NYT: China hacked us for four months

posted at 8:31 am on January 31, 2013 by Ed Morrissey

Hackers in China spent four months sneaking up on its cybertarget, exploiting American universities to mask their approach, all to penetrate … the New York Times?  That’s what the Gray Lady reports today, although claiming that nothing of importance was stolen.  The hunters became the prey soon enough, Nicole Perlroth writes:

For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees.

After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and computer security experts have expelled the attackers and kept them from breaking back in.

The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.

According to the article, the hackers installed malware that eventually found its way onto every computer on the NYT network.  They collected all of the passwords in order to access files stored outside of the network servers.  The hackers spent four months rifling through the Paper of Record’s records.  And the only thing that interested them was the sources for their reporting on Wen?

That sounds a little odd, although it’s plausible.  Authoritarian regimes tend to overreact to criticism and do strange things; certainly, Joseph Stalin and Saddam Hussein exemplified the extreme end of that behavior, and they’re hardly alone in it.  But this had to have taken a lot of resources and risked exposing cyberwarfare strategies that China might have preferred to keep under wraps for somewhat more lucrative targets.

According to the Times, they didn’t even bother going after financial records of customers or staff:

Security experts found evidence that the hackers stole the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees, most of them outside The Times’s newsroom. Experts found no evidence that the intruders used the passwords to seek information that was not related to the reporting on the Wen family.

No customer data was stolen from The Times, security experts said.

For its part, China calls the accusation “unprofessional and baseless.”  If this report is true, it sounds as though China conducted a rather unprofessional bit of cyberwarfare for baseless value.


Comments

So that’s where Tom Friedman’s op-eds are coming from.

rhombus on January 31, 2013 at 8:32 AM

Thomas Friedman hardest hit.

Bitter Clinger on January 31, 2013 at 8:33 AM

Finally!
A logical explanation for why the NYT reads more like Pravda in the 1960s!

VelvetElvis on January 31, 2013 at 8:36 AM

Don’t worry, DOD and State will stop it right after coffee.

Limerick on January 31, 2013 at 8:36 AM

The Chinese are big fans of leftist agitprop. Perhaps they’re looking for pointers on how to improve their technique.

Philly on January 31, 2013 at 8:38 AM

What’s the point of being in the top communist elite if you can’t rip the country off?

OldEnglish on January 31, 2013 at 8:39 AM

The Chinese hackers finally left when they realized the NYT was more communist than they are.

Bishop on January 31, 2013 at 8:41 AM

Even the Chinese got tired of the NYT’s left-wing tripe.

ddrintn on January 31, 2013 at 8:42 AM

Just a dress rehearsal to a much bigger show…

Gatsu on January 31, 2013 at 8:42 AM

According to the Times, they didn’t even bother going after financial records of customers or staff:

Too much red there.

ddrintn on January 31, 2013 at 8:43 AM

Did they use the Menendez method? ;-) Hmm….. nah, NYT ain’t exactly underage.

tommy71 on January 31, 2013 at 8:43 AM

For its part, China calls the accusation “unprofessional and baseless.”

Well, that is an accurate description of the Times.

ddrintn on January 31, 2013 at 8:44 AM

I have a linux bastion server at home, and, for several years, the Chinese (or someone/someones using IP blocks from China) have been persistently trying to guess my ssh logins and access my squid cache server.

Whenever I pinged them, they’d stop.

About a week ago, they stopped using China based IP addresses and instead began using a machine they’ve taken over on the same local subnet (from my ISP’s side) that my server is on to do the same things they’ve been doing directly — as a bent pipe.

So now, on the WAN side of my bastion, I was seeing 192.168.x.x addresses show up.

I have no idea why my server fascinates them so, but it does.

unclesmrgol on January 31, 2013 at 8:45 AM

For its part, China calls the accusation “unprofessional and baseless.”

China or NYT? I’m not sure who to believe on this one.

forest on January 31, 2013 at 8:47 AM

What’s their plan? The Chinese don’t take a dump without a plan, son. /Admiral Painter

JohnTant on January 31, 2013 at 8:48 AM

After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and computer security experts have expelled the attackers and kept them from breaking back in.

LOL. Yeah, that’s what they did.

Dusty on January 31, 2013 at 8:48 AM

That’s nothing – the Soviet Union owned them between the 1930s and the Soviet Union’s fall.

Steve Eggleston on January 31, 2013 at 8:49 AM

LOL. Yeah, that’s what they did.

Dusty on January 31, 2013 at 8:48 AM

I’m betting they don’t know how to describe to their readers a honeypot farm.

unclesmrgol on January 31, 2013 at 8:52 AM

NYT: China hacked us for four months

There are a whole lot of typing errors in the title. “Us” should be capitalized because it’s an abbreviated country name, “months” should read as “years”, and the the first two letters in the word “hacked” are also wrong.

Archivarix on January 31, 2013 at 8:54 AM

That’s nothing – the Soviet Union owned them between the 1930s and the Soviet Union’s fall.

Steve Eggleston on January 31, 2013 at 8:49 AM

The Soviet Union never fell. They just went legit. Now they’re in Congress and the White House.

Cleombrotus on January 31, 2013 at 8:55 AM

Maybe they weren’t hacking to get information OUT but to get information IN.

TimBuk3 on January 31, 2013 at 8:57 AM

NYT: China hacked us for four months

Progressives have hacked this paper “of record” for decades.

The only people that care at this point about this rag are the Starbucks crowd and the Ruling Classers in the Devils triangle of NYC/DC and the Hamptons.

PappyD61 on January 31, 2013 at 9:00 AM

The Soviet Union never fell. They just went legit. Now they’re in Congress and the White House.

Cleombrotus on January 31, 2013 at 8:55 AM

Those are Trotskyites in the WH/Congress. Besides, the Soviets underwent an 8-year reorganization plan and emerged with Mad Vladimir Putin at the helm and without the Baltic states.

Steve Eggleston on January 31, 2013 at 9:03 AM

@unclesmrgol on January 31, 2013 at 8:45 AM

You may want to look at things a little closer.
You said WAN side, and then referenced IP address 192.168.x.x
That is a private block of IPs, and therefore is not routable over the internet…..so if you are seeing that IP address pop up, then it is most likely internal to your network.
None of these blocks of IPs are routable over the internet.
10.x.x.x -> Class A private
172.16.x.x -> Class B Private
192.168.x.x -> Class C private.

I am a network admin for a small company; we see a bunch of IPs from China.

I just block them at our router.

MityMaxx on January 31, 2013 at 9:04 AM

Payback for all the good press the NY Times (and Walter Duranty) gave Uncle Joe Stalin.

Anyone else enjoying the 4 browser crashes and 25 minutes it’s taking me to sign on to HotAir?

The usual suspects are crashing the browser usually by creating a bottomless memory hole: choices.truste, w55c, voice.five and googleads.

viking01 on January 31, 2013 at 9:10 AM

To “borrow” Resist We Much’s bit…

M2RB – Pink Floyd, “Brain Damage/Eclipse”

The lunatic is in the hall.
The lunatics are in my hall.
The paper holds their folded faces to the floor,
And every day the paper boy brings more.

Steve Eggleston on January 31, 2013 at 9:12 AM

As good world citizens, I’m sure Times managers realize that all the NYT records belong to all, as led by the party, and erecting barriers to entry is a counter-revolutionary act. Next thing to happen will be fines against the NYT from the Justice Department, followed by self-criticism and, eventually, banishment to farm cadres for re-education.

MTF on January 31, 2013 at 9:12 AM

Hmm… I’m thinking that they’re fishing for the NYT’s ‘sources’.

(Considering how often the Times’ gets secret/confidential info slipped to them… discovering who the ‘leakers’ are is first-rate blackmail material.)

CPT. Charles on January 31, 2013 at 9:17 AM

nothing of importance was stolen.

Just damn.

I was breathlessly waiting for “The Frank Rich Papers.”

Del Dolemonte on January 31, 2013 at 9:29 AM

it sounds as though China conducted a rather unprofessional bit of cyberwarfare for baseless value

…aw come on NYT’s!…help a brother out!

KOOLAID2 on January 31, 2013 at 9:31 AM

Now all of those crazy Krugman articles make a bit more sense.

emz35 on January 31, 2013 at 9:32 AM

Hacked in, saw everything was fine, and left.

Irritable Pundit on January 31, 2013 at 9:37 AM

That’s what the Gray Lady reports today, although claiming that nothing of importance was stolen.

That’s because the NY Times has nothing of importance anymore. William Safire & Russell Baker are dead.

rbj on January 31, 2013 at 10:05 AM

I thought they sounded slightly less Communist than usual for a while there…

Gingotts on January 31, 2013 at 10:07 AM

[unclesmrgol on January 31, 2013 at 8:52 AM]

Probably not. I’m a long shot from this field but I recognize those who are by what they say and write, and the one who wrote this wouldn’t be able to:

After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and computer security experts have expelled the attackers and kept them from breaking back in.

Dusty on January 31, 2013 at 10:08 AM

Where’s the love for the dictatorial regime NYT? Come on. Don’t be such a baby. Get Friedman to write an article on how America should be more like the Chinese.

Charm on January 31, 2013 at 10:11 AM

I thought they sounded slightly less Communist than usual for a while there…

[Gingotts on January 31, 2013 at 10:07 AM]

Their Arts and Style sections were more interesting, too.

Dusty on January 31, 2013 at 10:12 AM

My first reaction to the NYT’s story is that the Wen excuse is a cover. Their real intent is to alert all of their reporters’ confidential sources that they may have been compromised.

The NYT developed a pretty good (as in despicable, near traitorous from our perspective) network of government sources during the Bush years; remember all the classified tidbits and operations that were blown? Picture this scenario:

The scene opens on a Washington DC Starbucks where a mid-level State Department bureaucrat, female, married with two kids, is having a vanilla latte when she’s approached by an Asian American who blends in with all the other customers. He’s actually an “illegal” with the PRC’s Ministry of State Security. In perfect unaccented English he says to her, “We know you’ve talked to the New York Times. How about talking to us, or would your husband and children prefer we talk to your boss?”

From an operational concept, hacking a left-wing, generally anti-American domestic newspaper is a wonderful way of finding intelligence sources to exploit.

allanbourdius on January 31, 2013 at 10:14 AM

Authoritarian regimes tend to overreact to criticism and do strange things …

NYT, criticizing an authoritarian regime? Really? When?

That’s weapon grade funny right there.

/OK, they did go after Bush pretty hard, but other than that ….

AZfederalist on January 31, 2013 at 10:24 AM

From an operational concept, hacking a left-wing, generally anti-American domestic newspaper is a wonderful way of finding intelligence sources to exploit.

allanbourdius on January 31, 2013 at 10:14 AM

I think you have nailed it. That would be a treasure trove of compromised sources that would be easy to exploit. After all, they betrayed their confidence to one group of marxists, getting them to betray more, for money, to a different group of marxists would be an easy next step, especially when leverage through blackmail is applied.

/let’s face it, that’s about the only thing of value that NYT has, it certainly has no trade secrets for producing a popular, widely read, non-partisan newspaper.

AZfederalist on January 31, 2013 at 10:28 AM

It took them four months to figure out because it took four months for the Chi-Comms to find an editorial decision they didn’t agree with.

phreshone on January 31, 2013 at 10:34 AM

My question is, why did the Chinese even need to?

Chuckles3 on January 31, 2013 at 11:22 AM

I just block them at our router.

MityMaxx on January 31, 2013 at 9:04 AM

I spoke correctly. Remember, the ISP itself has placed my computer on a subnet. The 192.168.x.x addresses are coming from my WAN side adapter. That implies another computer on the ISP’s subnet has been compromised. It’s the same MAC address every time, and that address matches nothing I know about. I’m not stupid — I am NOT running both WAN and LAN out the same adapter.

My bastion server IS my router. The outward facing NIC has absolutely NO Chinese produced parts in it — it’s an old “Made in USA” 100Mb/S card, so I know they will find it very difficult to activate any hidden microcode. Given that my throughput maxes out at 24Mb/s, I think I have a few years before I have to think about replacing the card.

I have IPTABLES blocking all of the private class addresses and logging them to prevent injection. That’s how I know the attack patterns. Also, squid is only accessible from 127.x.x.x addresses and firewalled off by IPTABLES (with logging) from my outbound adapter so they certainly are NOT going to get to its port unless they penetrate the box. Finally, ssh is rate-limited (again by IPTABLES) so they are allowed three logged tries per hour — good luck finding out any password of interest. Of course, they are trying “root” with each attempt, but my ssh is configured to not allow root logins. The Russians used to try random passwords and random userids from a dictionary, but they haven’t tried this stuff in years — I guess they found that Windows boxes were far more hospitable…

Oh, and the IPTABLES default policy is DROP — so I’m sure that’s annoying them by increasing their use of socket descriptor resources on each asset they deploy.

And if they should get past all of that, I’ve got a containerized SELINUX security policy waiting for them, and a set of IPTABLES rules on the INSIDE adapters (including the 127 address group) designed to keep my kids from doing things with their gaming boxes that I don’t know about.

These are the interesting documents for those of you who want to duplicate this kind of behavior. Sadly, the only version of the NSA document is for RHEL5:

http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security-Enhanced_Linux/Red_Hat_Enterprise_Linux-6-Security-Enhanced_Linux-en-US.pdf

It’s interesting to know that others are seeing this same behavior from the Chinese. They must have petabytes of silo to be hacking this widely.

unclesmrgol on January 31, 2013 at 11:25 AM
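The host-firewall layout discussed in this thread (private address blocks that should never show up as a source on the WAN adapter, squid reachable only from loopback, ssh limited to three logged tries per hour, and a default DROP policy) is modelled below as an added Python example. It is not code from any commenter or from Hot Air, and it is a decision model rather than an iptables ruleset. It uses the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16; the squid port 3128, the interface names and the traffic sample with its timestamps are constructed assumptions.

```python
"""Decision model for the host-firewall policy discussed in the thread.

Constructed example: it mirrors the described rules in plain Python so the
behaviour can be exercised offline; it is not an iptables ruleset.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 private address blocks. Packets carrying one of these as a source
# address should never arrive on an Internet-facing adapter.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

SSH_PORT = 22
SQUID_PORT = 3128   # assumption: squid's default listening port
SSH_LIMIT = 3       # logged ssh tries allowed per source per window
WINDOW = 3600       # seconds ("three tries per hour")


def is_private(ip):
    """True if ip falls inside any RFC 1918 block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


class HostFirewall:
    """Evaluates inbound packets per interface; the default policy is DROP."""

    def __init__(self):
        self.ssh_seen = defaultdict(list)   # src -> accepted ssh timestamps
        self.log = []                       # what the LOG targets would emit

    def decide(self, iface, src, dport, ts):
        """Return 'ACCEPT' or 'DROP' for one packet (interface, source, port, time)."""
        # 1. Private source on the WAN side: log it and drop it (spoofed or misrouted).
        if iface == "wan" and is_private(src):
            self.log.append(f"{ts} DROP private-src {src} on {iface} dport={dport}")
            return "DROP"
        # 2. Proxy port only from loopback; anything else is dropped.
        if dport == SQUID_PORT:
            if ipaddress.ip_address(src) in LOOPBACK:
                return "ACCEPT"
            self.log.append(f"{ts} DROP squid from {src} on {iface}")
            return "DROP"
        # 3. ssh: at most SSH_LIMIT new connections per source within WINDOW.
        if dport == SSH_PORT:
            recent = [t for t in self.ssh_seen[src] if ts - t < WINDOW]
            if len(recent) >= SSH_LIMIT:
                self.ssh_seen[src] = recent
                self.log.append(f"{ts} DROP ssh-ratelimit {src}")
                return "DROP"
            recent.append(ts)
            self.ssh_seen[src] = recent
            self.log.append(f"{ts} ACCEPT ssh {src} try {len(recent)}/{SSH_LIMIT}")
            return "ACCEPT"
        # 4. Default policy DROP: no RST is sent, so the peer keeps its socket open.
        self.log.append(f"{ts} DROP default {src} dport={dport}")
        return "DROP"


# Constructed traffic sample: (timestamp, interface, source, destination port).
SAMPLE = [
    (0,    "wan", "192.168.1.77", 22),   # private source on WAN: dropped and logged
    (10,   "wan", "203.0.113.5", 3128),  # proxy port from the Internet: dropped
    (20,   "wan", "203.0.113.5", 22),    # ssh try 1 reaches sshd (credentials still checked)
    (30,   "wan", "203.0.113.5", 22),    # try 2
    (40,   "wan", "203.0.113.5", 22),    # try 3
    (50,   "wan", "203.0.113.5", 22),    # try 4 within the hour: dropped
    (60,   "wan", "203.0.113.5", 8080),  # unsolicited port: default DROP
    (3700, "wan", "203.0.113.5", 22),    # the window has rolled over: accepted again
    (3710, "lo",  "127.0.0.1", 3128),    # loopback reaching squid: accepted
]


def run(sample=SAMPLE):
    """Apply the policy to a packet list; returns (decisions, firewall)."""
    fw = HostFirewall()
    return [fw.decide(iface, src, dport, ts) for ts, iface, src, dport in sample], fw


if __name__ == "__main__":
    decisions, fw = run()
    for line in fw.log:
        print(line)
```

In a real ruleset the same decisions come from iptables itself (a LOG rule followed by a DROP rule for each private source range on the outside interface, the connection-rate limit on port 22, and a chain policy of DROP); the model only reproduces the outcome so the rule order and the rate-limit window can be checked against sample traffic before touching a live box.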

Probably not. I’m a long shot from this field but I recognize those who are by what they say and write, and the one who wrote this wouldn’t be able to:

Dusty on January 31, 2013 at 10:08 AM

Not knowing the particulars, you may be right. But if I were the NYT administrators, and I detected an intrusion which had succeeded on one computer, I’d have the pros imbed that computer into a virtual honeypot farm with all sorts of “goodies” to induce further intrusion attempts and to determine what other weapons the assailants might have in their quivers.

I don’t think the NYT is stupid — they certainly would not let the Chinese run rampant over their network while they watched. I know that’s what they claimed they did, but I think they are shading the truth quite a bit to hide their technical resources.

Of course, if I were a Chinese source, I’d believe as you do — take the NYT at face value — and never talk directly to them. But I’m also willing to bet that the NYT interviewed few Chinese; rather, they used internet information they gleaned from inside the great firewall to write their articles. The Chinese may have been looking for internal IPs so they can improve the great firewall and censor their ISPs more carefully.

Who knows? Only they do.

unclesmrgol on January 31, 2013 at 11:36 AM

I am not sure who to laugh at more…the NYT for being hacked, or the Chinese for hacking them. All the Chinese needed to do was ask? LOL!

The Chinese were probably trying to find out who leaked the info, or they just wanted to make sure Tom Friedman was keeping up his propaganda efforts.

William Eaton on January 31, 2013 at 12:03 PM

nothing of importance was stolen

We could have saved them the time and told them this right away.

kim roy on January 31, 2013 at 12:22 PM

The Times can now blame the Chinese for being a cheerleader for the Democrats in Washington. “We aren’t hypocrites, the Chinese changed our stories before they went to print.”

djaymick on January 31, 2013 at 12:28 PM

Funny how these commies don’t really like each other. Or maybe it is just that Chinese communists don’t like traitors of any stripe. Even enemy traitors.

woodNfish on January 31, 2013 at 12:53 PM

@unclesmrgol on January 31, 2013 at 11:25 AM

So you’re not directly connected to the internet?
Gotcha.
I use Cox for my home ISP, and they put you on the internet directly….

Man, years ago I used to get into Linux and play with IPTables (or was it IPChains?, can’t remember)….
had a blast….
Ran Linux (Redhat dist. I believe) on an old 386.
Ran great and no problems.

Unfortunately now with kids, wife, and other things, I don’t have time to spend with Linux.

MityMaxx on January 31, 2013 at 1:13 PM

unclesmrgol on January 31, 2013 at 11:25 AM

Heh :D

AsianGirlInTights on January 31, 2013 at 1:40 PM

Oh, so, it’s the Chinese that have been writing Krugman’s columns. I thought it was a bunch of monkeys stuck in a room with typewriters or computers.

talkingpoints on January 31, 2013 at 4:58 PM

The Times can now blame the Chinese for being a cheerleader for the Democrats in Washington. “We aren’t hypocrites, the Chinese changed our stories before they went to print.”

djaymick on January 31, 2013 at 12:28 PM

If you hold your breath until the Slimes prints a corrected edition with the “real” stories, you’re gonna suffocate.

VelvetElvis on February 1, 2013 at 7:38 AM