Inside the Targeted Attack on The New York Times (threatpost.com)
“In terms of statistics, 45 [custom malware samples] as a ratio to the number of computers involved, 53, is a high ratio,” said Richard Bejtlich, chief security officer of Mandiant, the forensics firm hired by the Times to investigate the targeted attack. “Usually, you’ll see one or two for the relatively small number of systems involved.”
Bejtlich said his company's investigators were able to match the activity observed in this attack to a particular group of Chinese attackers by comparing it against the suite of indicators of compromise that Mandiant has built up over years of tracking threat groups.
“We identify systems with problems and collect forensic artifacts and match those with threat groups we’ve been tracking for years to see if they match,” he said. “We look for certain tools or command and control infrastructure that are earmarks used by certain groups. Then we’ll go through a second process to see if we can narrow that down.”
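The two-pass process Bejtlich describes (first, does any collected artifact match a tracked group's tools or command-and-control infrastructure; second, narrow the candidates) is shown below as an added example. It is not code from the article or from Mandiant, and the group labels, indicator values, specificity weights and host names are all constructed for illustration. The second pass weights infrastructure and custom-tool hashes above widely shared utilities, which is one reasonable way to "narrow that down"; the ratio function reproduces the samples-per-host statistic quoted above on the constructed data.

```python
"""Two-stage indicator-of-compromise (IOC) matching over forensic artifacts.

Added illustration of the attribution workflow quoted above. Group names,
indicators, weights and hosts are constructed for the example and are not
taken from the Mandiant investigation.
"""
from collections import defaultdict

# Constructed indicator sets keyed by a hypothetical group label. Each
# indicator carries a specificity weight: C2 infrastructure and a custom
# backdoor hash identify a group far more strongly than a shared utility.
GROUP_INDICATORS = {
    "GROUP-A": {
        ("sha256", "a1" * 32): 5,                     # custom backdoor build
        ("c2_domain", "update.example-a.test"): 4,    # dedicated C2 host
        ("tool", "mimikatz"): 1,                      # shared tooling, weak
    },
    "GROUP-B": {
        ("sha256", "b2" * 32): 5,
        ("c2_domain", "cdn.example-b.test"): 4,
        ("tool", "mimikatz"): 1,
        ("tool", "psexec"): 1,
    },
}

# Constructed artifacts collected from compromised hosts: (host, kind, value).
ARTIFACTS = [
    ("ws-17", "sha256", "a1" * 32),
    ("ws-17", "tool", "mimikatz"),
    ("ws-23", "c2_domain", "update.example-a.test"),
    ("ws-23", "sha256", "c3" * 32),   # sample no tracked group claims yet
    ("srv-02", "tool", "psexec"),
    ("srv-02", "sha256", "a1" * 32),
]


def stage_one(artifacts, groups):
    """Broad pass: every group with at least one matching indicator, mapped to
    the set of indicators that matched."""
    hits = defaultdict(set)
    for _host, kind, value in artifacts:
        for group, indicators in groups.items():
            if (kind, value) in indicators:
                hits[group].add((kind, value))
    return dict(hits)


def stage_two(hits, groups):
    """Narrowing pass: rank candidate groups by summed indicator specificity.
    A group that only shares a common utility with the evidence scores low."""
    scores = {g: sum(groups[g][ioc] for ioc in iocs) for g, iocs in hits.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def unmatched(artifacts, groups):
    """Artifacts claimed by no tracked group; candidates for new indicators."""
    known = {ioc for indicators in groups.values() for ioc in indicators}
    return [a for a in artifacts if (a[1], a[2]) not in known]


def malware_per_host_ratio(artifacts):
    """Distinct malware hashes divided by distinct hosts that yielded artifacts,
    the statistic Bejtlich calls unusually high for the Times case."""
    hashes = {v for _h, k, v in artifacts if k == "sha256"}
    hosts = {h for h, _k, _v in artifacts}
    return len(hashes) / len(hosts)


if __name__ == "__main__":
    hits = stage_one(ARTIFACTS, GROUP_INDICATORS)
    for group, score in stage_two(hits, GROUP_INDICATORS):
        print(f"{group}: score {score}, matched {sorted(hits[group])}")
    for host, kind, value in unmatched(ARTIFACTS, GROUP_INDICATORS):
        print(f"unattributed artifact on {host}: {kind}={value}")
    print(f"malware/host ratio: {malware_per_host_ratio(ARTIFACTS):.2f}")
```

On the constructed data GROUP-B matches only through mimikatz and psexec, which is why the weighted second pass separates it cleanly from GROUP-A even though both pass the first stage; the one hash no group claims is reported separately so an analyst can decide whether it belongs to the attributed group's toolkit.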