After publishing an investigative report on Chinese Premier Wen Jiabao’s family finances last October, The New York Times was the victim of a prolonged four-month hacking scheme that may have originated from state-sponsored hackers.
The newspaper published on Thursday a detailed look at the hacker’s methods compiled after hiring security experts at Mandiant to track them.
At one point, the intruders managed to gain access to the passwords of every Times employee. However, the attackers appeared to be specifically targeting Shanghai bureau chief David Barboza, who wrote the original report on Wen’s relatives.
The paper said that it warned AT&T last October to monitor its network for unusual activity after receiving a veiled threat from Chinese officials that its actions would “have consequences”. The report did incur an official response, as the Times’ site was blocked by the country’s Internet filter after the report and remains blocked to this day.
The day that the exposé was published, AT&T informed the Times that it had detected an attack in the same pattern as previous hacks believed to have come from the Chinese military. Extended monitoring revealed that the attackers would often begin their intrusions at 8am China time and continue for a standard work day.
Though the Times is unclear exactly how the hackers made their initial intrusion, it believes that they sent emails to employees with malicious links to “Remote Access Tools” that would give them control.
“Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your email account and you’re opening it and letting them in,” the paper’s chief security officer said.
After looking back further, the Times claims to have found evidence that the first attack began as early as Sept. 13. Once they had gained access, they installed software meant to capture Barboza’s email documents as he wrapped up his report. It is believed that the hackers were looking for the names of his sources.
When the Times approached China’s Ministry of National Defense with its evidence that the hackers were traced back to China and possibly the military, the agency noted that actions that damage Internet security are illegal.
“To accuse the Chinese military of launching cyberattacks without solid proof is unprofessional and baseless,” a Ministry official said.
Bloomberg also appears to have fended off similar attacks after publishing its own investigation into the finances of incoming leader Xi Jinping’s relatives last year. The news agency’s site was also blocked in China following its report.
A Bloomberg spokesperson told the Times that “no computer systems or computers were compromised” during the attacks.
Direct evidence linking Chinese hackers to the government has yet to emerge, but many security experts believe that the government is behind the operations. At the least, attacks originating from China are often in-line with the state’s aims.
Last September, cyberattackers targeted Japanese government sites during a territory dispute between Japan and China. The US Chamber of Commerce was infiltrated in 2010 and is believed to have originated from China. Google left the Chinese search market in 2010 after Chinese hackers stole some of its code, allegedly in an effort to gain access to the accounts of Chinese human rights activists.
China has revealed that, however, it does have a “Blue Army” trained in advanced cyberwarfare, but it claims that the group is focused on self-defense and won’t initiate attacks on anyone. Phew, I guess.
Image credit: Mario Tama / Getty Images