SAN FRANCISCO — For the last four months, Chinese hackers have
persistently attacked The New York Times, infiltrating its computer
systems and getting passwords for its reporters and other employees.
After surreptitiously tracking the intruders to study their movements
and help erect better defenses to block them, The Times and computer
security experts have expelled the attackers and kept them from breaking
back in.
The timing of the attacks coincided with the reporting for
a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao,
China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.
Security experts hired by The Times to detect and block the computer
attacks gathered digital evidence that Chinese hackers, using methods
that some consultants have associated with the Chinese military in the
past, breached The Times’s network. They broke into the e-mail accounts
of its Shanghai bureau chief, David Barboza, who wrote the reports on
Mr. Wen’s relatives, and Jim Yardley, The Times’s South Asia bureau
chief in India, who previously worked as bureau chief in Beijing.
“Computer security experts found no evidence that sensitive e-mails or
files from the reporting of our articles about the Wen family were
accessed, downloaded or copied,” said Jill Abramson, executive editor of
The Times.
The hackers tried to cloak the source of the attacks on The Times by
first penetrating computers at United States universities and routing
the attacks through them, said computer security experts at Mandiant,
the company hired by The Times. This matches the subterfuge used in many
other attacks that Mandiant has tracked to China.
The attackers first installed malware — malicious software — that
enabled them to gain entry to any computer on The Times’s network. The
malware was identified by computer security experts as a specific strain
associated with computer attacks originating in China. More evidence of
the source, experts said, is that the attacks started from the same
university computers used by the Chinese military to attack United
States military contractors in the past.
Security experts found evidence that the hackers stole the corporate
passwords for every Times employee and used those to gain access to the
personal computers of 53 employees, most of them outside The Times’s
newsroom. Experts found no evidence that the intruders used the
passwords to seek information that was not related to the reporting on
the Wen family.
No customer data was stolen from The Times, security experts said.
Asked about evidence that indicated the hacking originated in China, and
possibly with the military, China’s Ministry of National Defense said,
“Chinese laws prohibit any action including hacking that damages
Internet security.” It added that “to accuse the Chinese military of
launching cyberattacks without solid proof is unprofessional and
baseless.”
The attacks appear to be part of a broader computer espionage campaign
against American news media companies that have reported on Chinese
leaders and corporations.
Last year, Bloomberg News was targeted by Chinese hackers, and some
employees’ computers were infected, according to a person with knowledge
of the company’s internal investigation, after Bloomberg published an
article on June 29 about the wealth accumulated by relatives of Xi
Jinping, China’s vice president at the time. Mr. Xi became general
secretary of the Communist Party in November and is expected to become
president in March. Ty Trippet, a spokesman for Bloomberg, confirmed
that hackers had made attempts but said that “no computer systems or
computers were compromised.”
Signs of a Campaign
The mounting number of attacks that have been traced back to China
suggest that hackers there are behind a far-reaching spying campaign
aimed at an expanding set of targets including corporations, government
agencies, activist groups and media organizations inside the United
States. The intelligence-gathering campaign, foreign policy experts and
computer security researchers say, is as much about trying to control
China’s public image, domestically and abroad, as it is about stealing
trade secrets.
Security experts said that beginning in 2008, Chinese hackers began
targeting Western journalists as part of an effort to identify and
intimidate their sources and contacts, and to anticipate stories that
might damage the reputations of Chinese leaders.
In a December intelligence report for clients, Mandiant said that over
the course of several investigations it found evidence that Chinese
hackers had stolen e-mails, contacts and files from more than 30
journalists and executives at Western news organizations, and had
maintained a “short list” of journalists whose accounts they repeatedly
attack.
While computer security experts say China is most active and persistent,
it is not alone in using computer attacks for a variety of national
purposes, including corporate espionage. The United States, Israel,
Russia and Iran, among others, are suspected of developing and deploying
cyberweapons.
The United States and Israel have never publicly acknowledged it, but
evidence indicates they released a sophisticated computer worm starting
around 2008 that attacked and later caused damage at Iran’s main nuclear
enrichment plant. Iran is believed to have responded with computer
attacks on targets in the United States, including American banks and
foreign oil companies.
Russia is suspected of having used computer attacks during its war with Georgia in 2008.
The following account of the attack on The Times — which is based on
interviews with Times executives, reporters and security experts —
provides a glimpse into one such spy campaign.
After The Times learned of warnings from Chinese government officials
that its investigation of the wealth of Mr. Wen’s relatives would “have
consequences,” executives on Oct. 24 asked AT&T, which monitors The
Times’s computer network, to watch for unusual activity.
On Oct. 25, the day the article was published online, AT&T informed
The Times that it had noticed behavior that was consistent with other
attacks believed to have been perpetrated by the Chinese military.
The Times notified and voluntarily briefed the Federal Bureau of
Investigation on the attacks and then — not initially recognizing the
extent of the infiltration of its computers — worked with AT&T to
track the attackers even as it tried to eliminate them from its systems.
But on Nov. 7, when it became clear that attackers were still inside its
systems despite efforts to expel them, The Times hired Mandiant, which
specializes in responding to security breaches. Since learning of the
attacks, The Times — first with AT&T and then with Mandiant — has
monitored attackers as they have moved around its systems.
Hacker teams regularly began work, for the most part, at 8 a.m. Beijing
time. Usually they continued for a standard work day, but sometimes the
hacking persisted until midnight. Occasionally, the attacks stopped for
two-week periods, Mandiant said, though the reason was not clear.
Investigators still do not know how hackers initially broke into The
Times’s systems. They suspect the hackers used a so-called
spear-phishing attack, in which they send e-mails to employees that
contain malicious links or attachments. All it takes is one click on the
e-mail by an employee for hackers to install “remote access tools” — or
RATs. Those tools can siphon off oceans of data — passwords,
keystrokes, screen images, documents and, in some cases, recordings from
computers’ microphones and Web cameras — and send the information back
to the attackers’ Web servers.
Michael Higgins, chief security officer at The Times, said: “Attackers
no longer go after our firewall. They go after individuals. They send a
malicious piece of code to your e-mail account and you’re opening it and
letting them in.”
Lying in Wait
Once hackers get in, it can be hard to get them out. In the case of a
2011 breach at the United States Chamber of Commerce, for instance, the
trade group worked closely with the F.B.I. to seal its systems,
according to chamber employees. But months later, the chamber discovered
that Internet-connected devices — a thermostat in one of its corporate
apartments and a printer in its offices — were still communicating with
computers in China.
In part to prevent that from happening, The Times allowed hackers to
spin a digital web for four months to identify every digital back door
the hackers used. It then replaced every compromised computer and set up
new defenses in hopes of keeping hackers out.
“Attackers target companies for a reason — even if you kick them out,
they will try to get back in,” said Nick Bennett, the security
consultant who has managed Mandiant’s investigation. “We wanted to make
sure we had full grasp of the extent of their access so that the next
time they try to come in, we can respond quickly.”
Based on a forensic analysis going back months, it appears the hackers
broke into The Times computers on Sept. 13, when the reporting for the
Wen articles was nearing completion. They set up at least three back
doors into users’ machines that they used as a digital base camp. From
there they snooped around The Times’s systems for at least two weeks
before they identified the domain controller that contains user names
and hashed, or scrambled, passwords for every Times employee.
While hashes make hackers’ break-ins more difficult, hashed passwords
can easily be cracked using so-called rainbow tables — readily available
databases of hash values for nearly every alphanumeric character
combination, up to a certain length. Some hacker Web sites publish as
many as 50 billion hash values.
Investigators found evidence that the attackers cracked the passwords
and used them to gain access to a number of computers. They created
custom software that allowed them to search for and grab Mr. Barboza’s
and Mr. Yardley’s e-mails and documents from a Times e-mail server.
Over the course of three months, attackers installed 45 pieces of custom
malware. The Times — which uses antivirus products made by Symantec —
found only one instance in which Symantec identified an attacker’s
software as malicious and quarantined it, according to Mandiant.
A Symantec spokesman said that, as a matter of policy, the company does not comment on its customers.
The attackers were particularly active in the period after the Oct. 25
publication of The Times article about Mr. Wen’s relatives, especially
on the evening of the Nov. 6 presidential election. That raised concerns
among Times senior editors who had been informed of the attacks that
the hackers might try to shut down the newspaper’s electronic or print
publishing system. But the attackers’ movements suggested that the
primary target remained Mr. Barboza’s e-mail correspondence.
“They could have wreaked havoc on our systems,” said Marc Frons, the
Times’s chief information officer. “But that was not what they were
after.”
What they appeared to be looking for were the names of people who might have provided information to Mr. Barboza.
Mr. Barboza’s research on the stories, as reported previously in The
Times, was based on public records, including thousands of corporate
documents through China’s State Administration for Industry and
Commerce. Those documents — which are available to lawyers and
consulting firms for a nominal fee — were used to trace the business
interests of relatives of Mr. Wen.
A Tricky Search
Tracking the source of an attack to one group or country can be
difficult because hackers usually try to cloak their identities and
whereabouts.
To run their Times spying campaign, the attackers used a number of
compromised computer systems registered to universities in North
Carolina, Arizona, Wisconsin and New Mexico, as well as smaller
companies and Internet service providers across the United States,
according to Mandiant’s investigators.
The hackers also continually switched from one I.P. address to another;
an I.P. address, for Internet protocol, is a unique number identifying
each Internet-connected device from the billions around the globe, so
that messages and other information sent by one device are correctly
routed to the ones meant to get them.
Using university computers as proxies and switching I.P. addresses were
simply efforts to hide the source of the attacks, which investigators
say is China. The pattern that Mandiant’s experts detected closely
matched the pattern of earlier attacks traced to China. After Google was
attacked in 2010 and the Gmail accounts of Chinese human rights
activists were opened, for example, investigators were able to trace the
source to two educational institutions in China, including one with
ties to the Chinese military.
Security experts say that by routing attacks through servers in other
countries and outsourcing attacks to skilled hackers, the Chinese
military maintains plausible deniability.
“If you look at each attack in isolation, you can’t say, ‘This is the
Chinese military,’ ” said Richard Bejtlich, Mandiant’s chief security
officer.
But when the techniques and patterns of the hackers are similar, it is a
sign that the hackers are the same or affiliated.
“When you see the same group steal data on Chinese dissidents and
Tibetan activists, then attack an aerospace company, it starts to push
you in the right direction,” he said.
Mandiant has been tracking about 20 groups that are spying on
organizations inside the United States and around the globe. Its
investigators said that based on the evidence — the malware used, the
command and control centers compromised and the hackers’ techniques —
The Times was attacked by a group of Chinese hackers that Mandiant
refers to internally as “A.P.T. Number 12.”
A.P.T. stands for Advanced Persistent Threat, a term that computer
security experts and government officials use to describe a targeted
attack and that many say has become synonymous with attacks done by
China. AT&T and the F.B.I. have been tracking the same group, which
they have also traced to China, but they use their own internal
designations.
Mandiant said the group had been “very active” and had broken into
hundreds of other Western organizations, including several American
military contractors.
To get rid of the hackers, The Times blocked the compromised outside
computers, removed every back door into its network, changed every
employee password and wrapped additional security around its systems.
For now, that appears to have worked, but investigators and Times
executives say they anticipate more efforts by hackers.
“This is not the end of the story,” said Mr. Bejtlich of Mandiant. “Once
they take a liking to a victim, they tend to come back. It’s not like a
digital crime case where the intruders steal stuff and then they’re
gone. This requires an internal vigilance model.”
This article has been revised to reflect the following correction:
Correction: January 31, 2013
An
earlier version of this article misstated the timing of a cyberattack
that caused damage at Iran’s main nuclear enrichment plant. Evidence
suggests that the United States and Israel released a computer worm
around 2008, not 2012.
