Hackers in China Attacked The Times for Last 4 Months
SAN FRANCISCO — For the last four months,
Chinese hackers have persistently attacked The New York Times,
infiltrating its computer systems and getting passwords for its
reporters and other employees.
After surreptitiously tracking the intruders
to study their movements and help erect better defenses to block them,
The Times and computer security experts have expelled the attackers and
kept them from breaking back in.
The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.
Security experts hired by The Times to detect
and block the computer attacks gathered digital evidence that Chinese
hackers, using methods that some consultants have associated with the
Chinese military in the past, breached The Times’s network. They broke
into the e-mail accounts of its Shanghai bureau chief, David Barboza,
who wrote the reports on Mr. Wen’s relatives, and Jim Yardley, The
Times’s South Asia bureau chief in India, who previously worked as
bureau chief in Beijing.
“Computer security experts found no evidence
that sensitive e-mails or files from the reporting of our articles about
the Wen family were accessed, downloaded or copied,” said Jill
Abramson, executive editor of The Times.
The hackers tried to cloak the source of the
attacks on The Times by first penetrating computers at United States
universities and routing the attacks through them, said computer
security experts at Mandiant, the company hired by The Times. This
matches the subterfuge used in many other attacks that Mandiant has
tracked to China.
The attackers first installed malware —
malicious software — that enabled them to gain entry to any computer on
The Times’s network. The malware was identified by computer security
experts as a specific strain associated with computer attacks
originating in China. More evidence of the source, experts said, is that
the attacks started from the same university computers used by the
Chinese military to attack United States military contractors in the
past.
Security experts found evidence that the
hackers stole the corporate passwords for every Times employee and used
those to gain access to the personal computers of 53 employees, most of
them outside The Times’s newsroom. Experts found no evidence that the
intruders used the passwords to seek information that was not related to
the reporting on the Wen family.
No customer data was stolen from The Times, security experts said.
Asked about evidence that indicated the
hacking originated in China, and possibly with the military, China’s
Ministry of National Defense said, “Chinese laws prohibit any action
including hacking that damages Internet security.” It added that “to
accuse the Chinese military of launching cyberattacks without solid
proof is unprofessional and baseless.”
The attacks appear to be part of a broader
computer espionage campaign against American news media companies that
have reported on Chinese leaders and corporations.
Last year, Bloomberg News was targeted by
Chinese hackers, and some employees’ computers were infected, according
to a person with knowledge of the company’s internal investigation,
after Bloomberg published an article on June 29 about the wealth
accumulated by relatives of Xi Jinping, China’s vice president at the
time. Mr. Xi became general secretary of the Communist Party in November
and is expected to become president in March. Ty Trippet, a spokesman
for Bloomberg, confirmed that hackers had made attempts but said that
“no computer systems or computers were compromised.”
Signs of a Campaign
The mounting number of attacks that have been
traced back to China suggest that hackers there are behind a
far-reaching spying campaign aimed at an expanding set of targets
including corporations, government agencies, activist groups and media
organizations inside the United States. The intelligence-gathering
campaign, foreign policy experts and computer security researchers say,
is as much about trying to control China’s public image, domestically
and abroad, as it is about stealing trade secrets.
Security experts said that beginning in 2008,
Chinese hackers began targeting Western journalists as part of an effort
to identify and intimidate their sources and contacts, and to
anticipate stories that might damage the reputations of Chinese leaders.
In a December intelligence report for clients,
Mandiant said that over the course of several investigations it found
evidence that Chinese hackers had stolen e-mails, contacts and files
from more than 30 journalists and executives at Western news
organizations, and had maintained a “short list” of journalists whose
accounts they repeatedly attack.
While computer security experts say China is
most active and persistent, it is not alone in using computer attacks
for a variety of national purposes, including corporate espionage. The
United States, Israel, Russia and Iran, among others, are suspected of
developing and deploying cyberweapons.
The United States and Israel have never
publicly acknowledged it, but evidence indicates they released a
sophisticated computer worm starting around 2008 that attacked and later
caused damage at Iran’s main nuclear enrichment plant. Iran is believed
to have responded with computer attacks on targets in the United
States, including American banks and foreign oil companies.
Russia is suspected of having used computer attacks during its war with Georgia in 2008.
The following account of the attack on The
Times — which is based on interviews with Times executives, reporters
and security experts — provides a glimpse into one such spy campaign.
After The Times learned of warnings from
Chinese government officials that its investigation of the wealth of Mr.
Wen’s relatives would “have consequences,” executives on Oct. 24 asked
AT&T, which monitors The Times’s computer network, to watch for
unusual activity.
On Oct. 25, the day the article was published
online, AT&T informed The Times that it had noticed behavior that
was consistent with other attacks believed to have been perpetrated by
the Chinese military.
The Times notified and voluntarily briefed the
Federal Bureau of Investigation on the attacks and then — not initially
recognizing the extent of the infiltration of its computers — worked
with AT&T to track the attackers even as it tried to eliminate them
from its systems.
But on Nov. 7, when it became clear that
attackers were still inside its systems despite efforts to expel them,
The Times hired Mandiant, which specializes in responding to security
breaches. Since learning of the attacks, The Times — first with AT&T
and then with Mandiant — has monitored attackers as they have moved
around its systems.
Hacker teams regularly began work, for the
most part, at 8 a.m. Beijing time. Usually they continued for a standard
work day, but sometimes the hacking persisted until midnight.
Occasionally, the attacks stopped for two-week periods, Mandiant said,
though the reason was not clear.
Investigators still do not know how hackers
initially broke into The Times’s systems. They suspect the hackers used a
so-called spear-phishing attack, in which they send e-mails to
employees that contain malicious links or attachments. All it takes is
one click on the e-mail by an employee for hackers to install “remote
access tools” — or RATs. Those tools can siphon off oceans of data —
passwords, keystrokes, screen images, documents and, in some cases,
recordings from computers’ microphones and Web cameras — and send the
information back to the attackers’ Web servers.
Michael Higgins, chief security officer at The
Times, said: “Attackers no longer go after our firewall. They go after
individuals. They send a malicious piece of code to your e-mail account
and you’re opening it and letting them in.”
Lying in Wait
Once hackers get in, it can be hard to get
them out. In the case of a 2011 breach at the United States Chamber of
Commerce, for instance, the trade group worked closely with the F.B.I.
to seal its systems, according to chamber employees. But months later,
the chamber discovered that Internet-connected devices — a thermostat in
one of its corporate apartments and a printer in its offices — were
still communicating with computers in China.
In part to prevent that from happening, The
Times allowed hackers to spin a digital web for four months to identify
every digital back door the hackers used. It then replaced every
compromised computer and set up new defenses in hopes of keeping hackers
out.
“Attackers target companies for a reason —
even if you kick them out, they will try to get back in,” said Nick
Bennett, the security consultant who has managed Mandiant’s
investigation. “We wanted to make sure we had full grasp of the extent
of their access so that the next time they try to come in, we can
respond quickly.”
Based on a forensic analysis going back
months, it appears the hackers broke into The Times computers on Sept.
13, when the reporting for the Wen articles was nearing completion. They
set up at least three back doors into users’ machines that they used as
a digital base camp. From there they snooped around The Times’s systems
for at least two weeks before they identified the domain controller
that contains user names and hashed, or scrambled, passwords for every
Times employee.
While hashes make hackers’ break-ins more
difficult, hashed passwords can easily be cracked using so-called
rainbow tables — readily available databases of hash values for nearly
every alphanumeric character combination, up to a certain length. Some
hacker Web sites publish as many as 50 billion hash values.
Investigators found evidence that the
attackers cracked the passwords and used them to gain access to a number
of computers. They created custom software that allowed them to search
for and grab Mr. Barboza’s and Mr. Yardley’s e-mails and documents from a
Times e-mail server.
Over the course of three months, attackers
installed 45 pieces of custom malware. The Times — which uses antivirus
products made by Symantec — found only one instance in which Symantec
identified an attacker’s software as malicious and quarantined it,
according to Mandiant.
A Symantec spokesman said that, as a matter of policy, the company does not comment on its customers.
The attackers were particularly active in the
period after the Oct. 25 publication of The Times article about Mr.
Wen’s relatives, especially on the evening of the Nov. 6 presidential
election. That raised concerns among Times senior editors who had been
informed of the attacks that the hackers might try to shut down the
newspaper’s electronic or print publishing system. But the attackers’
movements suggested that the primary target remained Mr. Barboza’s
e-mail correspondence.
“They could have wreaked havoc on our
systems,” said Marc Frons, the Times’s chief information officer. “But
that was not what they were after.”
What they appeared to be looking for were the names of people who might have provided information to Mr. Barboza.
Mr. Barboza’s research on the stories, as
reported previously in The Times, was based on public records, including
thousands of corporate documents through China’s State Administration
for Industry and Commerce. Those documents — which are available to
lawyers and consulting firms for a nominal fee — were used to trace the
business interests of relatives of Mr. Wen.
A Tricky Search
Tracking the source of an attack to one group
or country can be difficult because hackers usually try to cloak their
identities and whereabouts.
To run their Times spying campaign, the
attackers used a number of compromised computer systems registered to
universities in North Carolina, Arizona, Wisconsin and New Mexico, as
well as smaller companies and Internet service providers across the
United States, according to Mandiant’s investigators.
The hackers also continually switched from one
I.P. address to another; an I.P. address, for Internet protocol, is a
unique number identifying each Internet-connected device from the
billions around the globe, so that messages and other information sent
by one device are correctly routed to the ones meant to get them.
Using university computers as proxies and
switching I.P. addresses were simply efforts to hide the source of the
attacks, which investigators say is China. The pattern that Mandiant’s
experts detected closely matched the pattern of earlier attacks traced
to China. After Google was attacked in 2010 and the Gmail accounts of
Chinese human rights activists were opened, for example, investigators
were able to trace the source to two educational institutions in China,
including one with ties to the Chinese military.
Security experts say that by routing attacks
through servers in other countries and outsourcing attacks to skilled
hackers, the Chinese military maintains plausible deniability.
“If you look at each attack in isolation, you
can’t say, ‘This is the Chinese military,’ ” said Richard Bejtlich,
Mandiant’s chief security officer.
But when the techniques and patterns of the
hackers are similar, it is a sign that the hackers are the same or
affiliated.
“When you see the same group steal data on
Chinese dissidents and Tibetan activists, then attack an aerospace
company, it starts to push you in the right direction,” he said.
Mandiant has been tracking about 20 groups
that are spying on organizations inside the United States and around the
globe. Its investigators said that based on the evidence — the malware
used, the command and control centers compromised and the hackers’
techniques — The Times was attacked by a group of Chinese hackers that
Mandiant refers to internally as “A.P.T. Number 12.”
A.P.T. stands for Advanced Persistent Threat, a
term that computer security experts and government officials use to
describe a targeted attack and that many say has become synonymous with
attacks done by China. AT&T and the F.B.I. have been tracking the
same group, which they have also traced to China, but they use their own
internal designations.
Mandiant said the group had been “very active”
and had broken into hundreds of other Western organizations, including
several American military contractors.
To get rid of the hackers, The Times blocked
the compromised outside computers, removed every back door into its
network, changed every employee password and wrapped additional security
around its systems.
For now, that appears to have worked, but
investigators and Times executives say they anticipate more efforts by
hackers.
“This is not the end of the story,” said Mr.
Bejtlich of Mandiant. “Once they take a liking to a victim, they tend to
come back. It’s not like a digital crime case where the intruders steal
stuff and then they’re gone. This requires an internal vigilance
model.”
NYT
NYT
0 Comments:
Post a Comment
<< Home