Thursday, January 31, 2013

NY Times hacked by China in ongoing cyberwar

Hackers from China have "persistently" attacked the New York Times for the four months following the publication of a report delving into the fortunes of Chinese Premier Wen Jiabao's family.

"Military links"

The hackers are said to have used methods "associated with the Chinese military" to target the emails of the report's writer, the paper said. Security experts hired by The New York Times to detect and block the computer attacks gathered digital evidence that Chinese hackers breached the paper's network. According to the New York Times, they broke into the email accounts of its Shanghai bureau chief, David Barboza, who wrote the reports on Wen's relatives, and Jim Yardley, The New York Times's South Asia bureau chief in India, who previously worked as bureau chief in Beijing.

"They could have wreaked havoc on our systems," said Marc Frons, the New York Times's chief information officer. "But that was not what they were after." What they appeared to be looking for were the names of people who might have provided information to Barboza for his expose on Wen's family fortune.

However, Barboza's research on the stories, as reported previously in The New York Times, was based on public records, including thousands of corporate documents through China's State Administration for Industry and Commerce. Those documents, which are available to lawyers and consulting firms for a nominal fee, were used to trace the business interests of relatives of Wen Jiabao, the NYT says [NYT / BBC / Telegraph / Guardian / Daily Mail / Time].

Concerted campaign

The mounting number of attacks that have been traced back to China suggest that hackers there are behind a far-reaching spying campaign aimed at an expanding set of targets including corporations, government agencies, activist groups and media organizations inside the United States.

The intelligence-gathering campaign, foreign policy experts and computer security researchers say the attacks are as much about trying to control China's public image, domestically and abroad, as it is about stealing trade secrets.

IP threat

As well as attempting to obtain state secrets and track down dissidents or those providing information to media organisation, hackers are particularly interested in stealing information related to the intellectual property of large corporations [BBC]. Such information could give Chinese companies an advantage, both in the manufacture of products or in terms of marketing strategies.

In December last year Bloomberg reported that Chinese hackers had likely infiltrated confidential systems within Coca-Cola. According to the report hackers were able to spend a month operating undetected, logging commercially sensitive information.

The report suggested the attackers were stealing sensitive files related to Coca-Cola's attempted $2.4 billion acquisition of China Huiyuan Juice Group. The Huiyuan deal, which collapsed in 2009, would have been the largest foreign takeover of a Chinese firm at the time.

The attack was apparently uncovered by the FBI whose officials quietly approached executives at Coca-Cola in March 2009, shortly before the takeover deal collapsed [BBC].

Silent response

Coca-Cola, the world's largest soft-drink maker, has never publicly disclosed the loss of the Huiyuan information. Their silence is likely due to the fear that any acknowledgement of a cyberattack could scare off investors.

"Investors have no idea what is happening today," says Jacob Olcott, a former cyberpolicy adviser to the US Congress. "Companies provide little information about material events that occur on their networks."

But while it is perhaps understandable that firms are not disclosing that they have been attacked, for fear that stocks could be affected, by not being transparent could also have a negative effect of a company's reputation or stock, especially if such events become public.

The US Securities and Exchange Commission says companies are required to report any material losses from such attacks, and any information "a reasonable investor would consider important to an investment decision". But Olcott says few companies have publicly disclosed the theft of sensitive deal-related information from a computer intrusion.

Reported attacks

The Coca-Cola breach is just one in a global barrage of corporate computer attacks kept secret from shareholders, regulators, employees and in some cases even from senior executives.

In 2011 hackers are said to have launched a large-scale attack on BG Group, stealing significant amounts of sensitive data. However, the British energy firm never made it public. Steelmaker ArcelorMittal also kept silent when intruders targeted, among others, its executive overseeing China.

There have been some exceptions. Google claimed it had been subjected to a series of cyberattacks which likely originated in China and targeted the company's "corporate infrastructure". In a blogpost the company said that the attacks would mean Google would have to review its policy in terms of doing business in China, a decision that ultimately resulted in it closing down its China based search engine [Reuters / WSJ / Operation Aurora].


Coca Cola have not revealed what if any data had been taken in the hacking attack, investors may well be concerned as to how the attacks might affect the company's future. It is extremely unlikely that Coca Cola's well guarded secret formula was stolen, but such a thought must have crossed the minds of many stockholders when news of the attack was made public in late 2012.


The Chinese Foreign Ministry continually deny any involvement with such cyberattacks. Concerning the recent NYT hacking allegation, spokesman Hong Lei dismissed the accusations as "groundless".

"To arbitrarily assert and to conclude without hard evidence that China participated in such hacking attacks is totally irresponsible," he said  at a press briefing. "China is also a victim of hacking attacks. Chinese laws clearly forbid hacking attacks, and we hope relevant parties takes a responsible attitude on this issue."

But the pattern of attacks, the timing and the victims only seems to reinforce the evidence. Indeed the attack on Coca-Cola could even be seen as a deliberate sting operation, softening the enemy and leaving it open to attack.

Setting the stage

In 2008, shareholders of Huiyuan, the biggest fruit and vegetable juice company in China, hired Goldman Sachs to find a buyer for the company. After months of due diligence, Coca-Cola made the highest offer at $2.4 billion. The deal was announced on 3rd September 2008, pending approval from China's Ministry of Commerce.

Two weeks later, Paul Etchells, then the deputy president of Coca-Cola's Pacific group, met officials from the US Embassy in Beijing and expressed confidence that the deal would clear China's internal antitrust review, according to a US State Department cable published by Wikileaks.

Amid this review, the company learned that its computer systems had been breached and sensitive deal information taken from the computer account of Etchells on March 3, 2009, according to the internal report on the attack. That investigation traced the breach back to an email that appeared in Etchells' in-box on 16th February 2009. The body of the email had contained a link to a file that purported to contain a message from the chief executive. By clicking on the link malware was surreptitiously loaded onto Etchells' machine, giving hackers full access to his computer through the Internet.

Etchell was not the only victim. According to the South China Morning Post, Brenda Lee, a Coca-Cola public affairs executive in China, was also sent a disguised malicious email on 13th March 2009. When she opened an attached file, malware was installed giving hackers access to her machine. Five days after the malicious e-mail landed in Lee's inbox and one month after Etchells' machine was compromised, the Chinese Ministry of Commerce rejected Coca-Cola's acquisition, citing antitrust grounds.

It is hard to believe the events surrounding the Huiyuan deal were a pure coincidence. Nonetheless even if the hacking attacks were not planned prior to a takeover deal being suggested, the phishing and other cyberattacks both in the past, and more recently reported, should be an important reminder to any individual or company doing business with the Middle Kingdom.

tvnewswatch, London, UK

No comments: