By Shyam Sankar and Gabe Rosen
The Internet is the new Wild West, a frontier big enough for every pioneer and outlaw to roam free. Today, The New York Times revealed that hackers in China had spent the last four months infiltrating its computer systems and pilfering employee passwords. As in the old West, it’s not a question of if you’ll be hit — but when and how. Online, primitive DDOS attacks rain down like arrows, while artful hackers can steal the data equivalent of 5,000 head of cattle before any breach is detected. There’s no choice but to defend the homestead as best you can – and retreating to civilization is no longer an option.
According to Mandiant, the infosec firm that conducted the investigation, the Times was first compromised on September 13. The attackers established at least three backdoors and installed 45 pieces of malware, only one of which was detected by Symantec security software. After two weeks, the attackers found the domain controller that contained all staff passwords. Times executive editor Jill Abramson maintains there is “no evidence that sensitive emails or files” were accessed, yet the investigation found that the attackers “created custom software that allowed them to search for and grab [Times journalists] Mr. Barboza’s and Mr. Yardley’s e-mails and documents.”
As the TED Blog recently recounted, we know a bit about this sort of thing at Palantir. Our platform was used to investigate “GhostNet”, a Chinese cyber espionage network. In 2008, an unnamed country received an email from China warning them not to host the Dalai Lama for a scheduled visit. The email was startling because this visit was not public knowledge. The country sought to find out how this sensitive information had been leaked. Not only the Dalai Lama’s personal computer been hacked, but 1,300 computers across the globe had been infected in the same way. This network had been operating for two years without notice.
Naturally, when we heard about The New York Times hack today, we looked for parallels. The Dalai Lama’s office was infiltrated by “spear phishing” — where hackers research a person and create an email, with an attachment, that looks like it came from a confidant. Spear phishing is suspected, though not confirmed, in the Times attack. Like GhostNet, the Times attackers covered their tracks through intermediaries in numerous countries, and employed remote access tools (RATs) and malware. The attacks also appear related to Chinese political sensitivities, though the exact loyalties in play are murky.
While it’s important to resist easy conclusions, Occam’s razor and common sense shouldn’t be ignored. The difficulty is that positive attribution is rare in cyber warfare, so when something looks like the work of someone who was never actually identified, it may not be exceptionally meaningful. As open-source sleuth Jeff Carr points out, there are several doubts. Beijing’s time zone includes numerous other cities. The attacks were ultimately traced to Chinese IPs, though their geo-locations encompass millions of people. The attackers used RATs, but these are widely available and hardly confined to China. According to Richard Bejtlich, Mandiant’s chief security officer, “When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction.” Given the vast spectrum of potentially interested parties, it’s a very general direction – but it’s a start nonetheless.
The lack of clear answers notwithstanding, Mr. Bejtlich is certainly correct that cyber defense “requires an internal vigilance model.” You have to sleep with one eye open, and preoccupation with one mode of attack leaves you vulnerable to others. As in the old West, it’s essential to make common cause with your neighbors, however distant. During the recent spate of suspected Iranian DDOS attacks, two global Top 20 banks shared threat data in real time with each other as well as US law enforcement, and collaboration across public/private lines is essential to countering the matrix of state and non-state combatants.
Above all, we need to adopt a Wild West approach of our own. The sheriff’s only hope is to become as swift, resourceful, and adaptive as the outlaws.
Shyam Sankar is the Director at Palantir Technologies. He gave the TED Talk “The rise of human-computer collaboration” at TEDGlobal 2012, as well as the talk embedded above at TED2010. Gabe Rosen works in Business Development at Palantir.