Symantec defiant after New York Times hackers evade antivirus defences

Only one Trojan detected, newspaper said

Symantec has offered a carefully-worded but defiant response to the news that one of its customers, the New York Times, was attacked by Chinese hackers with barely any intervention from its software.

Earlier today, the newspaper revealed that hackers probably connected to the Chinese military had spent four months trying to hack into the email accounts of dozens of its journalists, entering the network via compromised PCs.

Forensics carried out by the paper's security consultant Mandiant showed that the weapon of choice was 45 pieces of targeted Trojan malware, only one of which was detected by the installed Symantec antivirus software.

Clearly sensitive to the issue, Symantec's response has been to issue a statement implying that such sophisticated attacks could only be stopped using a layered security approach.

"Advanced attacks like the ones the New York Times described in the following article, underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions," read a statement.

"Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats."

Symantec did not say whether the New York Times had access to those extra layers of security, nor why they would not have been configured if they had. Signature-based AV remains the core of most endpoint security.

It is unlikely that either side will want to be drawn into an embarrassing public argument and so no more will likely be heard of the matter.

Commenting on the hacks, BAE Systems Detica's Cyber Security MD David Garfield agreed that endpoint monitoring was no longer sufficient to protect organisations from targeted Advanced Persistent Threats (APTs) that use Advanced Evasion Techniques (AETs) to hide.

"Organisations shouldn't ask what their security tools are telling them, but ask what they are not telling them; that can only be done by monitoring and analysing their networks for evidence of compromise," he advised.

The question, then, is less why Symantec's software didn't spot the attacks than how any conventional antivirus software could do a better job under the same pressure.
