h******y
发帖数: 1374 | 1 http://www.nytimes.com/2013/01/31/technology/chinese-hackers-in
Hackers in China Attacked The Times for Last 4 Months
By NICOLE PERLROTH
Published: January 30, 2013
SAN FRANCISCO — For the last four months, Chinese hackers have persistently
attacked The New York Times, infiltrating its computer systems and getting
passwords for its reporters and other employees.
Enlarge This Image
The New York Times published an article in October about the wealth of the
family of China's prime minister, Wen Jiabao, in both English and Chinese.
After surreptitiously tracking the intruders to study their movements and
help erect better defenses to block them, The Times and computer security
experts have expelled the attackers and kept them from breaking back in.
The timing of the attacks coincided with the reporting for a Times
investigation, published online on Oct. 25, that found that the relatives of
Wen Jiabao, China’s prime minister, had accumulated a fortune worth
several billion dollars through business dealings.
Security experts hired by The Times to detect and block the computer attacks
gathered digital evidence that Chinese hackers, using methods that some
consultants have associated with the Chinese military in the past, breached
The Times’s network. They broke into the e-mail accounts of its Shanghai
bureau chief, David Barboza, who wrote the reports on Mr. Wen’s relatives,
and Jim Yardley, The Times’s South Asia bureau chief in India, who
previously worked as bureau chief in Beijing.
“Computer security experts found no evidence that sensitive e-mails or
files from the reporting of our articles about the Wen family were accessed,
downloaded or copied,” said Jill Abramson, executive editor of The Times.
The hackers tried to cloak the source of the attacks on The Times by first
penetrating computers at United States universities and routing the attacks
through them, said computer security experts at Mandiant, the company hired
by The Times. This matches the subterfuge used in many other attacks that
Mandiant has tracked to China.
The attackers first installed malware — malicious software — that enabled
them to gain entry to any computer on The Times’s network. The malware was
identified by computer security experts as a specific strain associated with
computer attacks originating in China. More evidence of the source, experts
said, is that the attacks started from the same university computers used
by the Chinese military to attack United States military contractors in the
past.
Security experts found evidence that the hackers stole the corporate
passwords for every Times employee and used those to gain access to the
personal computers of 53 employees, most of them outside The Times’s
newsroom. Experts found no evidence that the intruders used the passwords to
seek information that was not related to the reporting on the Wen family.
No customer data was stolen from The Times, security experts said.
Asked about evidence that indicated the hacking originated in China, and
possibly with the military, China’s Ministry of National Defense said, “
Chinese laws prohibit any action including hacking that damages Internet
security.” It added that “to accuse the Chinese military of launching
cyberattacks without solid proof is unprofessional and baseless.”
The attacks appear to be part of a broader computer espionage campaign
against American news media companies that have reported on Chinese leaders
and corporations.
Last year, Bloomberg News was targeted by Chinese hackers, and some
employees’ computers were infected, according to a person with knowledge of
the company’s internal investigation, after Bloomberg published an article
on June 29 about the wealth accumulated by relatives of Xi Jinping, China’
s vice president at the time. Mr. Xi became general secretary of the
Communist Party in November and is expected to become president in March. Ty
Trippet, a spokesman for Bloomberg, confirmed that hackers had made
attempts but said that “no computer systems or computers were compromised.”
Signs of a Campaign
The mounting number of attacks that have been traced back to China suggest
that hackers there are behind a far-reaching spying campaign aimed at an
expanding set of targets including corporations, government agencies,
activist groups and media organizations inside the United States. The
intelligence-gathering campaign, foreign policy experts and computer
security researchers say, is as much about trying to control China’s public
image, domestically and abroad, as it is about stealing trade secrets.
Security experts said that beginning in 2008, Chinese hackers began
targeting Western journalists as part of an effort to identify and
intimidate their sources and contacts, and to anticipate stories that might
damage the reputations of Chinese leaders.
In a December intelligence report for clients, Mandiant said that over the
course of several investigations it found evidence that Chinese hackers had
stolen e-mails, contacts and files from more than 30 journalists and
executives at Western news organizations, and had maintained a “short list
” of journalists whose accounts they repeatedly attack.
While computer security experts say China is most active and persistent, it
is not alone in using computer attacks for a variety of national purposes,
including corporate espionage. The United States, Israel, Russia and Iran,
among others, are suspected of developing and deploying cyberweapons.
The United States and Israel have never publicly acknowledged it, but
evidence indicates they released a sophisticated computer virus in 2012 that
attacked and caused damage at Iran’s main nuclear enrichment plant. Iran
is believed to have responded with computer attacks on targets in the United
States, including American banks and foreign oil companies.
Russia is suspected of having used computer attacks during its war with
Georgia in 2008.
The following account of the attack on The Times — which is based on
interviews with Times executives, reporters and security experts — provides
a glimpse into one such spy campaign.
After The Times learned of warnings from Chinese government officials that
its investigation of the wealth of Mr. Wen’s relatives would “have
consequences,” executives on Oct. 24 asked AT&T, which monitors The Times’
s computer network, to watch for unusual activity.
On Oct. 25, the day the article was published online, AT&T informed The
Times that it had noticed behavior that was consistent with other attacks
believed to have been perpetrated by the Chinese military.
The Times notified and voluntarily briefed the Federal Bureau of
Investigation on the attacks and then — not initially recognizing the
extent of the infiltration of its computers — worked with AT&T to track the
attackers even as it tried to eliminate them from its systems.
But on Nov. 7, when it became clear that attackers were still inside its
systems despite efforts to expel them, The Times hired Mandiant, which
specializes in responding to security breaches. Since learning of the
attacks, The Times — first with AT&T and then with Mandiant — has
monitored attackers as they have moved around its systems.
Hacker teams regularly began work, for the most part, at 8 a.m. Beijing time
. Usually they continued for a standard work day, but sometimes the hacking
persisted until midnight. Occasionally, the attacks stopped for two-week
periods, Mandiant said, though the reason was not clear.
Investigators still do not know how hackers initially broke into The Times’
s systems. They suspect the hackers used a so-called spear-phishing attack,
in which they send e-mails to employees that contain malicious links or
attachments. All it takes is one click on the e-mail by an employee for
hackers to install “remote access tools” — or RATs. Those tools can
siphon off oceans of data — passwords, keystrokes, screen images, documents
and, in some cases, recordings from computers’ microphones and Web cameras
— and send the information back to the attackers’ Web servers.
Michael Higgins, chief security officer at The Times, said: “Attackers no
longer go after our firewall. They go after individuals. They send a
malicious piece of code to your e-mail account and you’re opening it and
letting them in.”
Lying in Wait
Once hackers get in, it can be hard to get them out. In the case of a 2011
breach at the United States Chamber of Commerce, for instance, the trade
group worked closely with the F.B.I. to seal its systems, according to
chamber employees. But months later, the chamber discovered that Internet-
connected devices — a thermostat in one of its corporate apartments and a
printer in its offices — were still communicating with computers in China. |
|
