Sophos Cloud Optix
The New York Times has reported that for the last four months Chinese hackers have been infiltrating its networks, broken into the email accounts of senior staff, stolen the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees.
According to the report, the first attack came in mid-September 2012 as the newspaper prepared to publish an investigation into the family of Chinese prime minister Wen Jiabao, who are said to have accumulated billions of dollars through business dealings.
Malware was planted on users’ computers which opened backdoors for the hackers to gain remote access to connected systems – including a domain controller that contained usernames and hashed passwords for all of the New York Times’ employees.
The hackers were said to have broken into the email accounts of Shanghai bureau chief David Barboza – the reporter who had written the reports of Wen’s relatives – and Jim Yardley, who previously worked as the paper’s bureau chief in Beijing.
However, Jill Abramson, executive editor of the New York Times, was quoted as saying that experts had found “no evidence that sensitive emails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied”.
Of course, no evidence doesn’t mean that such information definitely wasn’t taken. After all, the hackers might have been able to cover their tracks if stealing such sensitive information.
You can understand why people who might have provided information for the investigation into Wen Jiabao’s family would want to be reassured that their identities had not been revealed to whoever was behind the hack. However, the newspaper is adamant that David Barboza’s research into the family’s business interests was based on public records.
In all, 45 custom-written malware samples are said to have been found on the network.
Security experts brought in by the newspaper have pointed the finger of blame at China. And, in all likelihood, they’re right.
However, it must be remembered that it is extremely difficult to prove who is behind an internet attack like this. That’s because it’s so easy to use compromised computers around the world to route attacks through – disguising the true origin.
Of course, even if China is identified as the starting point of an attack – it doesn’t necessarily prove that it the operation is backed by the Chinese government or intelligence services. It could just as easily be a patriotic group of skilled, independent Chinese hackers upset with how the Western media is portraying their country’s rulers.
But let’s not be too naive… In all probability, the New York Times’s conclusion is correct, and this attack was sanctioned by the powers that be in Beijing.
Further reading: A short history of hacking attacks against the media.
Careful what you say about the Chinese Gov't. You could be the next one they hack
This isnt the first one………………..or the last!
As if the U.S. isn't knee-deep in every computer system in America, spying on every email and text message sent. Oh right, that's for your own good. I forgot.
My guess is that the Chinese are too smart to leave tracks like this, at least the ones who hack for the government. Perhaps the tracks were left by someone else, hoping to incriminate China. Seems it worked.
I thought the only point of hacking into the New York Times was to see if you could change the headlines to something hilarious.
Tiptoeing around the issue of attribution makes me sick. I'm so happy that Graham wrote that last paragraph in his post.
The fingerprints of the Chinese hacking groups ("Comment" group and others) has been so well tracked and so well documented now that it should no longer be necessary to painstakingly point out that proof of attribution is virtually impossible to prove.
Yes, any single individual case is impossible to prove but isn't it high time to stand up and point a finger, saying,
"Look at the pattern of activity over the last few years and try explaining all that away!"
China is hacking US companies like crazy. The US is most likely reciprocating (when it takes time away from malware attacks against the Middle East). Any "comment" to the contrary is simply — as Graham puts it — naive.
45 DIFFERENT custom written malware executables? This was a military style assault on the electronic infrastructure of the Times. This wasn't a couple of script kiddies messing around somewhere where they shouldn't be. This was an all out attack by skilled cyber soldiers.
To say the malware samples are "custom-written" is too vague. Are they just some malware variants? Malware variants are all different, and with different MD5 signatures, but are they really qualified as "custom-written?' Their differences might just be the number of (for example) "NOP" statements inserted to fool those antivirus software. I think the antivirus software's inability to detect new malware should be well known by now. Just kidding:)
And according to Symantec's Internet Security Threat Report, vol. 17, "403 million new variants of malware were created in 2011," so 45 different malware samples really are no big deal, right?
If the 45 malware samples exploit dozens of zero-day vulnerabilities, now that's impressive. But that's not going to happen. Even the Stuxnet malware (said to be developed by two technology advanced countries) contained only 4 zero-day attacks. If the malware sample found in NY Times had any zero-day attack, they would have made a fuss over it.