The New York Times announced late Wednesday that they have been warding off cyber attacks from Chinese hackers since September. Wired senior reporter Kim Zetter explains who the hackers target, how they do it, and why.
Copyright NPR. View this article on npr.org.
NEAL CONAN, HOST:
According to The New York Times' own investigation, Chinese hackers have been attacking the newspaper's computer system for the last four months. Infiltration happened as The Times broke a story on the vast wealth accumulated by the family of the Chinese prime minister. Officials warned The Times the story would have consequences. But hacking is not anything new in China, and they're definitely not the only country doing it today. We'll look at what China's after, who they're targeting, how they do it and why.
Joining us now is Kim Zetter, senior reporter at Wired, covering cybercrime. And we're speaking with her from member station KQED, in San Francisco. And nice to have you on the program with us.
KIM ZETTER: Thanks. Thank you, Neal.
CONAN: And is this different from other Chinese hacking jobs, at least from what you can tell on the details from that Times story?
ZETTER: No. They tend to follow a certain pattern. The New York Times story didn't indicate exactly how the hackers got in, in its case, although they said that it might have done - been done through a phishing attack. And that's often how a lot of attacks occur. A phishing attack is basically sending an email to employees, to workers and tricking them into either clicking on a malicious link, going to a website that has malware on it that'll download to their system, or clicking on an attachment that installs malware on that computer. And that's basically the initial doorway that they get into. And then they - from there, they route their way through the network to establish a more firm hold and install more tools.
CONAN: From what we could tell, what were they after?
ZETTER: In this case, The Times is telling us that they appeared to be after sources and intelligence about an investigation that The New York Times was conducting into the wealth of relatives of China's prime minister. And so the timing of this was around - the hackers broke in around mid-September, and The New York Times published their investigative story in October. So they said that it seemed to be timed around this event.
CONAN: In fact, once The Times started asking Chinese officials for reaction to their story in advance of publication, they were told it might have - they alerted their company, AT&T, to be on the lookout for suspicious activities.
ZETTER: Yeah. This was interesting, because, you know, had that not occurred, had The New York Times not heard that officials were saying there would be consequences, there wouldn't have been any reason to ask AT&T to keep a lookout. And so, you know, the hack might never have been exposed. It raises questions about, you know, who else might be in The New York Times' system, you know, either before this or currently. So, you know, it's quite surprising that that was, you know, what prompted this to be discovered.
CONAN: And as they went about, according to The Times story, they got into the accounts of something like 53 Times employees, including a lot of reporters.
ZETTER: Yes. They got to a system that was storing usernames and hashed passwords. A hashed password is essentially kind of an encrypted password that would need to be cracked. And in this case, they did. And these were passwords for the network access for employees. So it doesn't sound like these were directly to their email accounts, but the computers themselves. And then they were able to crack, probably, about 53 of those.
CONAN: And not only that, but The Times tells us that sources, methods, the names of people who provided the information, that sort of thing, reporters' files were not compromised. Can we know that for sure?
ZETTER: No, I don't think that we can, and I'm not sure that The New York Times can know that, as well. It's - you know, I guess I want to say, first of all, that it's really surprising that The New York Times went public with this story, because it raises a lot of questions for sources who will work with The New York Times, you know, the security of their information. And, you know, like I said, it's unclear - The New York Times caught this intrusion, but it's unclear if there were previous intrusions that they're not telling us about.
CONAN: So if the Chinese were out to intimidate people who might provide information to The New York Times, it might have worked.
ZETTER: Yes. But, you know, there's another concern that's probably even more, you know, direct for sources here in the U.S., and that is: What can the U.S. government get about your communications with the Times? Plus, of course, there are a number of investigations going on now into who has provided the New York Times with classified information. So, you know, you have worries on both sides. You know, are the Chinese hacking and getting into source information, or is the U.S. government also obtaining information?
CONAN: We'll get back to the U.S. and other governments and their cyber-hacking in just a moment. But to the Chinese, for the moment, the Times tried to - through AT&T's help - expel these hackers. It failed, and then brought in another consulting company to do the trick.
ZETTER: Yes. This was a company called Mandiant, and it's interesting because Mandiant has done numerous investigations. And they indicated this was part of a pattern that was focused against Western media, going back at least to 2008. They indicated that they had found evidence of attacks on about 30 Western journalists. So this is a pattern and, you know, there's no reason to believe that other media outlets aren't targets, as well.
CONAN: That's one aspect of Chinese hacking. We are told that they also tried to obtain corporate secrets, designs, that sort of thing.
ZETTER: Yes. So there are multiple aims. You know, in 2010, Google was hacked, and there were - that was sort of a dual aim there. The intruders were going after the email accounts of political activists, Tibetan activists. But they were also going after the source code for Google. So there's sort of an economic gain there, possibly a political gain in terms of going after the source code, as well, because if you can get the source code, you can find vulnerabilities in the system, and therefore gain access to Gmail accounts and other consumer products that Google offers.
So they've also gone after defense contractors. So there - in that case, the motivation, of course, is military secrets and as well espionage, economic, you know, gains. And they've also targeted law firms, particularly law firms that are engaged in litigation in China or engaged in mergers and acquisitions so that they can obtain market information.
CONAN: So there is an economic goal, here. There is a military goal. There is also what seems to be - there's a security goal and an image goal, public relations, if you will.
ZETTER: Yes. Like I said, it's multiple. They're going after - you know, it seems like this is an industry. And, you know, I'm hesitant to point a finger at China, because it's very easy to point the finger at China. And it's also very easy to make an attack appear to come from China when it's not coming from China. So, you know, and speaking in broad terms, you know, what we know of the attack, that they are coming from China, it appears that it is, you know, a very big industry there.
CONAN: And we should note that Chinese deny it. I'm not sure that anybody holds any great belief in that.
ZETTER: Yeah. But I - you know, I think that it's also important to say - and as you mentioned in the introduction - that there are a lot of other people, a lot of other nations engaging in hacking, as well. So, you know, pointing the finger at China is easy to do, but many other nations are engaged in this kind of attack - hacking, as well.
CONAN: As the Times' own story reported, the United States is involved in, well, cyber-warfare with Iran.
ZETTER: Yeah. And in that case, you know, I want to make a distinction between espionage and cyber-warfare. I mean, espionage is getting into a system and obtaining secrets at sort of the level of what we've always known espionage to be, spying, and we sort of live with that. In the case of Stuxnet, here, you know, this gets into a whole new realm where you're actually getting into a system in order to cause some kind of destruction. And that really is sort of stepping over a line that we haven't seen before.
CONAN: To cause the centrifuges that are enriching Iran's uranium to spin out of control and destroy themselves.
ZETTER: Yeah, either destroy themselves or to sort of malfunction over a period of time so that the enriched uranium never reaches the level that it needs to reach.
CONAN: There is also considerable evidence that Iran has responded in kind.
ZETTER: Well, yeah. I mean, we've heard - we've seen some finger-pointing from the U.S. government about that. That's - there have been two cases of that, one involved in Saudi Arabia that hit the Saudi Aramco there, where 30,000 systems that were running the oil company there - information on 30,000 systems got erased. And so there was finger-pointing there that seemed to indicate that people wanted to blame Iran for that. In another case, we've had a number of denial-of-service attacks against banks in the U.S., denial-of-service attacks go after the website of a business. And again, there, the finger-pointing has been against Iran. But that's very easy and convenient to do, to point the finger at Iran right now to sort of take the blame against other activities that the U.S. might be engaged in. So it's really hard to know who's behind any of these attacks.
CONAN: And that's the question. We should mention, of course, the cyber-warfare against Iran, Israel said to be involved in that, as well. It's hard to know who is behind these attacks. These attacks, the hacks on the New York Times were traced back, and various companies said, boy, they seem to be exactly similar to the kinds of attacks previously associated with the Chinese military, but you can't be exactly sure.
ZETTER: Yeah. But when you're doing forensic investigations like this, you're looking for fingerprints that sort of mark a sort of a modus operandi of groups that you can see over and over again. And in the New York Times report, they pointed out that Mandiant had attributed this to a group that they're calling APT12, and that indicates that they've seen the activity before. There are certain methods or tools that they used in multiple attacks. And so that allows forensic investigators to create a sort of family of attacks and attribute them to single actors.
And in some cases, you know, when actors are - when they're active over a long period of time and engaged in a number of attacks, they will eventually make mistakes. And so it can be possible sometimes to attribute attacks to an individual or to an organization. And we have seen things like that that sort of trace some of the attacks back to specific individuals in China or to universities in China.
CONAN: And to individuals and universities. Is it possible to say this is a government policy, then?
ZETTER: Well, see, there's the plausible deniability. I mean, you can have groups of hackers who engage in this activity because they're loyal to government, but not necessarily hired or ordered by the government. But, of course, if they get information that's helpful, they can hand it over to the government and get paid for it. So it's often hard to know whether it's a directed attack - a nation-state directed attack, or whether it's sort of freelancers operating under the assumption that they will be rewarded for what they do.
CONAN: There's also the possibility - we mentioned this family of the Chinese premier, vastly wealthy. Could they have hired someone to do this on their behalf?
ZETTER: Exactly. This might not have been a nation-state directed at all. This might have simply been the family saying, you know, this is not acceptable, and we're going to go after The Times and we're going to use any methods we want. And then they hire their own freelance hackers themselves.
CONAN: We also heard that Russia used denial-of-service attacks during its conflict with Georgia some years ago. Is this going to be expected anytime there's a significant conflict, that it will be preceded or accompanied by cyber-warfare and hacks?
ZETTER: Yeah. I mean, I think that that's the world we're living in now. The door has been opened. Everyone knows that this is - I wouldn't say acceptable, but it's now established that this is doable and there's very little you can do in response to it. You know, in - with the case of Google, when Google was hacked, the U.S. came out with a very forceful statement. Hillary Clinton came out with a very forceful statement at the time - which is kind of unprecedented on the part of the government - that they were not happy with China. But beyond that, you know, there's not a whole lot that you can do. We still have problems of diplomatic relations, economic partnerships, things like that. So everyone has to tread very carefully in terms of what the response would be.
CONAN: Kim Zetter, thanks very much for your time.
ZETTER: Thank you.
CONAN: Kim Zetter, senior reporter at Wired, joined us today from member station KQED in San Francisco. You're listening to TALK OF THE NATION, from NPR News. Transcript provided by NPR, Copyright NPR.