likely perpetrated by Russian intelligence hackers against several reporters and journalists who work for U.S. news organizations, including the NYT.
Though the NYT reported that the hacks did not actually compromise its data this time, it is clear that other attempted intrusions into the famed New York newspaper’s network, by Chinese hackers in particular, have been successful.
Absent specifics about how the hackers tried to retrieve emails and data from the NYT, let’s look at some probable avenues of attack and the security measures that address them.
The NYT hack
The malware attacks on email could well have been the same as, or similar to, what hackers used in the DNC hack, which was very advanced, complex, and difficult to detect until the hackers themselves disclosed the attack and what they had found. Because the NYT office was in Moscow, Russia, local hackers could easily have provided reporters with compromised networking equipment, including routers, making it easy for them to snoop on reporters’ emails.
Russian hackers could also have listened in using hardware inside the Russian telecom companies that carried the reporters’ emails. They could even have compromised reporters’ logon credentials through phishing attacks and compromises of VPN software.
How press organizations and others can avoid the same fate
The malware the hackers used in the DNC hack included XTunnel, which enabled outbound connections from the DNC network to Command and Control (C&C) servers that the Russian hackers operated. XTunnel was new malware, designed and written specifically for these attacks; initially there were no anti-virus or anti-malware signatures for it.
The kind of attack scenario used here calls for fine-grained inspection of outbound traffic as well as behavior-based protections, which work even when no malware signatures exist.
Outbound network security controls include IDS/IPS, Domain Name System (DNS) monitoring, logs, and web proxies. IDS/IPS can detect the outgoing traffic that Remote Access Trojans (RATs) send and outbound connections to command and control servers. IT security teams can add DNS protections that detect and block malware that automatically cycles through recurring sequences of domain names.
Monitoring the logs of centralized authentication systems lets IT security spot abnormal logon behavior, such as many failed logon attempts in a short period of time and people logging in at times when they typically would not. Web proxies let security teams decrypt and inspect outbound HTTPS traffic that could be part of an attack.
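The two log-based signals described above (DNS lookups that cycle through random-looking domain names, and authentication logs showing failed-logon bursts or off-hours logins) can be checked with a small amount of detection logic. The following is an added example written for this article, not code from the NYT, the DNC investigation, or any product; the log formats, hostnames, users, addresses and thresholds are all constructed for illustration.

```python
"""Toy detection logic for three signals discussed in the article:
failed-logon bursts and off-hours logins in authentication logs, and
DGA-style lookups in DNS logs.  Every log line below is a constructed
sample in a hypothetical 'timestamp key=value ...' format, not real data."""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (hypothetical format).
AUTH_LOG = """\
2016-08-22T09:02:11 host=vpn1 user=alice result=SUCCESS src=10.0.0.5
2016-08-22T09:03:40 host=vpn1 user=bob result=SUCCESS src=10.0.0.7
2016-08-22T14:10:09 host=vpn1 user=bob result=FAILURE src=10.0.0.7
2016-08-22T14:10:25 host=vpn1 user=bob result=SUCCESS src=10.0.0.7
2016-08-22T23:14:02 host=vpn1 user=carol result=FAILURE src=203.0.113.9
2016-08-22T23:14:05 host=vpn1 user=carol result=FAILURE src=203.0.113.9
2016-08-22T23:14:09 host=vpn1 user=carol result=FAILURE src=203.0.113.9
2016-08-22T23:14:12 host=vpn1 user=carol result=FAILURE src=203.0.113.9
2016-08-22T23:14:16 host=vpn1 user=carol result=FAILURE src=203.0.113.9
2016-08-22T23:14:21 host=vpn1 user=carol result=FAILURE src=203.0.113.9
2016-08-22T23:15:40 host=vpn1 user=carol result=SUCCESS src=203.0.113.9
2016-08-23T03:21:00 host=vpn1 user=alice result=SUCCESS src=198.51.100.4
"""

# Constructed DNS query log (hypothetical format).
DNS_LOG = """\
2016-08-22T10:00:01 client=10.0.0.5 query=www.nytimes.com rcode=NOERROR
2016-08-22T10:00:03 client=10.0.0.5 query=www.nytimse.com rcode=NXDOMAIN
2016-08-22T10:00:04 client=10.0.0.7 query=mail.example.com rcode=NOERROR
2016-08-22T10:00:09 client=10.0.0.9 query=k3x9qwz7mbv2.net rcode=NXDOMAIN
2016-08-22T10:00:10 client=10.0.0.9 query=p8trn4ydh6ls.com rcode=NXDOMAIN
2016-08-22T10:00:11 client=10.0.0.9 query=zq5wj1cvx3ue.org rcode=NXDOMAIN
2016-08-22T10:00:12 client=10.0.0.9 query=m7hg2kbt9rxa.net rcode=NXDOMAIN
2016-08-22T10:00:13 client=10.0.0.9 query=f4ncd8ypl0vw.com rcode=NXDOMAIN
2016-08-22T10:00:14 client=10.0.0.9 query=b2kqs6zmt5xj.biz rcode=NXDOMAIN
2016-08-22T10:00:15 client=10.0.0.9 query=www.google.com rcode=NOERROR
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Turn each 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(KV.findall(rest))
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Return {(user, src): count} for pairs with at least `threshold`
    FAILURE results inside some sliding window of length `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAILURE":
            failures[(ev["user"], ev["src"])].append(ev["ts"])
    flagged = {}
    for key, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= threshold:
                flagged[key] = max(flagged.get(key, 0), in_window)
    return flagged


def off_hours_logins(events, work_start=7, work_end=20):
    """Return successful logins whose hour lies outside [work_start, work_end)."""
    return [ev for ev in events
            if ev["result"] == "SUCCESS"
            and not work_start <= ev["ts"].hour < work_end]


def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_suspects(events, min_entropy=3.0, threshold=5):
    """Return {client: count} for clients with at least `threshold` NXDOMAIN
    answers whose second-level label looks random (entropy >= min_entropy).
    A single typo (nytimse) stays below the bar; a burst of random names does not."""
    counts = defaultdict(int)
    for ev in events:
        labels = ev["query"].split(".")
        sld = labels[-2] if len(labels) >= 2 else labels[0]
        if ev["rcode"] == "NXDOMAIN" and shannon_entropy(sld) >= min_entropy:
            counts[ev["client"]] += 1
    return {c: n for c, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    auth = parse(AUTH_LOG)
    print("failed-logon bursts:", failed_logon_bursts(auth))
    print("off-hours logins:", [(e["user"], e["ts"].isoformat())
                                for e in off_hours_logins(auth)])
    print("DGA suspects:", dga_suspects(parse(DNS_LOG)))
```

The thresholds (five failures in two minutes, a 07:00 to 20:00 working day, an entropy bar of 3.0 bits, five random-looking NXDOMAIN answers) are deliberately simple; in a real deployment they would be tuned per user population and baselined against normal traffic, and a single typo or one late-night login would generate an alert only in combination with other signals.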
In the case of the NYT, hackers could have programmed compromised or hostile networking equipment to read the source and destination network addresses and route the packets to a hostile computer, enabling them to read reporter emails and documents.
VPNs provide encrypted connections that let data move safely through hostile networking equipment. But patch VPN software vulnerabilities as soon as possible, because hackers can bypass the encryption by exploiting those flaws.
To avoid letting hackers in through the front door, use the best anti-phishing protections to keep them from capturing your users’ logon credentials.