New York Times Computer System Target of Lengthy Chinese Hacking Attack

January 31, 2013 at 12:00 AM EDT
The New York Times fell victim to a four-month cyber attack by Chinese hackers who cracked passwords to more than 50 email accounts, including those of top reporters. Ray Suarez talks with Times reporter Nicole Perlroth and Grady Summers, vice president of the cyber security company hired to investigate the attacks.

JEFFREY BROWN: And finally tonight: the hacking of The New York Times, allegedly by the Chinese.

Ray Suarez has our look.

RAY SUAREZ: The Times revealed late yesterday that its computer system had been the subject of an extensive four-month-long hacking attack.

Editors said hired security experts concluded Chinese hackers cracked the passwords of more than 50 e-mail accounts, including those of top reporters. The Times reported the attacks coincided with an investigation the paper did that found relatives of Wen Jiabao, China’s prime minister, had accumulated billions of dollars through their business dealings.

For more on all this, I am joined by New York Times reporter Nicole Perlroth, who reported the story in today’s paper, and Grady Summers, vice president of Mandiant, the cyber-security company hired by The Times to investigate the breach.

Nicole Perlroth, let’s start with you.

How did the paper realize that it was under attack, and could it immediately move to defend itself?

NICOLE PERLROTH, The New York Times: We were actually — this was a proactive effort by The New York Times. We knew that this story was coming out. We knew that there had been warnings that publication of the investigation into Wen Jiabao’s relatives would — quote, unquote — “have consequences.”

So our security team notified AT&T, which monitors our network full-time, to look out for unusual activity. And we notified them a day before the story published. And the day the story went online, AT&T got back to us and said that they had noticed that at least three of our computers were communicating with command-and-control servers that they knew had perpetrated attacks on other companies before and that they believed were being coordinated by the Chinese military.

RAY SUAREZ: From this monitor, were you able to tell, was the paper able to tell what whoever was doing this was looking for? Were they just rooting around, just showing they could do it? What was the purpose?

NICOLE PERLROTH: Originally, we didn’t know what they were after.

The timing of the attacks with the investigation of the story gave us some sense, but they were very active in the week after we published the story, and especially on election night, on November 6, which led some of my editors to suspect or fear that they might do the worst, which would be take down our print or online publication systems.

But very soon, it was — it became very clear what they were after. We hired Mandiant, who came in and looked at our systems, and it looks as if they spent two weeks once they initially got into our systems in September moving around our systems, until they finally found the domain controller that contains usernames and passwords for every single New York Times employee.

They took those passwords, they cracked them, and they got into 53 of our computers, which it looks like they really used as a launching path — launching pad for the real target of their attacks, which were the e-mail correspondence of David Barboza, our Shanghai bureau chief, and Jim Yardley, our Beijing bureau chief.

David is the one who wrote the investigation into Mr. Wen’s relatives. And based on what the attackers took, it looks as if they were looking for the sources of David Barboza’s investigation.

What is ironic about that is, as David has said publicly, the sources for that investigation were not some Deep Throat. It was publicly available documents in China. So we could see the documents that these hackers were taking, and they were not sensitive by any means. There was no Deep Throat. And it was clear that they were after his e-mail correspondence pretty early on in the attacks.

RAY SUAREZ: Grady Summers, was this a particularly sophisticated, technically proficient attack?

GRADY SUMMERS, Mandiant: You know, we find that these attacks are as technically proficient as they need to be in order to break into an organization.

So, in the case we heard about from The New York Times today, it was, I would say, maybe a six or a seven on a scale of one to 10. We certainly see these attackers become very sophisticated when they need to be, and in some cases, simple spear phishing e-mail and some what we would call commodity malware will do the trick.

RAY SUAREZ: How do you work it back so that you know the origin or you believe the origin is in China?


GRADY SUMMERS: At Mandiant, we try to take an approach that is very holistic. Rather than coming in and looking at a particular piece of malware, of malicious software, we look at the full scope of attacks. We try to gather all the indicators possible.

And then, as to how we would trace that back to China, we take this issue of attribution very seriously. We don’t — we wouldn’t just casually toss out a country or particular threat actor. We have got some proprietary methods. But I would probably — there’s a corollary to the physical world, to a real-life burglary.

A detective will look for the M.O. of a particular thief. And they will look at the tools they use, the techniques they use, the time of day they break in, and what approach they take to casing out a particular site.

And we do much the same thing in the cyber-world. We look at hundreds, if not thousands, of indicators. We group those into particular groups of threat actors. And when we see those tools and techniques used again, we can usually pinpoint it with pretty good accuracy.

RAY SUAREZ: Just in the last several hours, it’s become known that CNN International, the external service of the CNN television network, and The Wall Street Journal were also victims of similar attacks.

And the United States government is now putting cyber-vulnerability on its intelligence estimates.


RAY SUAREZ: Apparently, this is a big problem.

GRADY SUMMERS: It is a big problem.

And it’s amazing how broad a problem it’s become. When we started doing these investigations years ago, it was primarily aerospace and defense sector. You could almost count on those sectors being targeted. Today, it would almost be easier to tell you which sectors aren’t being targeted.

We see anything from energy in oil and gas, to clean technology, biofuels, law firms, and, of course, as we heard today, even media and entertainment, so very broad-based attacks.

RAY SUAREZ: Nicole Perlroth, The New York Times doesn’t have the choice of leaving the biggest country on Earth and the second biggest economy on Earth, does it?

But this is a retaliatory attack, and even at a time when your paper is expanding into China with a Chinese-language online edition.

NICOLE PERLROTH: That’s right.

Well, the Chinese-language edition was blocked the day that that story on Wen Jiabao’s relatives went live. And it continues to be blocked in China. And now we have seen that we have been hacked as well. We would like to relaunch that site in China, but it’s a process.

RAY SUAREZ: So, for now, just full steam ahead in journalism as usual, despite this kind of pushback from such a big market?

NICOLE PERLROTH: That’s right.

I don’t think that this will deter us from doing the journalism we have always done. And I will say, I really credit The Times for letting this story be told. As Grady can probably tell you, there were hundreds of other organizations targeted by the same group that hit The New York Times. You just haven’t heard about any of them.

So, this is the first time that we have been able to provide sort of a rare glimpse into what one of these attacks looks like.

RAY SUAREZ: Nicole Perlroth, Grady Summers, thank you both.