The effort involved the installation of 45 pieces of custom malware, built to compromise the paper’s computer systems and steal passwords – which it did, affecting 53 employees and reporters, the Times said in a report on the attack. But the paper was able to uncover the plot and carefully, without detection, investigate the hacks as they were ongoing, to best erect a defense for the future. In the process, it uncovered telling clues as to who may have been responsible.
While no group has claimed responsibility for the offensive, “the timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings,” the paper’s Bits blog reported. The initial activity began in mid-September, while Times reporters were gathering information for their story.
And indeed, forensic evidence from Mandiant, the Times’ security consultant, suggests that the Chinese government had a hand in the matter. For starters, the Times said that the hackers’ methods have the same profile as those associated with the Chinese military in the past; to wit, they attempted to obfuscate their tracks by first infiltrating computers at US universities, then routing the attacks on.
Also, the initial targets were email accounts for the investigation’s author and associates: the Times’ Shanghai bureau chief, David Barboza, and Jim Yardley, The Times’ South Asia bureau chief in India, who previously worked as bureau chief in Beijing. As for the rest of the victims, Mandiant found that the passwords were used solely to seek information related to the reporting on the Wen family.
A spike in activity on the evening of the Nov. 6 presidential election raised concerns at the Times that the hackers were attempting a hacktivist-style shut down of its online and print operations to prevent it from reporting the election results – but that was not the case.
“They could have wreaked havoc on our systems,” Marc Frons, the Times’ chief information officer, told the Bits blog. “But that was not what they were after.”
What they were after however was information on the Times’ sourcing and informants for its investigation into the Premier. Fortunately, that effort appears to have failed.
“Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,” said Jill Abramson, executive editor of the Times, in a statement to Bits.
As shocking as the attack appears to be, the Times is not the only news organization to be targeted by Chinese hackers in recently. Bloomberg News and the Associated Press were both targeted last year. “Mandiant said that over the course of several investigations it found evidence that Chinese hackers had stolen e-mails, contacts and files from more than 30 journalists and executives at Western news organizations, and had maintained a ‘short list’ of journalists whose accounts they repeatedly attack,” the Times said.
“Attacks on journalists based in China are increasingly aggressive, disruptive and sophisticated,” said Greg Walton, a cyber-security researcher who has tracked Chinese hacking campaigns, told the Bits blog. He added that Chinese authorities demonstrate a “willingness to ignore international norms relating to civil society and media organizations.”
For its part, the Chinese Defense Ministry denied any involvement in the attacks and called the accusations of a state-sponsored cyber attack “baseless.”
“Chinese law forbids hacking and any other actions that damage Internet security,” the Defense Ministry said in a statement to the Associated Press. “The Chinese military has never supported any hacking activities. Cyber-attacks are characterized by being cross-national and anonymous. To accuse the Chinese military of launching cyber-attacks without firm evidence is not professional and also groundless.”
A piece of collateral damage in the whole affair is the reputation of anti-virus giant Symantec, which provided AV protection to the Times that failed to prevent or adequately identify the attacks. “The Times … found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant,” the paper noted.
That prompted a round of crowing on the part of some news outlets about the vendor having been given “a black eye.” But Symantec was swift in its response. A series of attacks like this "underscores how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions," it said in a statement.
The security firm added that turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. “We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security,” it said. “Antivirus software alone is not enough.”