The New York Times has published a wild account of a four-month-long hack, reportedly originating in China, that compromised its computer systems and targeted its reporters. The report suggests that the attack may have been politically motivated, and that it may have been conducted by the Chinese military. The intrusion has since been shut out of the Times' network, but several important questions remain unanswered.
The Times says that it received warnings from Chinese government officials in response to an investigation into the wealth of prime minister Wen Jiabao's relatives. Following the warnings, the publication asked its ISP — AT&T — to monitor its network for attacks. The Times says that on October 25th, the day its investigation was published, AT&T notified it of an attack consistent with others "believed to have been perpetrated by the Chinese military." When the Times and AT&T could not repel the attack, a private security firm named Mandiant was hired.
The Times journalist behind the investigation was a principal target
The report says that a forensic analysis of the attack reveals that it was targeted at the journalist involved in the investigation of Mr. Wen. The Times suggests that the hackers may have been trying to uncover sources for its investigation; it says "experts found no evidence that the intruders used the [cracked] passwords to seek information that was not related to the reporting on the Wen family." The Times says that the attack on it, together with similar attacks against several other American news media companies and other organizations, suggests a "far-reaching spying campaign" intended to control China's public image.
The attackers installed 45 pieces of custom malware
The Times says the hackers may have used a spear-phishing attack to plant a back door on three machines, beginning on September 13th, when the report on Wen's family was "nearing completion." The hackers reportedly scouted the NYT's systems for weeks before cracking passwords and infiltrating dozens of other computers. The Times reports that the attackers installed 45 pieces of custom malware, and that Symantec (its antivirus software of choice) quarantined only one of them. That miss rate is the expected result of signature-based antivirus meeting malware built for a single target: a scanner that recognizes only files it has already seen has nothing to match against a fresh build.
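To show why 45 custom builds can slip past a signature scanner that catches one, here is an added Python example (not code from the Times, Mandiant, or Symantec). It constructs a harmless stand-in payload (a fake PE header plus an encoded PowerShell command line, not real malware), rebuilds it 45 times with one trailing byte changed to mimic per-target recompilation, and compares a hash blocklist seeded with a single known build against a YARA-style content rule that matches the tradecraft instead of the file. The payload bytes, the rule, and the 45-variant count are assumptions chosen to mirror the article's numbers, not data from the incident.

```python
import hashlib
import re

# Constructed stand-in for a custom dropper (not real malware): a fake PE
# header followed by an encoded PowerShell command line.
BASE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 4 + b"cmd.exe /c powershell -enc QUJDREVG"


def make_variants(base: bytes, count: int) -> list[bytes]:
    """Rebuild the same tool `count` times with a different trailing byte,
    mimicking per-target recompilation that changes every file hash."""
    return [base + bytes([i]) for i in range(count)]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist(known: list[bytes]) -> set[str]:
    """Hash blocklist seeded only with builds the vendor has already seen."""
    return {sha256(k) for k in known}


def hash_match(data: bytes, blocklist: set[str]) -> bool:
    """Signature-style check: the exact file hash must already be known."""
    return sha256(data) in blocklist


# Content rule in the spirit of a YARA rule (assumed pattern): flag an encoded
# PowerShell command embedded in a PE image, whichever build carries it.
PATTERN_RULE = re.compile(rb"powershell\s+-enc\s+[A-Za-z0-9+/=]{4,}")


def pattern_match(data: bytes) -> bool:
    return data.startswith(b"MZ") and PATTERN_RULE.search(data) is not None


def detection_counts(variants: list[bytes], blocklist: set[str]) -> tuple[int, int]:
    """Return (hash_hits, pattern_hits) across all variants."""
    hash_hits = sum(hash_match(v, blocklist) for v in variants)
    pattern_hits = sum(pattern_match(v) for v in variants)
    return hash_hits, pattern_hits


if __name__ == "__main__":
    variants = make_variants(BASE_PAYLOAD, 45)
    blocklist = hash_blocklist(variants[:1])  # the vendor saw exactly one build
    print(detection_counts(variants, blocklist))  # (1, 45)
```

The hash check catches exactly the one build it was seeded with and misses the other 44, while the content rule catches all 45 because it keys on behaviour the attacker has to keep. The same lesson applies to the real incident: a scanner that depends on having seen a sample before is the wrong control against tooling written for one victim.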
While the evidence that the Chinese military is behind the attack is not said to be conclusive, the Times notes that several signs point to a military intrusion. For instance, the attackers are said to have routed their activity through computers at universities in North Carolina, Arizona, Wisconsin, and New Mexico to cover their tracks, a tactic that Mandiant says closely matches other attacks traced to China. Because those university machines were chosen precisely to obscure the real origin, the source addresses themselves say little; the attribution rests on the match in tradecraft, not on where the traffic appeared to come from.
The Times says that for now it appears to be safe, but it anticipates that it will be targeted by more attacks in the future.