Chinese Hackers’ Attack on the New York Times Worked to Perfection

Innovation, the Internet, gadgets, and more.
Jan. 31 2013 6:12 PM

Hacking the Old Gray Lady

The Chinese attack against the New York Times worked to perfection.

The New York Times building

Photo by Mario Tama/Getty Images

Journalists are on notice. If you investigate the Chinese government, Chinese hackers will come after you. That’s what you should conclude from the New York Times’ disclosure that it was hacked for four months by attackers it suspects were associated with the Chinese military. The likely motive, the Times says, was retaliation against the paper for its investigation into the wealth amassed by the family of Wen Jiabao, China’s prime minister. But this wasn’t the first time Chinese hackers attacked journalists. They infiltrated Bloomberg News last year, the Times reports. They’ve also gone after the Associated Press, the Wall Street Journal, and other Western news organizations.

Reporters who cover China might wish to take some comfort in the fact that the Times was on to the hackers. The paper had expected a response to its investigation, and AT&T, which had been monitoring the paper’s network, alerted the Times of a potential hack on the day that it published the Wen investigation. The paper suspects that hackers were looking for information about its sources, but computer security experts it consulted “found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded, or copied,” executive editor Jill Abramson said.

To me, though, these seem like small assurances. Knowing the hackers were coming didn’t really help the Times—attackers still managed to obtain the corporate passwords of every one of its employees and broke into the PCs of 53 of them. They also infiltrated the email accounts of a couple of reporters who cover China, including David Barboza, who conducted the investigation into Wen’s family. What’s more, security experts say the Times can’t really be sure that the hackers are gone from its network, nor that they didn’t find anything of value. The most important outcome here might be the chilling effect: Now that a Chinese attack on the New York Times is international news, any dissident or potential whistle-blower in China will be wary of talking to journalists at the paper—or, for that matter, all journalists.

In other words, the hack worked. Indeed, the attack on the New York Times points out why cyberattacks are such a spectacularly diabolical and effective weapon, especially when they’re aimed at journalists. Until now, when a government or criminal enterprise didn’t like something a reporter wrote, it had two options—it could shut down the outlet or kill the journalist. Hacking presents a third option, one that’s far more nuanced and effective.

First, it’s anonymous—as a technical matter, it’s almost impossible to know for sure who hacked the New York Times, and China can maintain plausible deniability. Hacking is secret and very rarely messy. The hacker can get what he wants—a reporter’s sources, information about how a news outlet works and whom to cozy up to, perhaps personal information that could be helpful for blackmail—without anyone ever finding out. Hacking crosses borders. In the past, a foreign paper like the New York Times would have been relatively more protected from Chinese governmental repercussions than a local paper. Not anymore. Now hackers can get you anywhere, and they can make life hell for everyone you work with.

Finally and most importantly, hacking is almost impossible to defend against. Journalists have to use computers and the Internet constantly to do their jobs. If you do that, you’re opening yourself up to attack. Sure, you can and should take precautions against hacking. The Times attack seems to have begun with a simple email-based phishing scam; if someone at the Times hadn’t clicked on a bad link, the attackers would never have gotten in. But Chinese hackers have used similar tactics to hit Google and the White House, too. In a large organization, someone is going to slip up, and it only takes one. This suggests that if they’re determined—which they are—hackers could get to pretty much any journalist they wish.

But it’s not just Chinese hackers that journalists have to worry about. The tools of hacking are decentralized and distributed, available to anyone who’s ever been the subject of a negative article. The Times has hinted that it was attacked by supporters of WikiLeaks in 2011, and in 1998, when it reported on hacker Kevin Mitnick, a group called H4acking for Girl13z defaced the paper’s website. In 2010, Gawker—which writes often and unsparingly about powerful online collectives at 4Chan, Anonymous, and Reddit—got epically hacked by those same groups. The hackers got 1.3 million usernames, email addresses, and password hashes belonging to Gawker readers. The hackers even logged on to Gawker’s private online chat room and spied on its editorial operations.

Journalists should take two lessons from such incidents. The first is obvious. Don’t be a security slacker. Don’t click on fishy links, use two-step verification for your important accounts, choose strong passwords that you don’t repeat at various sites, don’t stick mysterious USB drives into your machine, etc. All those steps are important, and they’re things that a lot of people—yes, journalists are people too—don’t take seriously enough.

But the second lesson is more important: Realize that you and your devices are vulnerable, and conduct your work with that in mind. Let your sources know it, too. This means storing your most delicate information on computers that aren’t connected to the Internet. It means taking important notes on paper, not your phone. But mostly it means this: If you’re working on anything controversial, know that you, your colleagues, and your sources can be surveilled. If that deters you from doing your job—well, that’s the whole point of hacking. That’s why we should all be very worried.

Farhad Manjoo is a technology columnist for the New York Times and the author of True Enough.
