RegulationSecurityWorkspace

New York Times Hit By ‘Chinese Hackers’

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

NYT says it was able to link attacks back to China, but there remain problems with attribution

The New York Times says it has been the victim of a four-month long cyber attack emanating from China, following a Times investigation into Chinese corruption.

The famous US paper said Chinese hackers stole passwords from employees and broke into its systems. Chinese officials have denied any involvement.

But the New York Times worked with its ISP AT&T and a security company to track the hackers and prevent them from breaking back in. It noted that the attacks started around the time of an investigation which suggested family members of China’s prime minister, Wen Jibao, had amassed billions of dollars in business deals.

New York Times attacks

© Karen Roach - Fotolia (Medium)It is believed the initial attack vector was spear phishing, where specified targets are sent emails with malicious attachments or links.

Email accounts of the New York Times’ Shanghai bureau chief, David Barboza, who wrote up the investigation, were hacked, as were those belonging to Jim Yardley, the paper’s South Asia bureau chief in India, who previously worked as bureau chief in Beijing.

Security company Mandiant was brought in to help with investigations into the attacks. It found the attackers had broken into US university servers, hacking the paper from those systems in an attempt to cover their tracks.

As for the China link, experts suggested the attackers used the same compromised university systems used by the Chinese military to hit US military contractors previously.

Malware, thought to be linked to previous computer attacks originating from China, was placed on NYT systems, and all employee passwords may have been stolen, according to the paper. Mandiant admitted that attacks in isolation could not be attributed for certain, but linking them to other events helps draw a clearer picture.

“When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction,” said Richard Bejtlich, Mandiant’s chief security officer. The company claims to have been tracking various Chinese hacking groups operating spy campaigns in the US.

AV fail?

Another 45 pieces of custom malware were installed on Times’ machines, with only one blocked by Symantec anti-virus. The company issued its own response on the NYT attacks, noting that anti-virus is not enough on its own.

“Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security,” Symantec said.

Fortunately for the Times, it appears little useful was achieved by the hackers. “Computer security experts found no evidence that sensitive emails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,” said Jill Abramson, executive editor of the paper.

Chinese officials were not happy about the claims being made by the New York Times. “To accuse the Chinese military of launching cyber attacks without solid proof is unprofessional and baseless”, said one response.

“Chinese laws prohibit any action including hacking that damages Internet security,” read a statement from China’s Ministry of National Defense.

Bloomberg News claimed it was targeted by Chinese hackers last year, after it published an article on the wealth accumulated by Xi Jinping, who is now general secretary of the Communist Party and expected to become president.

Yet there remains a problem with attribution in the cyber world. If hackers can route their traffic through a variety of different servers, it makes determining the source of an attack very tricky.

However, security companies claim they are getting a lot better. Using honeypot techniques, where attractive pieces of data, either real or faked, are tagged, so that when they are pilfered, they can be followed back to the original source. But more obfuscation at the hacker end can still prevent victims from truly knowing the assailant.

What’s concerning some onlookers is how the US might respond to cyber attacks. It has already reserved the right to use physical force in response to a serious cyber incident. Worried parties suggest this could be catastrophic if attribution proves to be wrong.

Meanwhile, the FBI is stepping up its hunt for those who leaked information on Stuxnet, malware that hit Iranian uranium enrichment facilities, linking it to the US and Israel. The US, a country that has repeatedly warned about a “cyber 9/11”, is believed to have created Stuxnet with Israel, without admitting or denying it.

Are you a security expert? Try our quiz!