Since an October 25th story exposing the lucrative business dealings of the family of Chinese Prime Minister Wen Jiabao, the New York Times has been battling constant attacks from hackers based in China. The Times has been fending off the attacks for four months with the help of security experts, who say the methods used by the attackers are similar to those used by the Chinese military in the past. The attackers targeted the South Asia bureau chief along with the Shanghai bureau chief, David Barboza, who wrote the report about Wen's family. “Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,” said executive editor Jill Abramson.
After The Times learned of warnings from Chinese government officials that its investigation of the wealth of Mr. Wen’s relatives would “have consequences,” executives on Oct. 24 asked AT&T, which monitors The Times’s computer network, to watch for unusual activity.
On Oct. 25, the day the article was published online, AT&T informed The Times that it had noticed behavior that was consistent with other attacks believed to have been perpetrated by the Chinese military.
The Times notified and voluntarily briefed the Federal Bureau of Investigation on the attacks and then — not initially recognizing the extent of the infiltration of its computers — worked with AT&T to track the attackers even as it tried to eliminate them from its systems.
But on Nov. 7, when it became clear that attackers were still inside its systems despite efforts to expel them, The Times hired Mandiant, which specializes in responding to security breaches. Since learning of the attacks, The Times — first with AT&T and then with Mandiant — has monitored attackers as they have moved around its systems.
The hacker teams for the most part began work at 8 a.m. Beijing time. Usually they continued for a standard work day, but sometimes the hacking persisted until midnight. Occasionally, the attacks stopped for two-week periods, Mandiant said, though the reason was not clear.
Investigators still do not know how hackers initially broke into The Times’s systems. They suspect the hackers used a so-called spear-phishing attack, in which they send e-mails to employees that contain malicious links or attachments. All it takes is one click on the e-mail by an employee for hackers to install “remote access tools” — or RATs. Those tools can siphon off oceans of data — passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras — and send the information back to the attackers’ Web servers.
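Two of the observations above are things a defender can actually measure in network logs: an implanted RAT calls home to its operators on a fixed timer, and the people driving it showed up on a Beijing working day. The script below is an added example (not code from The Times, AT&T or Mandiant) that applies both heuristics to a constructed outbound-session log. Every host name, address and timestamp in it is made up; the 08:00–18:00 Beijing window and the thresholds for "regular" and "mostly working hours" are assumptions chosen for illustration.

```python
"""Time-of-day and beacon-regularity profiling of outbound sessions.

Added example for this page; not code from The Times, AT&T or Mandiant.
Heuristic 1: a RAT polling its command server on a timer produces nearly
constant gaps between sessions (low coefficient of variation).
Heuristic 2: operator-driven activity clusters in the operators' working
hours; here we test against a Beijing (UTC+8) work day.
All hosts, addresses and timestamps below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

BEIJING = timezone(timedelta(hours=8))  # China Standard Time; no DST

# Constructed sample log (not real data): "<UTC timestamp> <src> <dst> <bytes_out>"
SAMPLE_LOG = """\
# 203.0.113.44: steady 30-minute call-home, 08:00-11:30 Beijing time
2012-11-05T00:00:00Z ws-017 203.0.113.44 2048
2012-11-05T00:30:00Z ws-017 203.0.113.44 2112
2012-11-05T01:00:00Z ws-017 203.0.113.44 1980
2012-11-05T01:30:00Z ws-017 203.0.113.44 2048
2012-11-05T02:00:00Z ws-017 203.0.113.44 2201
2012-11-05T02:30:00Z ws-017 203.0.113.44 2048
2012-11-05T03:00:00Z ws-017 203.0.113.44 2095
2012-11-05T03:30:00Z ws-017 203.0.113.44 2048
# 198.51.100.7: irregular, human-looking browsing during the Beijing day
2012-11-05T02:10:00Z ws-017 198.51.100.7 51200
2012-11-05T06:45:00Z ws-017 198.51.100.7 8700
2012-11-05T07:05:00Z ws-017 198.51.100.7 12300
# 192.0.2.10: regular 7-hour software update check, mostly outside the Beijing day
2012-11-05T13:00:00Z ws-017 192.0.2.10 640
2012-11-05T20:00:00Z ws-017 192.0.2.10 640
2012-11-06T03:00:00Z ws-017 192.0.2.10 640
"""


def parse_log(text):
    """Parse the constructed log format into sorted (utc_time, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, src, dst, int(nbytes)))
    return sorted(events)


def group_by_dst(events):
    """Bucket events by destination address."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[2]].append(ev)
    return dict(groups)


def hour_histogram(events, tz=BEIJING):
    """Count events per local hour in tz; an operator's work day shows up as a block."""
    return Counter(ev[0].astimezone(tz).hour for ev in events)


def workday_fraction(events, tz=BEIJING, start=8, end=18):
    """Fraction of events whose local hour in tz lies in [start, end)."""
    if not events:
        return 0.0
    inside = sum(1 for ev in events if start <= ev[0].astimezone(tz).hour < end)
    return inside / len(events)


def beacon_regularity(events):
    """(mean gap in seconds, coefficient of variation) between consecutive events.

    A timer-driven beacon gives a CV near zero; human-driven traffic gives a
    large one. Returns None when there are fewer than two gaps to compare.
    """
    times = sorted(ev[0] for ev in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))


def suspicious_destinations(events, max_cv=0.2, min_workday=0.8):
    """Destinations that both beacon on a timer AND are contacted mainly in a Beijing work day.

    Either signal alone is weak: update checks also run on timers, and plenty
    of legitimate traffic happens during any given 10-hour window.
    """
    flagged = []
    for dst, evs in group_by_dst(events).items():
        reg = beacon_regularity(evs)
        if reg is None:
            continue
        _, cv = reg
        if cv <= max_cv and workday_fraction(evs) >= min_workday:
            flagged.append(dst)
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for dst, grp in group_by_dst(evs).items():
        print(dst, beacon_regularity(grp), round(workday_fraction(grp), 2),
              dict(sorted(hour_histogram(grp).items())))
    print("flagged:", suspicious_destinations(evs))
```

On the constructed data only 203.0.113.44 is flagged: it beacons every 1800 s with zero variance and every session lands in the Beijing working day. The update server at 192.0.2.10 is just as regular but two thirds of its sessions fall outside that window, and 198.51.100.7 is in the window but irregular. On real logs the thresholds need tuning per environment, and a clever implant can jitter its timer, so treat this as a triage filter rather than proof.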
Michael Higgins, chief security officer at The Times, said: “Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your e-mail account and you’re opening it and letting them in.”
Although China has denied the attacks, security experts say that "by routing attacks through servers in other countries and outsourcing attacks to skilled hackers, the Chinese military maintains plausible deniability."
“If you look at each attack in isolation, you can’t say, ‘This is the Chinese military,’ ” said Richard Bejtlich, Mandiant’s chief security officer.
When hackers use similar techniques and patterns, it's a sign that they're either the same hackers or affiliated, according to Bejtlich.
“When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction,” he said.