Chinese hackers penetrated and had free rein inside the New York Times' computer systems for at least four months this past fall, the newspaper revealed in a detailed front-page story today (Jan. 31).
The hackers were apparently seeking information about the sources used for a Times exposé on the family of Chinese Prime Minister Wen Jiabao, the Times said. The exposé, published Oct. 25, said that Wen's relatives had secretly built up billions of dollars in assets.
What's noteworthy is that the Times directly accuses China and lays out the evidence. Other than Google, few of the hundreds of Western companies, governments and organizations that Chinese state-sponsored hackers have attacked over the past five years have been so forthright.
"If you look at each attack in isolation, you can't say, 'This is the Chinese military,'" Richard Bejtlich, chief security officer of Mandiant, told the Times. "[But] when you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction."
Mandiant, an Alexandria, Va.-based firm that specializes in helping companies recover from digital attacks, was brought into the Times' investigation after two weeks of efforts by AT&T, the Times' regular Internet service provider, to purge the invaders from the network had failed.
The Times story about the attack was also published online in Chinese.
Anatomy of an attack
The Times said the Chinese penetrated the company network on Sept. 13 of last year, as Shanghai bureau chief David Barboza was gathering evidence for the story on Wen Jiabao's family.
It's not clear how the attackers got in, but previous successful Chinese attacks have used spear-phishing emails, which target specific individuals within an organization.
Spear-phishing emails typically bear malicious attachments that pretend to be items of interest to the targeted individuals. When opened, the attachments install remote-access Trojans, or RATs, that allow further penetration into the organization's network.
Mandiant found the attackers initially set up shop on three desktop computers inside Times headquarters. From there, the attackers penetrated the network's security hub and found the usernames and passwords of every single Times employee.
The passwords were encrypted, the Times said, but the attackers cracked them all and gained access to the computers of many Times employees outside the newsroom, including Barboza and Beijing bureau chief Jim Yardley.
On Oct. 24, one day before the Wen story was published, the Times began to brace itself for Chinese attacks. But the hackers had already been inside the company network for six weeks.
The case against China
Management was especially worried the attackers might shut down publishing systems on Nov. 6, Election Day.
"They could have wreaked havoc on our systems," Times Chief Information Officer Marc Frons told the newspaper. "But that was not what they were after."
Instead, the attackers snooped around looking for the names of Barboza's sources. The Times insists all the information used to lay out the Wen family's business dealings came from public records.
To vacuum up information, the attackers deployed 45 pieces of customized spyware, Mandiant found.
Only one piece of the spyware was detected by the Symantec security software the Times was using, but that's not surprising; security software's main defense against unknown malware is at the network perimeter, and the hackers were already deep inside.
"Advanced attacks like the ones the New York Times described ... underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions," Symantec said in a press statement today. "Turning on only the signature-based anti-virus components of endpoint solutions alone is not enough in a world that is changing daily from attacks and threats."
Mandiant found that the attackers launched their attacks from compromised servers belonging to American universities and smaller Internet service providers. They usually operated during normal business hours in China.
Like all good hackers, the attackers frequently changed Internet Protocol addresses and used proxy servers to mask their origins, with the result that there was no definite way to trace the attack back to China.
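As an added defender-side illustration, not code from the Times' or Mandiant's investigation, the Python script below scores each source address in an authentication log by how much of its activity falls inside Shanghai business hours and outside New York's, the kind of timing pattern the article says Mandiant observed. The log lines, usernames and addresses are constructed, and the 09:00 to 18:00 weekday window is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed UTC offsets keep the example dependency-free: Shanghai has no DST,
# and the constructed dates fall in US daylight time. Use zoneinfo in production.
SHANGHAI = timezone(timedelta(hours=8), "CST")
NEW_YORK = timezone(timedelta(hours=-4), "EDT")

# Constructed sample log (UTC): timestamp, username, source IP, action.
SAMPLE_LOG = """\
2012-09-13T02:15:00Z jdoe 203.0.113.10 login
2012-09-13T03:40:00Z jdoe 203.0.113.10 fileshare_read
2012-09-14T01:05:00Z jdoe 203.0.113.10 login
2012-09-14T07:30:00Z jdoe 203.0.113.10 fileshare_read
2012-09-17T02:50:00Z jdoe 203.0.113.10 login
2012-09-13T14:05:00Z jdoe 198.51.100.7 login
2012-09-13T18:20:00Z jdoe 198.51.100.7 fileshare_read
2012-09-14T13:55:00Z jdoe 198.51.100.7 login
2012-09-14T21:10:00Z jdoe 198.51.100.7 logout
"""


def in_business_hours(ts_utc, tz, start=9, end=18):
    """True if the UTC timestamp lands on a weekday between start and end, local to tz."""
    local = ts_utc.astimezone(tz)
    return local.weekday() < 5 and start <= local.hour < end


def profile_sources(log_text):
    """Return {source_ip: (events, fraction in Shanghai hours, fraction in New York hours)}."""
    counts = defaultdict(lambda: [0, 0, 0])
    for line in log_text.splitlines():
        ts, _user, ip, _action = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        c = counts[ip]
        c[0] += 1
        c[1] += in_business_hours(when, SHANGHAI)
        c[2] += in_business_hours(when, NEW_YORK)
    return {ip: (n, sh / n, ny / n) for ip, (n, sh, ny) in counts.items()}


def flag_suspicious(log_text, min_events=3, threshold=0.8):
    """Sources whose activity clusters in Shanghai's workday while missing New York's."""
    return sorted(ip for ip, (n, sh, ny) in profile_sources(log_text).items()
                  if n >= min_events and sh >= threshold and ny <= 1 - threshold)


if __name__ == "__main__":
    print(flag_suspicious(SAMPLE_LOG))
```

Because the attackers rotated addresses and proxied through compromised U.S. servers, aggregating by user account or internal host rather than by source IP is usually more telling than the per-address view shown here.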
Confronted by the Times about the attacks, the Chinese ministry of national defense called the accusations "unprofessional and baseless."
But, as with many attacks that seem to come from China yet create a veneer of plausible deniability, the circumstantial evidence is overwhelming.
Mandiant said the attack on the Times came from a Chinese hacking group that had used the same malware, the same methods, even the same compromised U.S. servers to attack hundreds of Western organizations, including American military contractors.
The case for the Times
Other frequent targets of Chinese hacker groups — Mandiant is tracking nearly two dozen — include Tibetan dissidents and Taiwanese and Japanese companies.
Many Western companies are reluctant to admit they've been hacked, let alone point a finger at who they think did it. News of attacks might scare off shareholders and investors, and accusations against Beijing might alienate potential Chinese business partners.
(New Securities and Exchange Commission rules insist that companies disclose attacks that might impact earnings, but few additional disclosures have resulted.)
But the New York Times, which, although publicly traded, is controlled and operated by one family, has shown little such reluctance.
Last March, the newspaper's reporters traced another Chinese hacking group all the way back to a regional university in China, and even got one of the group's leaders on the phone. He refused to comment.