In a dramatic announcement late Wednesday, the New York Times reported that hackers from China had been routing through the paper’s network for at least four months, stealing the passwords of reporters in an apparent attempt to identify sources and gather other intelligence about stories related to the family of China’s prime minister.
The hackers breached the network sometime around Sept. 13 and stole the corporate passwords for every Times employee, using them to gain access to the personal computers of 53 employees, according to the report.
The hacking coincided with an investigation the Times published last October that looked into a fortune that the family of China’s Prime Minister Wen Jiabao had amassed. The hackers breached the network while the paper was in the process of concluding its reporting for the investigation.
The hackers broke into the email account of the newspaper’s Shanghai bureau chief, David Barboza, who conducted the investigation, as well as the email account of Jim Yardley, the paper’s South Asia bureau chief in India, who had previously worked out of Beijing.
Executive Editor Jill Abramson said, however, that forensic experts with Mandiant, the computer security firm hired to investigate the breach, found “no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied.”
It’s not the first time that the paper has been hacked. In 1998, a group known as HFG — or H4acking for Girl13z — hacked the paper’s web site to protest the arrest of hacker Kevin Mitnick and accuse Times reporter John Markoff of helping to catch him.
In 2002, former hacker Adrian Lamo, famously hacked the paper’s network after discovering multiple vulnerabilities and accessed a database containing the details of 3,000 contributors to the paper’s op-ed page, among other things.
In 2011, former executive editor of the Times, Bill Keller, hinted that WikiLeaks or someone associated with the group had hacked into the accounts of some of the paper’s staff. During a period of heightened tension between WikiLeaks founder Julian Assange and the paper, which was then a publishing partner of WikiLeaks, the e-mail accounts of at least three people at the Times were apparently hacked. Keller suggested that Assange and WikiLeaks were behind the intrusions but never offered evidence to support this.
In the latest hack, the attackers, in an attempt to hide their tracks, routed their attacks through computers that they hacked at universities in North Carolina, Arizona, Wisconsin and New Mexico, as well as at small companies and internet service providers. They apparently used the same university computers that hackers working for the Chinese military used previously to attack Defense Department contractors.
During the three months they were in the paper’s network, the attackers installed 45 pieces of custom malware, though nearly all of it went undetected. Although the newspaper uses antivirus products made by Symantec, the monitoring software identified and quarantined only one of the attacker’s tools during that time, according to the report.
The attackers increased their activity in late October after the paper published its investigation of the prime minister’s relatives, and were also particularly active the night of the Nov. 6 presidential election.
The paper noted that there were concerns the hackers would try to shut down its publishing system that night, but they turned out to be unwarranted since the attackers apparently showed interest only in the paper’s reporting about the prime minister’s family.
“They could have wreaked havoc on our systems,” said Marc Frons, the Times’s chief information officer said in the report. “But that was not what they were after.”
The Times had been on alert for suspicious activity after learning that Chinese officials had warned that the paper’s reporting would have consequences. The paper asked AT&T, which monitors its network, to be on the lookout for suspicious activity.
After AT&T reported finding such activity, the FBI was notified, and the Times called in Mandiant to investigate.
Evidence showed that the hackers installed three backdoors and routed their way through the network for two weeks before uncovering a system containing the computer usernames and hashed passwords for all of the paper’s employees. The hackers apparently cracked a number of passwords to gain entry to employee computers.
“They created custom software that allowed them to search for and grab Mr. Barboza’s and Mr. Yardley’s e-mails and documents from a Times e-mail server,” the paper revealed.
The intrusion is apparently part of a wider campaign directed by Chinese hackers against western media outlets since 2008. Hackers from China also attempted to hack into the network of Bloomberg News last year after publishing stories about the relatives of China’s vice president.
Mandiant has investigated many of the breaches and found evidence that Chinese hackers had stolen e-mails, contact lists and files from more than 30 journalists and executives working for western media outlets.