New York Times computer network breached by Chinese hackers, paper says

The computers of 53 employees were accessed and several email accounts were compromised, the paper reported

Hackers from China breached the computer network of The New York Times and stole passwords that allowed them to gain access to computers and email accounts for a period of four months, the newspaper reported late Wednesday.

The initial intrusion happened sometime around Sept. 13 while the Times reporters were working on a story about the multibillion-dollar fortune accumulated by relatives of China's Prime Minister Wen Jiabao, the Times report said.

It's not clear how hackers originally gained access to the Times' network, but computer forensics experts from IT security firm Mandiant, which was contracted to investigate the incident, believe that the organization's employees might have been targeted via spear phishing -- an attack technique that involves sending specifically crafted email messages with malicious links or attachments.

The hackers' activity on the network increased after the story about the Chinese prime minister's relatives and their wealth was published in late October, the Times said. The newspaper was aware of warnings from Chinese officials that investigating Wen's relatives would have consequences, the Times said.

AT&T, which the Times had asked to monitor its network for suspicious activity, started seeing behavior on Oct. 25 consistent with cyberattacks believed to be associated with the Chinese military. After learning of this activity, the Times briefed the FBI and tried to eliminate the attackers from its systems.

However, on Nov. 7 it became clear that the hackers still had a foothold on some of the systems and the newspaper contracted Mandiant. This marked the beginning of a larger investigation that involved monitoring how the attackers moved around the network for several months in order to learn their habits and discover all backdoors they might have installed.

The Mandiant investigators established that the hackers had stolen the usernames and password hashes of all Times employees from the network's domain controller and used them to gain access to the computers of 53 employees.
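Credential theft from a domain controller followed by reuse of the stolen hashes is what a defender would expect to see as one account reaching many workstations in a short time. As an added example, not code from the article or from Mandiant's investigation, the following Python script flags that pattern over a small set of constructed logon events written in a simplified form of Windows Security event 4624. The log format, the 30-minute window and five-host threshold, and the assumption that the reused hashes produced NTLM network logons are all assumptions for illustration, not details reported about the Times incident.

```python
"""Flag accounts that fan out to many hosts over NTLM network logons in a short window.

Added example, not from the original article or from Mandiant. The log lines
below are constructed: a simplified pipe-separated rendering of Windows
Security event 4624 fields. In practice the events would come from a SIEM or
an exported EVTX file.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp|target_host|account|logon_type|auth_package|source_ip"
# Logon type 3 is a network logon; type 2 is interactive at the console.
SAMPLE_LOG = """\
2012-11-01T02:00:05|WS-FINANCE-01|svc-backup|3|NTLM|10.20.1.15
2012-11-01T02:01:12|WS-NEWS-07|svc-backup|3|NTLM|10.20.1.15
2012-11-01T02:02:40|WS-NEWS-12|svc-backup|3|NTLM|10.20.1.15
2012-11-01T02:04:01|WS-LEGAL-03|svc-backup|3|NTLM|10.20.1.15
2012-11-01T02:05:33|WS-HR-02|svc-backup|3|NTLM|10.20.1.15
2012-11-01T02:07:58|WS-NEWS-21|svc-backup|3|NTLM|10.20.1.15
2012-11-01T08:15:00|WS-NEWS-07|alice|2|Negotiate|-
2012-11-01T08:16:10|FS-SHARE-01|alice|3|Kerberos|10.20.4.8
2012-11-01T09:00:00|FS-SHARE-01|bob|3|NTLM|10.20.4.9
2012-11-01T09:30:00|PRINT-01|bob|3|NTLM|10.20.4.9
"""


def parse_event(line):
    """Split one constructed log line into a dict with a datetime timestamp."""
    ts, host, user, logon_type, auth, src = line.split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        "logon_type": int(logon_type),
        "auth": auth,
        "src": src,
    }


def parse_log(text):
    """Parse every non-blank line of the log text."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def find_fan_out(events, window=timedelta(minutes=30), threshold=5):
    """Return {(account, source_ip): sorted hosts} for pairs that reach at least
    `threshold` distinct hosts via NTLM network logons inside any `window`.

    Only logon type 3 with the NTLM package is counted (assumed to be how a
    stolen hash would be replayed); interactive and Kerberos logons are ignored.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3 and e["auth"].upper() == "NTLM":
            by_pair[(e["user"], e["src"])].append((e["ts"], e["host"]))

    flagged = defaultdict(set)
    for pair, logons in by_pair.items():
        logons.sort()
        start = 0
        # Sliding window over the time-ordered logons for this account/source pair.
        for end in range(len(logons)):
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {host for _, host in logons[start:end + 1]}
            if len(hosts) >= threshold:
                flagged[pair].update(hosts)
    return {pair: sorted(hosts) for pair, hosts in flagged.items()}


if __name__ == "__main__":
    for (user, src), hosts in find_fan_out(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user} from {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

On the constructed sample only `svc-backup` from `10.20.1.15` is flagged (six hosts in under ten minutes); `alice` and `bob` stay under the threshold. Thresholds are site-specific, and a real deployment would also whitelist accounts such as vulnerability scanners and backup agents that legitimately fan out.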

The hackers were also able to access the email accounts of David Barboza, the Times' Shanghai bureau chief who wrote the story about Wen Jiabao's relatives, and Jim Yardley, the Times' South Asia bureau chief in India.

The main target of the attackers appears to have been Barboza's email correspondence and documents related to the investigation he performed for that story, the Times report said. Marc Frons, the Times' chief information officer, said that the hackers could have wreaked havoc on the organization's systems, but they were not interested in doing that.

Mandiant's investigators believe the attackers are part of a known Chinese hacker group specialized in APT (advanced persistent threat) attacks that previously targeted other Western organizations and American military contractors. The group routed their attacks through compromised computers owned by universities in North Carolina, Arizona, Wisconsin and New Mexico, as well as computers owned by small U.S. companies and Internet service providers.

The attacks might be part of a larger campaign targeting journalists, the Times said, citing a December intelligence report from Mandiant that mentioned APT-style attacks against 30 journalists and executives at Western news outlets.

Mandiant did not immediately respond to a request for more information about the attacks.

According to the Times report, Mandiant investigators determined that hackers used 45 pieces of custom malware in the attacks against the New York Times over three months, but only one of them was detected by the antivirus products from Symantec used by the newspaper on its systems.

Advanced attacks like the one described in the New York Times article "underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions," Symantec said Thursday in a statement sent via email.

"The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks," the company said. "Turning on only the signature-based anti-virus components of endpoint solutions alone is not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough."

News of this attack comes on the heels of a recent debate among security and antivirus experts regarding the effectiveness of desktop antivirus products at detecting new threats that are not widely distributed, like the type of malware used in APT attacks. The discussion was prompted by a study released by security firm Imperva in December, which concluded that newly created threats have an initial antivirus detection rate of under 5 percent.

Even though the methodology used in the study was heavily criticized as being flawed and inaccurate, some experts strongly believe that desktop antivirus products are incapable of detecting the custom malware used today in targeted attacks against organizations.

"From my own experience, within corporate/enterprise networks, desktop antivirus detection typically hovers at 1-2% for the threats that make it through the various network defenses," Gunter Ollmann, the chief technology officer at security consultancy firm IOActive said earlier this month in a blog post. "For newly minted malware that is designed to target corporate victims, the rate is pretty much 0% and can remain that way for hundreds of days after the malware has been released into the wild."

Stories by Lucian Constantin