New York Times Attacked by Chinese Hackers – Every Password Stolen [VIDEO]
By David Gilbert | January 31, 2013 9:15 PM EST
For the last four months, Chinese hackers have been infiltrating the New York Times' internal network, stealing the passwords of reporters and other employees.
Late on Wednesday evening, the New York Times reported the security breach, saying the initial hack had occurred around the 13 September. Having discovered the attackers, the Times then secretly tracked the intruders' activities to study their movements and help implement better defences in the future.
"The Times and computer security experts have expelled the attackers and kept them from breaking back in," the report said. The password of every single Times employee was stolen according to the report with 53 personal computers compromised - most of them outside the newsroom.
The New York Times claims the attack coincided with a report published online on 25 October which said relatives of China's prime minister Wen Jiabao had accumulated a multi-billion dollar fortune through business dealings.
While passwords may have been compromised, the Times says there is no evidence that other information was stolen. "Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied," said Jill Abramson, executive editor of The Times
Having identified the breach, the Times brought in outside security experts Mandiant, who examined the methods used by the attackers. According to the security experts hired by the Times, the method of attack used has previously been associated with the Chinese military..
The hackers tried to put the security experts off the scent by routing the attacks through computers at universities in the United States, which is again a method known to be used by hackers based in China, according to Mandiant.
Further links to China were found in the malware used to gain control of the computers within the Times network, which was a variant of malware previously used in attacks originating in China.
The Times confronted China's Ministry of National Defence with the evidence of an attack coming from China, but a spokesperson rebuffed the allegation as "baseless."
"Chinese laws prohibit any action including hacking that damages Internet security. To accuse the Chinese military of launching cyber-attacks without solid proof is unprofessional and baseless."
The attack on the New York Times, and a previous attack on Bloomberg last June, are not isolated incidents however. Mandiant said that over the course of several investigations it found evidence that Chinese hackers had stolen emails, contacts and files from more than 30 journalists and executives at Western news organizations
"The intelligence-gathering campaign, foreign policy experts and computer security researchers say, is as much about trying to control China's public image, domestically and abroad, as it is about stealing trade secrets," the Times reported.
These attacks are only one part of the growing trend of cyber-espionage among nation-states who are deploying cyber-weapons, such as Flame, to collect huge amounts of sensitive data on other states. The US, Russia, Israel and Iran among others are all believed to be actively involved in cyber-espionage.
The US and Israel are believed to be behind the Stuxnet and Flame attacks on systems in Iran, while Iran itself is believed - by some - to be behind persistent attacks on US banks over recent months.
Mandiant have been unable to pinpoint the exact method of infiltration into the Time systems, but it is believed that a highly-targeted spear-phishing attack, targeting one Times employee. It only takes one employee to click on a link or download a document which is malicious for the hackers to infect the target's PC.
Michael Higgins, chief security officer at The Times, said: "Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your e-mail account and you're opening it and letting them in."
Although it first identified a breach in the system as far back as October, the Times said it allowed the hackers to "spin a digital web for four months" in order to identify every vulnerability in the system and prevent it from happening again.
While it was October when the breach was identified - following warnings from China - the initial breach occurred around 13 September, when the reporting for the Wen article was nearing completion.
The Times said it uses anti-virus software from Symantec, but of the 45 pieces of custom malware installed by the hackers, only one was flagged by the Symantec software. While Symantec wouldn't comment on the issue, this highlights the trouble anti-virus companies are facing when attempting to combat the wave of new malware being discovered on a daily basis.
Mandiant claims this is far from an isolated incident of Chinese hackers attacking western organisations, with the company currently monitoring around 20 groups of China spying on organisations in the US and around the globe.
The group which it believes carried out the attack on the New York Times, is also being tracked by US mobile network AT&T and the FBI, and is according to Mandiant, "very active" having broken into hundreds of other Western organisations, including several American military contractors.
To report problems or to leave feedback about this article, e-mail:
To contact the editor, e-mail:
Join the Conversation
Host 'subweb.ibtimes.com' is not allowed to connect to this MySQL serverSELECT latest_id FROM site_artdata WHERE type='ib_articles_day2ago' Host 'subweb.ibtimes.com' is not allowed to connect to this MySQL serverSELECT tid as num FROM biztimes_stats.stats_articles_au_pop WHERE maincat_id='6' AND outkey='Y' AND tid> ORDER BY hits DESC LIMIT 15Host 'subweb.ibtimes.com' is not allowed to connect to this MySQL serverSELECT article_id as num FROM ib_categories_index WHERE tid=6 ORDER BY article_id DESC LIMIT 5
Host 'subweb.ibtimes.com' is not allowed to connect to this MySQL serverSELECT latest_id FROM site_artdata WHERE type='ib_articles_day2ago' Host 'subweb.ibtimes.com' is not allowed to connect to this MySQL serverSELECT tid as num FROM biztimes_stats.stats_articles_au_pop WHERE (maincat_id='1' OR maincat_id='2' OR maincat_id='6' OR maincat_id='7' OR maincat_id='9' OR maincat_id='24') AND local_id='0' AND typology_id<'11' AND tid> AND outkey_all='Y' ORDER BY hits DESC LIMIT 17Host 'subweb.ibtimes.com' is not allowed to connect to this MySQL serverSELECT * FROM table_info WHERE table_name='ib_articles' LIMIT 1Host 'subweb.ibtimes.com' is not allowed to connect to this MySQL serverSELECT id as num FROM ib_articles ORDER BY id DESC LIMIT 5