Microsoft Subnet An independent Microsoft community View more

Chinese hackers use compromised USA university computers to attack us

The New York Times, Wall Street Journal and Twitter were all recently hacked. The Chinese and other attackers continue to leverage compromised computers within the U.S. for those attacks, using them as proxies while trying to hide and hop IPs.

Let's say you have your email locked down so that it does an excellent job of identifying spam; people and businesses have their own folders or labels. Let's also say you have a rapid-fire delete finger for any email that doesn't fit nicely into the categories above. If an email goes into its corresponding folder and appears to come from a "trusted source" - be it a family member, business associate, corporation, or friend - would you open it? If it contained a document or a .PDF invoice, would you open it? If it included a link, would you click on it? Most folks would because it's "trusted," but that is a simplified description of "spear-phishing." When the New York Times announced that Chinese infiltrated its systems, NYT Chief Security Officer Michael Higgins said, "Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your e-mail account and you're opening it and letting them in."

Apparently, if you investigate and write about some drama in China, then you are a target. Unless you've been cut off from the Internet, then you probably know that after the New York Times went public about being hacked, the Wall Street Journal admitted it was also targeted by Chinese hackers. Journal publisher Dow Jones & Co. said "that the paper's computer systems had been infiltrated by Chinese hackers, apparently to monitor its China coverage."

Both the NYT and WSJ attacks were mentioned on the Twitter blog before users were told to change their Twitter password. "Our investigation has thus far indicated that the attackers may have had access to limited user information - usernames, email addresses, session tokens and encrypted/salted versions of passwords - for approximately 250,000 users." Twitter Director of Information Security Bob Lord added, "This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."

The New York Times detailed the attack, including how "hacker teams regularly began work, for the most part, at 8 a.m. Beijing time." You might be interested in checking out what time that is for you: When it's 8:00 AM in Beijing, then it is 7:00 PM EST, 6:00 PM CST, 5:00 PM MST and 4:00 PM PST.

Mandiant, the security firm that the Times hired, called this Advanced Persistent Threat (APT) "APT Number 12." The attack on the Times continued for four months. Mandiant's experts believe that the Chinese attackers used university computers as proxies and consistently hopped IP addresses in attempts to "hide the source of the attacks." We've seen this exact song and dance for years, when compromised PCs in the USA are used against us. Mandiant's investigators said, "To run their Times spying campaign, the attackers used a number of compromised computer systems registered to universities in North Carolina, Arizona, Wisconsin and New Mexico, as well as smaller companies and Internet service providers across the United States."

"There are thousands of computers compromising the United States at universities, at Mom and Pop shops - small organizations without a big cyber security program - and those computers serve as the beachhead to hack blue-chip American companies," Kevin Mandia, the chief executive of Mandiant, told CNN. Of the hundreds of successful Chinese attacks on organizations, over 90% of the victims that Mandiant has helped "really don't disclose that these attacks occur for fear of losing customer trust."

Over the course of three months, attackers installed 45 pieces of custom malware to spy on the New York Times. "Security experts found evidence that the hackers stole the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees, most of them outside The Times's newsroom." Symantec anti-virus caught one deemed "malicious," about which Symantec said, "Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough."

In 2012, Reuters news service was hacked twice and Bloomberg admitted it too was targeted by Chinese hackers. The Wall Street Journal reported, "The U.S. Federal Bureau of Investigation has been probing media hacking incidents for more than a year and considers the hacking a national-security matter." However, the Times said that the FBI reportedly helped seal systems after a 2011 breach at the United States Chamber of Commerce. "But months later, the chamber discovered that Internet-connected devices - a thermostat in one of its corporate apartments and a printer in its offices - were still communicating with computers in China."

Folks often ignore the hacking threat to printers, but seriously how many of us would think about a malware-infected thermostat? Welcome to the Internet of Things where everything is connected online.

According to the New York Times, which gives much more detail about the attack than WSJ did:

To get rid of the hackers, The Times blocked the compromised outside computers, removed every back door into its network, changed every employee password and wrapped additional security around its systems.

In the last press meeting as Secretary of State, Hillary Clinton said that the Chinese "are not the only people who are hacking us." It's no surprise the Chinese denied that Beijing backs cyberattacks, but CNN stated that one report claimed that one in every three computer attacks in the third quarter of 2012 comes from China.

Even though Oracle has rushed out a Critical Patch Update that contains 50 new security fixes across Java SE products, it seems that if you eliminate one security hole, then attackers reach into their pocket and pull out another. We saw that with the espionage hacker gang 'Elderwood,' which reportedly has 'an unlimited supply of zero-day vulnerabilities.' From checking email and avoiding spear-phishing, to drive-by-downloads when cyber-surfing, be careful out there.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies