N.Y. Times hacked: How large is China's campaign to control, intimidate?

The list of media outlets infiltrated by Chinese cyberspies doesn't end with The New York Times or Wall St. Journal, cybersecurity experts say. Anyone reporting on China is a potential target.

February 1, 2013

Cyberspies who breached computer networks of The New York Times and Wall Street Journal are part of a far larger global campaign of intrusions targeting news organizations worldwide that report on China, according to cybersecurity experts and China policy analysts.

Early Thursday, the Times reported that cyberintruders last fall infiltrated its networks via Internet domains and addresses based in China, attempting to remove notes files and other information related to its reporting on the fortunes amassed by relatives of China's premier, Xi Jinping. Later in the day, the Journal reported that its networks, too, had been hacked by intruders from China.

Yet to be confirmed are reports Friday by a well-regarded cybersecurity researcher that the Washington Post also was infiltrated by Chinese cyberspies for an extended time last year. Brian Krebs, the researcher, reported the infiltration, quoting a former Post technology expert on his blog. "We have nothing to share at this time," a Post spokesman told Mr. Krebs.


China’s apparent motives in infiltrating major news organizations, experts say, are to anticipate and respond to negative coverage of the country, and, perhaps no less importantly, to deter Chinese citizens from speaking openly with Western news organizations.

While news organizations have long known their China-based correspondents are spied upon at times, outlines of a far larger global campaign targeting news organizations that report on China are now emerging, cybersecurity experts told the Monitor. It is part of a massive effort identified since about 2007 that these experts call the "advanced persistent threat."

That label once referred to unknown cyberhackers invading a corporate network, creating digital backdoors, and spending months or years sending intellectual property data – like oil bid data and pharmaceutical formulas – back through the Internet to points unknown. But now the "A.P.T." is seen in the cybersecurity industry as a mere shorthand for "getting hacked by the Chinese."

"We have data that to me makes it definitely clear that there's a pattern here – hacks on industry, activists, government – and journalists around the world," says Joe Stewart, a cybersecurity expert with Dell Secureworks who has tracked cyberespionage attacks, including a number against news organizations, back to Internet addresses in China.

In late 2011 and early 2012, he says, cyberintruders whose digital signatures he tracked back to China invaded newspapers in Vietnam and Japan. In those cases, he said, he attempted to contact the news organizations to let them know – successfully in the case of the Japanese newspaper.


In August 2011, the Associated Press was reported to be among 72 companies and government agencies targeted in a broad-based global cyberespionage campaign identified by McAfee, the cybersecurity company. McAfee, which dubbed the China-based campaign "ShadyRAT," did not identify the AP by name in its report.

AP spokesman Jack Stokes said the company was aware of the reports.

"We do not comment on network security," he told the Washington Post at the time.

Ronald Deibert, director of the Citizen Lab at the Munk Centre for International Studies at the University of Toronto, says current revelations about media organizations targeted by the Chinese fit into a much larger picture that his group just scratched the surface of in 2009, when they looked into an espionage campaign dubbed “GhOstNet.”

Dr. Deibert, who coauthored a report on GhOstNet, says Canadian researchers investigating Chinese espionage against the Dalai Lama and the Tibetan community found that computer systems in AP offices in Hong Kong and London were compromised.

The "common thread" in the GhOstNet campaign was that all of the targets involved Chinese concerns – including the attack on the AP, Deibert says. The AP servers in Hong Kong and London were compromised, he believes, "so the attackers would have had access to stories and contacts in the stories before the stories were released."

In its story of the Chinese infiltration of its own systems, the Times reported that Bloomberg News, too, had been attacked last year following its investigation of Premier Xi’s family. But all those instances are pieces that fit into a far larger puzzle, many say.

"What is significant about the New York Times breach is not that the Chinese have breached a big media organization," Deibert says. "If someone had come to me back then and said: 'Have the Chinese breached more media organizations than just the AP?' I would have answered: 'Of course!'

“You'd have to be stupid not to think that, based on the scope of the victims – government, Fortune 500, telecommunications, military contractor – compromised over the last three years by networks within China. So, The New York Times? I'd bet money on it."

In a December intelligence report for its clients, Mandiant, the company brought in by the Times to investigate, found evidence that Chinese hackers "had stolen e-mails, contacts, and files from more than 30 journalists and executives at Western news organizations, and had maintained a ‘short list’ of journalists whose accounts they repeatedly attack," the Times reported.

But why hack into Western news media outlets or mount such an extensive campaign at all? China media experts say it's all about controlling or influencing news coverage, if possible.

Since the Internet now makes it possible for Chinese citizens to get at least some news electronically – leaking through digital barriers – Chinese authorities are finding it necessary to try to find out in advance, if possible, what news organizations will report. The aim is to try to short-circuit embarrassing stories or stop them altogether if possible, these Chinese media experts say.

"While just one case in a sweeping cyberespionage campaign that appears endemic, the attack on the Times does highlight both the willingness of Beijing to lean out and shape the narrative about China as well as the vulnerability the top leadership feels about how they are portrayed," Adam Segal, a senior fellow for China Studies at the Council on Foreign Relations, wrote on the Foreign Policy magazine website. "Beijing is pushing its Internet power outside of China into the rest of the world."

What the Times and other hacks demonstrate, Dr. Segal argues, is the desire to shape international political narratives "as well as gather information from those who might influence the debates on topics of importance to Beijing."

Xiao Qiang, a Chinese dissident now living in the United States, agrees.

"Controlling the information – and the image of what the external foreign media report about China – are both important to the Chinese authorities, and the two areas are increasingly linked," says Mr. Qiang, now director of the China Internet Project and an adjunct professor at the Graduate School of Journalism at the University of California, Berkeley.

Because what is reported outside China gets translated and flows back to China electronically, it is seen as vital to control how China is reported on in the foreign media, since that coverage is directly linked to what Chinese people know about their internal affairs, Mr. Qiang says. It's also about intimidating not just journalists but those who would speak to them.

"If those sources know they aren't safe – because China is inside the news organization computers – they are unlikely to be cooperative with foreign media," Qiang says. "If they can, they will try to stop the story altogether. If being inside a computer system puts them a step ahead because they know who the reporters are speaking to, they will cut off the sources back in China. That's what they're really trying to achieve."

Liz Carter, a translator and China consultant who follows about 500 to 600 people who broadcast their views on Twitter, agrees. Among the Twitter users she follows in China, many utilize encryption technologies to evade authorities. She says Chinese censors have increased the speed with which they shut off stories critical of the government that spread in tweets to the broader public. Invading Western news organizations' networks is all part of trying to control the flow.

"Censorship is often incomplete and the government realizes it can't enforce a total information blackout," she says. "So a lot of what's going on [with infiltrating news organizations] is an effort at damage control, trying to get out ahead of the news – find out what's going to be reported – in order to tamp it down, minimize it."

Eddie Schwartz, chief information security officer at RSA, the Security Division of EMC, says US news media are just part of a big cybertarget for Beijing.

"We've been talking about US organizations, but this kind of attack applies to news organizations around the world," he says. "I'm not surprised by any of the revelations. Part of what these news organizations are doing is gathering intelligence on important topics. And there are many organizations, criminals, and nation states – including the Chinese – that are going to be interested in that information."

Chinese authorities routinely rebut and deny news reports accusing China of hacking US companies – noting that the government and Chinese companies are also frequent hacking victims. The Times article reported evidence it said showed the hackers were likely linked to the People's Liberation Army – China's military. Could the military have responded to the concerns of a senior Chinese political official worried that a Western news report would embarrass his family and him?

China’s Ministry of National Defense rebutted assertions it was involved in the hack, telling the Times that, “Chinese laws prohibit any action including hacking that damages Internet security.” It added that “to accuse the Chinese military of launching cyberattacks without solid proof is unprofessional and baseless.”

But if it were involved it would not surprise Joe Stewart, who has linked news media attackers to a group he calls the Beijing Group that could be linked to the PLA, though no direct ties have yet been demonstrated. Nor would it surprise L.C. Russell Hsiao, a senior research fellow at the Project 2049 Institute, a nonprofit group that has made a specialty of analyzing China's cyber and signals intelligence units within the People's Liberation Army.

"It's an open question," he says. "But given the sensitivity of political leaders in China and how they have reacted to such reporting in the past – well, you have to understand the Chinese system and its leaders take extreme caution with respect to political reports. So I think it’s not unthinkable to say that they would undertake such measures [using elements of the PLA] to stem the flow of such information."

[Editor's note: The original version of this story incorrectly stated that Joe Stewart had linked the Beijing Group to the PLA.]