The New York Times / China Hack: What Really Happened and Who Really Did It?

The New York Times reported that it has been fending off a persistent attack by hackers which coincided with its publication on October 25, 2012 of an article on the wealth of the family of China's prime minister Wen JiaBao. However, that connection appears to be an assumption, because according to Jill Abramson nothing was taken:
“Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,” said Jill Abramson, executive editor of The Times.
What did the hackers actually do?
  • They first accessed the network around September 13.
  • They installed malware that wasn't detected by Symantec's anti-virus.
  • They installed backdoors.
  • They obtained passwords for 53 Times employees who didn't work in the Times' newsroom.
  • They "created custom software that allowed them to search for and grab Mr. Barboza’s and Mr. Yardley’s e-mails and documents from a Times e-mail server", which conflicts with Ms. Abramson's statement above.
So no customer data was stolen, and nothing about the Wen family was accessed, downloaded or copied. That's not really much of a story so far. Better add everyone's favorite bad guy - China.

Why blame China?
“If you look at each attack in isolation, you can’t say, ‘This is the Chinese military,’ ” said Richard Bejtlich, Mandiant’s chief security officer.
But when the techniques and patterns of the hackers are similar, it is a sign that the hackers are the same or affiliated.
“When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction,” he said.
Mandiant has been tracking about 20 groups that are spying on organizations inside the United States and around the globe. Its investigators said that based on the evidence — the malware used, the command and control centers compromised and the hackers’ techniques — The Times was attacked by a group of Chinese hackers that Mandiant refers to internally as “A.P.T. Number 12.”
What's Wrong With This Picture?
This article appears to be nothing more than an acknowledgment by the New York Times that they found hackers in their network (that's not really news), that China was to blame (that's Mandiant's go-to culprit), and that no customer data was lost (i.e., the Times isn't liable for a lawsuit).

I think that Mandiant does good incident response work, and I know Richard Bejtlich and some other Mandiant folks to be honest, hard-working professionals; however, their China-centric view of the hacker world isn't always justified in my opinion. Here are a few of the reasons mentioned in the New York Times article for why Mandiant believes that China was responsible. None of them hold water.

The Beijing Workday Argument. The hackers could have been from anywhere in the world. The timezone that Mandiant imagines as a Beijing workday could easily apply to a workday in Bangkok, Singapore, Taiwan, Tibet, Seoul, and even Tallinn - all of which have active hacker populations.
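To show concretely why the working-hours heuristic narrows attribution only to a band of longitudes, here is an added example (not code from this post, the Times or Mandiant) that scores every UTC offset against a constructed set of activity timestamps; the timestamps, the 09:00-18:00 working window and the city list are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (not data from the article): UTC timestamps at which
# attacker activity was observed, clustered in 02:00-08:59 UTC.
ACTIVITY_UTC = [
    datetime(2012, 9, 13, 2, 14, tzinfo=timezone.utc),
    datetime(2012, 9, 13, 4, 47, tzinfo=timezone.utc),
    datetime(2012, 9, 14, 3, 5, tzinfo=timezone.utc),
    datetime(2012, 9, 14, 6, 30, tzinfo=timezone.utc),
    datetime(2012, 9, 17, 2, 58, tzinfo=timezone.utc),
    datetime(2012, 9, 17, 7, 41, tzinfo=timezone.utc),
    datetime(2012, 9, 18, 5, 22, tzinfo=timezone.utc),
    datetime(2012, 9, 18, 8, 9, tzinfo=timezone.utc),
    datetime(2012, 9, 20, 3, 33, tzinfo=timezone.utc),
    datetime(2012, 9, 20, 8, 55, tzinfo=timezone.utc),
]

WORKDAY_HOURS = range(9, 18)  # local 09:00-17:59

# Illustrative cities per standard UTC offset (assumption for the example;
# only a few of the many places sharing each offset are listed).
CITIES_BY_OFFSET = {
    7: ["Bangkok"],
    8: ["Beijing", "Singapore", "Taipei"],
    9: ["Seoul"],
}

def workday_fit(timestamps, offset_hours):
    """Fraction of events that fall inside local working hours at this UTC offset."""
    local_tz = timezone(timedelta(hours=offset_hours))
    hits = sum(1 for t in timestamps if t.astimezone(local_tz).hour in WORKDAY_HOURS)
    return hits / len(timestamps)

def candidate_offsets(timestamps, threshold=0.9):
    """UTC offsets (-12..+14) at which at least `threshold` of the activity lands in
    working hours; a clean 'workday' pattern passes for several neighbouring offsets."""
    return [off for off in range(-12, 15) if workday_fit(timestamps, off) >= threshold]

def plausible_locales(timestamps, threshold=0.9):
    """Map each fitting offset to the example cities that keep that clock."""
    return {off: CITIES_BY_OFFSET.get(off, ["(other places at this offset)"])
            for off in candidate_offsets(timestamps, threshold)}

if __name__ == "__main__":
    for off, cities in plausible_locales(ACTIVITY_UTC).items():
        print(f"UTC{off:+d}: {workday_fit(ACTIVITY_UTC, off):.0%} in working hours -> {cities}")
```

With the constructed sample, UTC+7, +8 and +9 all fit perfectly, so the pattern alone cannot separate Bangkok, Beijing, Singapore, Taipei and Seoul.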

The Lanxiang Vocational School Argument. The article mentioned that the hackers were traced back to the "same universities used by the Chinese military to attack U.S. military contractors in the past." If memory serves, one of those was the Lanxiang Vocational School in Jinan, the capital of Shandong province and home to a PLA regional command center. Actually, Jinan is an industrial city of six million people and more than a dozen universities. IP Geolocation to one school means absolutely nothing.

Furthermore, even if the Chinese government was involved in cyber espionage against the New York Times, it wouldn't use its military for that. It would use its Ministry of State Security (China's equivalent of the CIA). And they wouldn't be stupid enough to run the attack from their own offices, which, if you're interested in checking IP addresses, are in Beijing - 274 miles from Jinan.

The Hackers' Techniques. The article mentioned the hackers' use of a Remote Access Tool (RAT). One such widely used tool is called GhostRAT. The fact that it was used in an attack against the Dalai Lama in 2008 (GhostNet) doesn't mean that all of the later attacks which used this tool originated with the same group. In fact, even the GhostNet researchers refrained from attributing that attack to China's government.

Another tool whose use is often blamed on Chinese hackers is the "xKungFoo script". Like GhostRAT, the xKungFoo script is widely available for anyone to use, so even if it was originally created by a Chinese hacker, it doesn't mean that it is used by Chinese hackers in all instances. I personally know Russian, English, and Indian hackers who write and speak Chinese.

The Wen JiaBao Argument. Mandiant believes that the hackers gained access to the New York Times network around September 15, 2012, during the time that the Wen story was being researched. We also know that the hackers gained access to the emails of the Times Shanghai Bureau Chief David Barboza and its South Asia Bureau Chief in India, Jim Yardley. Does this mean that China was responsible? Maybe it does, but the Wen story could have been a coincidence. Check out how many stories Mr. Barboza and Mr. Yardley worked on between August and December 2012 - several dozen between the two of them. And Yardley's name isn't associated with the Wen story at all.

Asian politics and economics are pivotal in some way to every developed and developing nation in the world. And the New York Times has its finger on the pulse of that region. The list of potential culprits who could have breached the Times network for information on Asia is far longer than just China. 


  1. Big fan of the blog and Twitter feed.

    Question: although the above mentioned questions cast doubt on the absoluteness of the assertion that China is behind the attacks, do the questions raised do anything to discredit the argument that China is the culprit?

    It seems to me that the questions raised argue more for the idea that more research/investigation/fact-finding is required to attribute the attack to a certain actor, as opposed to disproving the notion that China is in fact responsible.

  2. This comment has been removed by the author.

    1. Thanks very much.

      Actually, making an attempt to disprove that a presumed nation state is the culprit is the accepted way that intelligence analysts test their findings in a rigorous analytic model. Since InfoSec companies' findings have policy consequences, I'd like to see way more rigor applied to their work - not just Mandiant but everyone.

  3. I wholeheartedly agree with the need for analytic rigor. One aspect is standing out: Bejtlich's comment about taken "in isolation" and the certainty that Mandiant possesses intelligence not in OSINT. I'm not arguing to "give them the benefit of the doubt," but we must consider what they know that we don't, and consider how they've put their reputations on the line when we assess the probabilities their assessment "it has to be China" is dead on. Considerations include Mandiant's biases to preserve consistency with past assessments, their apparent interest in the defense sector for customers and past individual staff members' experiences with the defense sector including veterans like Bejtlich. (OB disclosure: I have this last bias too.)

    One might hope the NYT would apply similar rigor before including attribution in their "story." And consider the NYT's biases to blame someone (including and other than Symantec), to emphasize sophistication (we have good security therefore only ninjas could get to us) and to be consistent with the "it has to be China" theme especially in the US. Their business requires readers and the "story" is certainly more compelling by inclusion of the identity of the bad guy.

    But biases don't exclude the possibility that Mandiant has a solid foundation for their assessment and the NYT, as their customer, is relying on Mandiant's expertise when publishing attribution. Bejtlich's individual and Mandiant's corporate reputations are at stake, which must also be considered. Were I in their shoes, I would require compelling evidence and intelligence before putting my reputation on the line as they have.

  4. Dave, I agree. In fact, I think we need to take a close look into sources and methods that the InfoSec companies are relying upon to make these judgments. I think we'll find that with a few exceptions, most of the historical data that these companies use makes assumptions without proving them. Then it becomes a snake eating its own tail.

