New York Times suffers APT at the hands of Chinese attackers

News by Dan Raywood

The New York Times has suffered a major cyber attack, with a large number of its user passwords stolen.

Hit by Chinese hackers in retaliation for a negative story published about the wealth of outgoing leader Wen Jiabao, the New York Times said that it had been attacked repeatedly over the past four months.

It said that security experts gathered digital evidence that Chinese hackers, using methods that some consultants have associated with the Chinese military in the past, breached The Times' network. They broke into the email accounts of its Shanghai bureau chief, David Barboza, who wrote the reports on Wen's relatives, and Jim Yardley, The Times' South Asia bureau chief in India, who previously worked as bureau chief in Beijing.

While the external experts found no evidence that sensitive emails or files from the reporting of the articles about the Wen family were accessed, downloaded or copied, the attackers were eventually able to install malware on systems. Although they accessed 53 passwords in total, these belonged only to employees involved in the story, and no customer data was accessed.

The forensic analysis found that the hackers broke into the computers on 13th September, when the reporting for the Wen articles was nearing completion. They set up at least three backdoors into users' machines that they used as a digital base camp and from there, they snooped around internal systems for at least two weeks before they identified the domain controller that contains user names and hashed, or scrambled, passwords for every Times employee.

The investigators found evidence that the attackers cracked the passwords and used them to gain access to a number of computers. The attackers installed 45 pieces of custom malware, and the newspaper's Symantec anti-virus flagged only one of them as malicious and quarantined it, according to the experts from Mandiant.

A Symantec statement said: “Advanced attacks like the ones the New York Times described in the article underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behaviour-based blocking, specifically target sophisticated attacks.

“Turning on only the signature-based anti-virus components of endpoint solutions alone is not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.”

Mikko Hypponen, chief research officer at F-Secure, said: “It's worth noting that no customer data was stolen. These attackers were not interested in making money. They wanted to spy on the Times. Journalists have been targeted by similar attacks before. In some cases, journalists' names have been used as a lure in targeted attacks.”
