Chinese Hackers’ Attack on the New York Times Worked to Perfection

Innovation, the Internet, gadgets, and more.
Jan. 31 2013 6:12 PM

Hacking the Old Gray Lady

The Chinese attack against the New York Times worked to perfection.

The New York Times building
The New York Times building

Photo by Mario Tama/Getty Images

Journalists are on notice. If you investigate the Chinese government, Chinese hackers will come after you. That’s what you should conclude from the New York Times’ disclosure that it was hacked for four months by attackers it suspects were associated with the Chinese military. The likely motive, the Times says, was retaliation against the paper for its investigation into the wealth amassed by the family of Wen Jiabao, China’s prime minister. But this wasn’t the first time Chinese hackers attacked journalists. They infiltrated Bloomberg News last year, the Times reports. They’ve also gone after the Associated Press, the Wall Street Journal, and other Western news organizations.

Reporters who cover China might wish to take some comfort in the fact that the Times was on to the hackers. The paper had expected a response to its investigation, and AT&T, which had been monitoring the paper’s network, alerted the Times of a potential hack on the day that it published the Wen investigation. The paper suspects that hackers were looking for information about its sources, but computer security experts it consulted “found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded, or copied,” executive editor Jill Abramson said.

To me, though, these seem like small assurances. Knowing the hackers were coming didn’t really help the Times—attackers still managed to obtain the corporate passwords of every one of its employees and broke into the PCs of 53 of them. They also infiltrated the email accounts of a couple of reporters who cover China, including David Barboza, who conducted the investigation into Wen’s family. What’s more, security experts say the Times can’t really be sure that the hackers are gone from its network, nor that they didn’t find anything of value. The most important outcome here might be the chilling effect: Now that a Chinese attack on the New York Times is international news, any dissident or potential whistle-blower in China will be wary of talking to journalists at the paper—or, for that matter, all journalists.

Advertisement

In other words, the hack worked. Indeed, the attack on the New York Times points out why cyberattacks are such a spectacularly diabolical and effective weapon, especially when they’re aimed at journalists. Until now, when a government or criminal enterprise didn’t like something a reporter wrote, it had two options—it could shut down the outlet or kill the journalist. Hacking presents a third option, one that’s far more nuanced and effective.

First, it’s anonymous—as a technical matter, it’s almost impossible to know for sure who hacked the New York Times, and China can maintain plausible deniability. Hacking is secret and very rarely messy. The hacker can get what he wants—a reporter’s sources, information about how a news outlet works and whom to cozy up to, perhaps personal information that could be helpful for blackmail—without anyone ever finding out. Hacking crosses borders. In the past, a foreign paper like the New York Times would have been relatively more protected from Chinese governmental repercussions than a local paper. Not anymore. Now hackers can get you anywhere, and they can make life hell for everyone you work with.

Finally and most importantly, hacking is almost impossible to defend against. Journalists have to use computers and the Internet constantly to do their jobs. If you do that, you’re opening yourself up to attack. Sure, you can and should take precautions against hacking. The Times attack seems to have begun with a simple email-based phishing scam; if someone at the Times hadn’t clicked on a bad link, the attackers would never have gotten in. But Chinese hackers have used similar tactics to hit Google and the White House, too. In a large organization, someone is going to slip up, and it only takes one. This suggests that if they’re determined—which they are—hackers could get to pretty much any journalist they wish.

But it’s not just Chinese hackers that journalists have to worry about. The tools of hacking are decentralized and distributed, available to anyone who’s ever been the subject of a negative article. The Times has hinted that it was attacked by supporters of WikiLeaks in 2011, and in 1998, when it reported on hacker Kevin Mitnick, a group called H4acking for Girl13z defaced the paper’s website. In 2010, Gawker—which writes often and unsparingly about powerful online collectives at 4Chan, Anonymous, and Reddit—got epically hacked by those same groups. The hackers got 1.3 million usernames, email addresses, and password hashes belonging to Gawker readers. The hackers even logged on to Gawker’s private online chat room and spied on its editorial operations.

Journalists should take two lessons from such incidents. The first is obvious. Don’t be a security slacker. Don’t click on fishy links, use two-step verification for your important accounts, choose strong passwords that you don’t repeat at various sites, don’t stick mysterious USB drives into your machine, etc. All those steps are important, and they’re things that a lot of people—yes, journalists are people too—don’t take seriously enough.

But the second lesson is more important: Realize that you and your devices are vulnerable, and conduct your work with that in mind. Let your sources know it, too. This means storing your most delicate information on computers that aren’t connected to the Internet. It means taking important notes on paper, not your phone. But mostly it means this: If you’re working on anything controversial, know that you, your colleagues, and your sources can be surveilled. If that deters you from doing your job—well, that’s the whole point of hacking. That’s why we should all be very worried.

TODAY IN SLATE

Doublex

Crying Rape

False rape accusations exist, and they are a serious problem.

Scotland Is Just the Beginning. Expect More Political Earthquakes in Europe.

I Bought the Huge iPhone. I’m Already Thinking of Returning It.

The Music Industry Is Ignoring Some of the Best Black Women Singing R&B

How Will You Carry Around Your Huge New iPhone? Apple Pants!

Medical Examiner

The Most Terrifying Thing About Ebola 

The disease threatens humanity by preying on humanity.

Television

The Other Huxtable Effect

Thirty years ago, The Cosby Show gave us one of TV’s great feminists.

Lifetime Didn’t Find the Steubenville Rape Case Dramatic Enough. So They Added a Little Self-Immolation.

No, New York Times, Shonda Rhimes Is Not an “Angry Black Woman” 

Brow Beat
Sept. 19 2014 1:39 PM Shonda Rhimes Is Not an “Angry Black Woman,” New York Times. Neither Are Her Characters.
Behold
Sept. 19 2014 1:11 PM An Up-Close Look at the U.S.–Mexico Border
  News & Politics
Weigel
Sept. 19 2014 9:15 PM Chris Christie, Better Than Ever
  Business
Moneybox
Sept. 19 2014 6:35 PM Pabst Blue Ribbon is Being Sold to the Russians, Was So Over Anyway
  Life
Inside Higher Ed
Sept. 19 2014 1:34 PM Empty Seats, Fewer Donors? College football isn’t attracting the audience it used to.
  Double X
The XX Factor
Sept. 19 2014 4:58 PM Steubenville Gets the Lifetime Treatment (And a Cheerleader Erupts Into Flames)
  Slate Plus
Slate Picks
Sept. 19 2014 12:00 PM What Happened at Slate This Week? The Slatest editor tells us to read well-informed skepticism, media criticism, and more.
  Arts
Brow Beat
Sept. 19 2014 4:48 PM You Should Be Listening to Sbtrkt
  Technology
Future Tense
Sept. 19 2014 6:31 PM The One Big Problem With the Enormous New iPhone
  Health & Science
Medical Examiner
Sept. 19 2014 5:09 PM Did America Get Fat by Drinking Diet Soda?   A high-profile study points the finger at artificial sweeteners.
  Sports
Sports Nut
Sept. 18 2014 11:42 AM Grandmaster Clash One of the most amazing feats in chess history just happened, and no one noticed.