The New York Times was the victim of an elaborate hacking attack from China, according to a report in Wednesday's Times. The attacks, which have been ongoing for the past four months, were apparently in retaliation for an article the Times published about the vast wealth accumulated by the family of Chinese Prime Minister Wen Jiabao.
Hackers first gained access to the Times's system on September 13th, but the breach wasn't noticed until October 26th, the day after the article was published and two days after the Times had asked AT&T to monitor its network for any unusual activity. The paper first became suspicious after receiving warnings from the Chinese government that, if their investigation continued, they would "have consequences." It wasn't until November 7th that the Times realized the hackers were still in their network, at which point they hired Mandiant, an outside computer security company, to investigate.
Experts believe the hackers initially gained access via spear-phishing attacks — emails to employees containing links or attachments that carried malware — which gave them users' passwords and keystrokes. Once those were obtained, the hackers targeted the email accounts of David Barboza, who wrote the article about Wen's relatives, and Jim Yardley, The Times's South Asia bureau chief. To do so, the hackers wrote custom software to download the reporters' documents and emails from the Times's servers, apparently looking for the identities of Barboza's sources; the paper says the article was based on public records.
"Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied," said Jill Abramson, executive editor of The Times.
Editors were concerned the hackers might attack the paper's website and publishing system during the presidential election, but those fears proved to be unfounded; the hackers' only target, apparently, was Barboza's email.
"They could have wreaked havoc on our systems," said Marc Frons, the Times's chief information officer. "But that was not what they were after."
In order to maintain secrecy and, as the Times put it, to allow the Chinese military "plausible defensibility," the hackers launched their attacks from various computer systems registered to U.S. universities. The attackers also regularly switched IP addresses, making it difficult to track attacks to a single group.
"If you look at each attack in isolation, you can't say, 'This is the Chinese military,'" said Richard Bejtlich, Mandiant's chief security officer.
But when the techniques and patterns of the hackers are similar, it is a sign that the hackers are the same or affiliated.
"When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction," he said.
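The reasoning in the last few paragraphs is the core of an attribution problem: each intrusion arrives from a different address, so infrastructure alone links nothing, but the overlap in tradecraft across victims does. The following is an added example, not code from the article or from Mandiant, that makes that comparison concrete. The intrusion records, source addresses and technique labels are constructed and hypothetical; it first shows that an infrastructure-only view finds no shared addresses, then clusters the records by Jaccard overlap of their technique sets with a small union-find.

```python
from itertools import combinations

# Constructed, hypothetical intrusion records (not data from the article).
# Every record arrives from a different source address, so infrastructure
# alone never links two of them; the technique sets are what overlap.
INTRUSIONS = {
    "media-2012":     {"src": "203.0.113.7",   "ttps": {"spearphish-attachment", "keylogger", "mailbox-dump", "university-relay", "ip-rotation"}},
    "dissident-2011": {"src": "198.51.100.4",  "ttps": {"spearphish-attachment", "keylogger", "mailbox-dump", "university-relay"}},
    "aerospace-2012": {"src": "192.0.2.88",    "ttps": {"spearphish-attachment", "keylogger", "university-relay", "ip-rotation", "document-harvest"}},
    "retail-2012":    {"src": "203.0.113.200", "ttps": {"sql-injection", "webshell", "card-dump"}},
    "ddos-2012":      {"src": "198.51.100.77", "ttps": {"botnet-flood"}},
}


def jaccard(a, b):
    """Overlap of two technique sets: |a & b| / |a | b| (0.0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def infrastructure_links(intrusions):
    """Pairs of intrusions that share a source address: the 'each attack in isolation' view."""
    return sorted(
        (x, y)
        for x, y in combinations(sorted(intrusions), 2)
        if intrusions[x]["src"] == intrusions[y]["src"]
    )


def ttp_clusters(intrusions, threshold=0.5):
    """Union-find over every pair whose technique overlap meets the threshold.

    Returns the clusters as a sorted list of sorted name lists, so that records
    linked only transitively (A~B and B~C but A and C below threshold) still
    land in one group.
    """
    parent = {name: name for name in intrusions}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    for x, y in combinations(sorted(intrusions), 2):
        if jaccard(intrusions[x]["ttps"], intrusions[y]["ttps"]) >= threshold:
            parent[find(x)] = find(y)

    groups = {}
    for name in intrusions:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print("shared infrastructure:", infrastructure_links(INTRUSIONS))
    for cluster in ttp_clusters(INTRUSIONS):
        print("cluster:", cluster)
```

With the sample data the media, dissident and aerospace records form one cluster at a 0.5 threshold while the card-theft and DDoS records stay on their own; raising the threshold to 0.7 splits the aerospace record off again, which is the usual caveat with this kind of linking: the threshold, not the data, decides how confident the "same or affiliated" claim is.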
China's Ministry of National Defense denied the attacks, saying, "Chinese laws prohibit any action including hacking that damages Internet security," and adding, "to accuse the Chinese military of launching cyberattacks without solid proof is unprofessional and baseless."
The Times believes the hackers are now out of its systems, which it accomplished by blocking access to its network from select outside computers, changing every employee's password and adding further security measures. However, security experts were quick to say more attacks were likely. "This is not the end of the story," said Mr. Bejtlich of Mandiant. "Once they take a liking to a victim, they tend to come back. It's not like a digital crime case where the intruders steal stuff and then they're gone. This requires an internal vigilance model."
All told, the hackers stole every employee's corporate password, using them to infiltrate the personal computers of 53 employees. According to the Times, no customer information was accessed during the attacks.