New York Times Hacking Highlights Other Cases

The New York Times admitted on Wednesday that it had been the victim of a four-month hacking campaign, apparently in response to its probing of premier Wen Jiabao’s family’s wealth. The attacks, it reported, seemed aimed at uncovering the investigation’s sources.

On Thursday, The Wall Street Journal revealed that it, too, has suffered attacks focused on its coverage of China. From Siobhan Gorman, Devlin Barrett and Danny Yadron:

In the most recent incident, the Journal was notified by the FBI of a potential breach in the middle of last year, when the FBI came across data that apparently had come from the computer network in the Journal’s Beijing bureau, people familiar with the incident said.

[…] Among the targets were a handful of journalists in the Beijing bureau, including Jeremy Page, who wrote articles about the murder of British businessman Neil Heywood in a scandal that helped bring down Chinese politician Bo Xilai, people familiar with the matter said. Beijing Bureau Chief Andrew Browne also was a target, they said.

[…] “Evidence shows that infiltration efforts target the monitoring of the Journal’s coverage of China and are not an attempt to gain commercial advantage or to misappropriate customer information,” Paula Keve, a spokeswoman for Journal publisher Dow Jones, said in a written statement Thursday. Dow Jones is a unit of News Corp.

The Times noted that Bloomberg News had also been attacked following its investigation of Xi Jinping’s family last year, and that security firm Mandiant had compiled a list of other targeted journalists. The Globe and Mail’s Mark MacKinnon added on Twitter that a 2011 intrusion into his own computer had also been aimed at “specific China-related files”. Numerous other targets have been identified elsewhere; in fact, wrote Adam Segal of the Council on Foreign Relations, the “sweeping cyber espionage campaign […] appears endemic”. From Foreign Policy:

As with many cases of cyber espionage, the break-in is assumed to have started with a spear-phishing email, a socially engineered message containing malware attachments or links to hostile websites. In the case of the attack on the security firm RSA in 2011, for example, an email with the subject line “2011 Recruitment Plan” was sent with an attached Excel file. Opening the file downloaded software that allowed attackers to gain control of the user’s computers. They then gradually expanded their access and moved into different computers and networks.

[…] Evidence that the hackers are China-based in all of these cases is suggestive, but not conclusive. Some of the code used in the attacks was developed by Chinese hacker groups and the command and control nodes have been traced back to Chinese IP addresses. Hackers are said to clock in in the morning Beijing time, clock out in the afternoon, and often take vacation on Chinese New Year and other national holidays. But attacks can be routed through many computers, malware is bought and sold on the black market, groups share techniques, and one of the cherished clichés of hackers is that they work weird hours.

Perhaps the most compelling evidence has been the type of information targeted. The emails and documents of the office of the Dalai Lama and Tibetan activists, defense industries, foreign embassies, journalists, and think tanks are not easily monetized and so would apparently have little attraction to criminal hackers. The information contained in them would be of much greater interest to the Chinese government.

Graham Cluley at Sophos’ Naked Security blog summed up the attribution debate:

Security experts brought in by the newspaper have pointed the finger of blame at China. And, in all likelihood, they’re right.

However, it must be remembered that it is extremely difficult to prove who is behind an internet attack like this. That’s because it’s so easy to use compromised computers around the world to route attacks through – disguising the true origin.

Of course, even if China is identified as the starting point of an attack – it doesn’t necessarily prove that it the operation is backed by the Chinese government or intelligence services. It could just as easily be a patriotic group of skilled, independent Chinese hackers upset with how the Western media is portraying their country’s rulers.

But let’s not be too naive… In all probability, the New York Times’s conclusion is correct, and this attack was sanctioned by the powers that be in Beijing.

NPR’s Neal Conan raised a third possibility: that the campaign might have been initiated privately by a member of Wen’s family, to investigate the investigation.

According to The Times report, the organization’s Symantec anti-virus software detected only one of 45 pieces of intruding malware. Symantec would not comment for the article itself, but in a later statement suggested that the newspaper had simply not bought enough of its products:

“Advanced attacks like the ones the New York Times described in the following article, (http://nyti.ms/TZtr5z), underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.”

While some dissected the NYT attack itself, others pondered its broader significance. The New Yorker’s Evan Osnos viewed it in light of Xi Jinping’s professed crusade against official corruption:

The timing of all this is significant for anyone interested in the prospect of reform: this attack has unfolded at the very moment that the new Chinese leadership, under Xi Jinping, has pledged to root out corruption before it destroys the Party. Xi has been making so many gestures of reform that he has persuaded some longtime China-watchers to take him seriously.

[…] The renewed commitment to combating corruption isn’t looking as sincere. On the contrary, this case feels like déjà vu for the Times: in 2004, the Chinese government detained the Times researcher Zhao Yan, accusing him of leaking state secrets. As evidence, the investigators cited a photocopy of one of Zhao’s handwritten notes; the Times pointedly noted, “questions remain about how security agents obtained a copy of the note. One possibility is that agents entered The Times’s Beijing bureau without permission.”

This time, the newspaper claims, the intruders have been exorcised, and no sensitive data was taken. The Times has always maintained that the Wen exposé was based on public records, not human sources. Nevertheless, some feared, the recent episode might raise doubts about its ability to protect such sources in future. At Slate, Farhad Manjoo suggested that a deterrent effect might even have been one of the attackers’ goals:

The most important outcome here might be the chilling effect: Now that a Chinese attack on the New York Times is international news, any dissident or potential whistle-blower in China will be wary of talking to journalists at the paper—or, for that matter, all journalists.

In other words, the hack worked. […]