January 31, 2013

New York Times Exposes Chinese Hackathon

The New York Times reported on Thursday that it was the victim of a four-month cyberattack that originated in China. The intrusions may have been part of a shift by Chinese hackers to apply the same sophisticated infiltration techniques on foreign media that have been used in recent years to steal data from international corporations.

The attackers cracked passwords and gained access to a number of computers, the newspaper reported, although it had a Symantec security system in place.

"Advanced attacks like the ones at The New York Times underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions," said Symantec spokesperson Candice Garmoe. "The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks."

Forty-five pieces of custom malware were installed; however, only one was identified and quarantined by the Symantec antivirus product.

"Turning on only the signature-based antivirus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats," Garmoe told TechNewsWorld. "We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Antivirus software alone is not enough."

The New York Times did not respond to our request for further details.


While the Chinese government denied that it was behind the attacks, the newspaper said the methods used have been associated with the Chinese military in the past.

"The CPC is very sensitive to criticism, especially during a leadership transition wracked by scandal due to the Bo Xilai affair," said Jon Lindsay of the University of California Institute on Global Conflict and Cooperation. "The hackers were likely looking for evidence and names of Chinese sources, presumably to punish them.

"Their technical tradecraft was a bit sloppy, which is typical of Chinese hacks," Lindsay told TechNewsWorld, "yet there has been little incentive to improve in the absence of any real political consequences from the U.S."

The attacks also seemed timed to specific news coverage and could be the CPC's way -- via the hackers -- of responding to what it saw as negative press coverage. An Oct. 25 Times report found that relatives of prime minister Wen Jiabao had accumulated several billion dollars through business dealings.

"Chinese government officials said the reports would have consequences, and the attacks began shortly thereafter," said Charles King, principal analyst at Pund-IT.

This is not the first time that China's government has been linked to cyberattacks, and the evidence gathered suggested the attack almost certainly originated in Beijing.

"China's government has steadfastly insisted that such activities are prohibited by law," King told TechNewsWorld. "By carefully monitoring the attacks, comparing their methodologies to known past attacks emanating from China, and tracking them over time to amass and solidify its evidence, the Times is essentially calling China's bluff and labeling its official claims of innocence as bogus posturing."


Given China's previous crackdown on any vocal opposition within its borders -- including those online -- this attack appears to be consistent with government policies.

"It is there if you go back and read Sun Tzu," said Alan Webber, industry analyst and managing partner at Altimeter Group. The attack may not only be China's way of silencing the press, but in an ominous development could also be an attempt to edit what is said about the country.

"This is very much a way for China to see what is being written and to get ahead of the news cycle," Webber said, "but what happens if they can get into the news sites and modify the story a little bit -- make it a little more positive about China? That is just one worry."

Another concern is that Chinese citizens who have spoken out against the government might not believe that the media can protect them, even with information given on background or as an anonymous source.

"They could be looking to find out who the sources are in the anti-China movement, such as in places like Tibet," Webber told TechNewsWorld. "The New York Times from that perspective is a viable target."


If the hack could scare off some sources, why would the paper announce that it was hacked for so long? One possibility: to reassure those same potential sources.

"One of the reasons they did report this was to highlight how well they responded to the incident," said Irv Lachow, director of the program on technology and national security at the Center for a New American Security. "They stressed that no sensitive email was compromised and personal data was not taken."

The Times noted that the hacking was detected early on, and then the bad guys were tracked and monitored as they moved through the network.

"This was a way of ensuring that no harm was done," Lachow told TechNewsWorld. "One reason to put the story out was to highlight these efforts, and put out the story before others reported on it."

It may come down to credibility, something that the Times has long been careful to protect. That doesn't mean, however, that all the sources will still feel comfortable spilling secrets or opinions the next time.

"It will make some sources think twice about talking to reporters -- for good reasons, but that is kind of sad," Webber said.

Nor will it just be China that should be monitored for such attacks on the free press. Any foreign government that doesn't want dissent in the media could unleash hackers on journalists.

"There are a lot of national and non-national efforts into this," said Webber. "This is going to be perpetual and ubiquitous across a number of avenues, and this is just the tip of what we can expect."