Thursday, January 31, 2013

Symantec Gets A Black Eye In Chinese Hack Of The New York Times

Having your email hacked and malicious software spread on your servers for months may be embarrassing. But being outed as the antivirus vendor that failed to catch the vast majority of that malware is likely more humiliating still.

The New York Times reported Wednesday that the paper has been the subject of a sophisticated attack by Chinese hackers for the last four months, following its reporting on the private wealth of China’s prime minister Wen Jiabao. The story offers a rare and detailed post-mortem of what appears to be the work of a team of well-trained infiltrators who systematically and stealthily gained access to and collected the news outfit’s private information as the paper dug into a subject perceived as highly sensitive by the Chinese government.

One fact, however, will be of particular concern to the world’s largest antivirus firm, Symantec: Out of the 45 different pieces of malware planted on the Times’ systems over the course of three months, just one of those programs was spotted by the Symantec antivirus software the Times used, according to Mandiant, the data breach response firm hired by the Times. The other 44 were only found in Mandiant’s post-breach investigation months later, according to the Times’ report.

Symantec, which sells the widely-used Norton Antivirus, declined to comment for the Times’ story, citing a policy of not speaking about clients’ cases, and the company didn’t respond to my request for comment either.

Update: A Symantec spokesperson seems to have responded in the comments below.

It may come as little surprise that antivirus programs largely fail to detect the type of custom-built malware the Times’ hackers used, as opposed to previously-seen strains of malicious software often re-deployed by less sophisticated cybercriminals. A study by the Times’ breach response firm, Mandiant, in 2010 found that only 24% of the custom malware it found on its clients’ systems had been detected by antivirus.

Another analysis, performed by the security firm Imperva along with the Technion (Israel Institute of Technology), found that antivirus managed to detect only 5% of new threats, and that it took an average of four weeks for antivirus firms to identify a new piece of malicious code. “Although vendors try to update their detection mechanisms, the initial detection rate of new viruses is nearly zero. We believe that the majority of antivirus products on the market can’t keep up with the rate of virus propagation on the Internet,” their paper reads.

Symantec’s track record at the Times appears worse still. But it’s worth noting that its peers would likely have been equally useless: The security firm actually outperformed most of its competitors in the most recent tests by German antivirus testing firm AV-Test, which gave Symantec a rating of 5.5 out of 6 for protection on Windows 7 in its latest enterprise antivirus analysis, a better score than McAfee, Kaspersky, or Microsoft.

It’s not clear exactly what lesson companies can draw from the Times’ penetration. The paper’s chief security officer, Michael Higgins, says he suspects the breach began with a highly-targeted email sent to an unwitting employee and containing a malicious link or attachment, a difficult sort of attack to prevent. But at the very least, it shows that antivirus protection alone barely represents a speed bump to determined hackers.

Read the Times’ full story about its hacker infiltration here.

Source
by Andy Greenberg
