Washington Post Hacked Again; Suspects Chinese Involvement

The breach was discovered by Mandiant, a security firm now famous for having pointed the finger at Chinese government involvement in western hacks. Mandiant said the intrusion was of relatively short duration. That could mean anything from a few days to a few weeks, since the New York Times reported almost exactly a year ago that it had been infiltrated by Chinese hackers for a period of about four months. Either way the Post's breach was long enough to have started "with an intrusion into a server used by The Post’s foreign staff [before it] eventually spread to other company servers before being discovered." Post spokeswoman Kris Coratti said, "we believe it was a few days at most."

The company does not believe that any subscriber information "such as credit cards or home addresses" was accessed, nor that the hackers had gained access to the publishing, emails or sensitive personal information of employees. "The extent of the loss of company data was not immediately clear, although officials planned to ask all employees to change their user names and passwords on the assumption that many or all of them may have been compromised," said the Post. It says that these passwords had been stored 'in encrypted form,' which implies that they had been hashed. If a security firm like Mandiant had any involvement with the Post's security, then it would be a fair assumption that they were also salted, but as the Post notes, "hackers in some cases have shown the ability to decode such information."

It is too soon to tell the real target of the hackers from the limited information provided by the Post so far. The implication is that it was not a typical criminal attack since the company is clear that no subscriber financial details were lost. However, since the intrusion was of limited duration, that may simply be because the intruders – who tend to work slowly and stealthily – had not yet found their way to that particular information.

It would appear that the initial target was employee passwords which would ultimately provide access to employee emails. This makes it look like a politically motivated intrusion. The two most likely culprits are either China or the Syrian Electronic Army (SEA). SEA has been involved in numerous hacks on high profile media companies in recent years. Its motivation has been to use them as a vehicle for spreading a pro-Assad message. These attacks have usually involved gaining access to passwords and account details as a first step. However, their attacks also correlate with high profile anti-Syrian government attitudes in the west; and with the slight rapprochement following Assad's destruction of his chemical weapons, it is unlikely they would currently be overtly active.

Infosecurity asked SEA if it was involved. "About the Washington Post attack,  No, The SEA wasn't involved in it. We only heard about it in the news," said a SEA spokesman in an email response.

This leaves China as the most likely culprit. Indeed, the Post reported, "The company’s suspicions immediately focused on the possibility that Chinese hackers were responsible for the hack. Evidence strongly pointed to Chinese hackers in a 2011 intrusion of The Post’s network and in hacks against the New York Times, the Wall Street Journal and a wide range of Washington-based institutions, from think tanks to human rights groups and defense contractors."

What’s hot on Infosecurity Magazine?