New York Times breached by Chinese hackers over four months

Chinese hackers accessed e-mails of reporters and stole employee passwords, with the timing of attacks coinciding with an investigative report on the wealth of Chinese premier Wen Jiabao's relatives.
Written by Ellyne Phneah, Contributor

The New York Times (NYT) said Chinese hackers had been "persistently" attacking the publication over the past four months, breaching the e-mail accounts of reporters and stealing employee passwords.

According to the US publication on Wednesday, the attacks coincided with the publication of an investigative report on the Wen family's finances last October, which claimed the family had accumulated at least US$2.7 billion in "hidden riches."

Security vendor Mandiant uncovered that the hackers breach e-mails of NYT reporters, stole password from employees and tried to mask their attack origin.

NYT had asked AT&T last October to monitor its network for unusual activity after receiving a threat from Chinese officials that its actions would "have consequences." The Times' site was blocked by the country's Internet filter after the report.

AT&T informed NYT it detected an attack that shared the same pattern as previous hacks believed to have come from the Chinese military. Further monitoring revealed the attackers would begin their intrusion at 8 a.m. China time and continue for a standard work day.

By November 7, 2012, when it was clear attackers were still inside the system, NYT hired Mandiant, a security vendor specializing in responding to security breaches. The publication allowed hackers to stay in the network for four months to identify every digital backdoor used by them. It then replaced every compromised computer and set up new defenses to keep the hackers out.

The publication is not sure how hackers made their initial intrusion, but believed e-mails with malicious links to "Remote Access Tools" had been sent to employees that would give them control.

Breached emails, stolen passwords, mask attack origin

The paper also claimed it found evidence the first attack began as early as September 2012. The hackers had broke into the e-mail accounts of Shanghai's bureau chief, David Barboza, who wrote the piece on Wen's family and Jim Yardly, the paper's South Asia bureau chief in India, who was the then-Beijing bureau chief.

Upon gaining access, the hackers installed software meant to capture Barboza's e-mail documents as he wrapped up his report. It is believed the hackers had been looking for the names of his sources, Marc Fron, NYT's CIO said in the report.

Mandiant also found that the hackers stole the corporate passwords of every NYT employee and used them to gain access to the PCs of 53 employees, most of them outside the NYT newsroom.

The attackers also tried to mask the source of their attacks by penetrating the computers at US universities first and routing the attacks through them, Mandiant added.

China is frequently the target of blame for attacks on other countries.

In October, Iran said it successfully blocked a cyberattack on the computer network of its offshore drilling platform, which it accused of being launched by China and Israel. The US also claimed China had been behind the March 2011 RSA attack and that China has been stealing "a great deal" of military data from US.

The Asian giant then pointed out that it was also a target for cyberattacks, and not the enemy in the fight against cybercrime. China has a cyberwarfare unit called the "Blue Army," but it claims the army's role is to beef up the country's defense capabilities and support its army's Internet security training.

Editorial standards