Thursday, January 31, 2013

[The CCP defends its “core interests”] The New York Times attacked by Chinese hackers for months

Report, January 31, 2013


Chinese translation by 梁英, 许欣, 王童鹤, 林蒙克 and 张薇; the English original follows.
— The New York Times

Hackers in China Attacked The Times for Last 4 Months

SAN FRANCISCO — For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees.
After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and computer security experts have expelled the attackers and kept them from breaking back in.
The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.
Security experts hired by The Times to detect and block the computer attacks gathered digital evidence that Chinese hackers, using methods that some consultants have associated with the Chinese military in the past, breached The Times’s network. They broke into the e-mail accounts of its Shanghai bureau chief, David Barboza, who wrote the reports on Mr. Wen’s relatives, and Jim Yardley, The Times’s South Asia bureau chief in India, who previously worked as bureau chief in Beijing.
“Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,” said Jill Abramson, executive editor of The Times.
The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them, said computer security experts at Mandiant, the company hired by The Times. This matches the subterfuge used in many other attacks that Mandiant has tracked to China.
The attackers first installed malware — malicious software — that enabled them to gain entry to any computer on The Times’s network. The malware was identified by computer security experts as a specific strain associated with computer attacks originating in China. More evidence of the source, experts said, is that the attacks started from the same university computers used by the Chinese military to attack United States military contractors in the past.
Security experts found evidence that the hackers stole the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees, most of them outside The Times’s newsroom. Experts found no evidence that the intruders used the passwords to seek information that was not related to the reporting on the Wen family.
No customer data was stolen from The Times, security experts said.
Asked about evidence that indicated the hacking originated in China, and possibly with the military, China’s Ministry of National Defense said, “Chinese laws prohibit any action including hacking that damages Internet security.” It added that “to accuse the Chinese military of launching cyberattacks without solid proof is unprofessional and baseless.”
The attacks appear to be part of a broader computer espionage campaign against American news media companies that have reported on Chinese leaders and corporations.
Last year, Bloomberg News was targeted by Chinese hackers, and some employees’ computers were infected, according to a person with knowledge of the company’s internal investigation, after Bloomberg published an article on June 29 about the wealth accumulated by relatives of Xi Jinping, China’s vice president at the time. Mr. Xi became general secretary of the Communist Party in November and is expected to become president in March. Ty Trippet, a spokesman for Bloomberg, confirmed that hackers had made attempts but said that “no computer systems or computers were compromised.”
Signs of a Campaign
The mounting number of attacks that have been traced back to China suggests that hackers there are behind a far-reaching spying campaign aimed at an expanding set of targets including corporations, government agencies, activist groups and media organizations inside the United States. The intelligence-gathering campaign, foreign policy experts and computer security researchers say, is as much about trying to control China’s public image, domestically and abroad, as it is about stealing trade secrets.
Security experts said that beginning in 2008, Chinese hackers began targeting Western journalists as part of an effort to identify and intimidate their sources and contacts, and to anticipate stories that might damage the reputations of Chinese leaders.
In a December intelligence report for clients, Mandiant said that over the course of several investigations it found evidence that Chinese hackers had stolen e-mails, contacts and files from more than 30 journalists and executives at Western news organizations, and had maintained a “short list” of journalists whose accounts they repeatedly attack.
While computer security experts say China is most active and persistent, it is not alone in using computer attacks for a variety of national purposes, including corporate espionage. The United States, Israel, Russia and Iran, among others, are suspected of developing and deploying cyberweapons.
The United States and Israel have never publicly acknowledged it, but evidence indicates they released a sophisticated computer virus in 2012 that attacked and caused damage at Iran’s main nuclear enrichment plant. Iran is believed to have responded with computer attacks on targets in the United States, including American banks and foreign oil companies.
Russia is suspected of having used computer attacks during its war with Georgia in 2008.
The following account of the attack on The Times — which is based on interviews with Times executives, reporters and security experts — provides a glimpse into one such spy campaign.
After The Times learned of warnings from Chinese government officials that its investigation of the wealth of Mr. Wen’s relatives would “have consequences,” executives on Oct. 24 asked AT&T, which monitors The Times’s computer network, to watch for unusual activity.
On Oct. 25, the day the article was published online, AT&T informed The Times that it had noticed behavior that was consistent with other attacks believed to have been perpetrated by the Chinese military.
The Times notified and voluntarily briefed the Federal Bureau of Investigation on the attacks and then — not initially recognizing the extent of the infiltration of its computers — worked with AT&T to track the attackers even as it tried to eliminate them from its systems.
But on Nov. 7, when it became clear that attackers were still inside its systems despite efforts to expel them, The Times hired Mandiant, which specializes in responding to security breaches. Since learning of the attacks, The Times — first with AT&T and then with Mandiant — has monitored attackers as they have moved around its systems.
Hacker teams regularly began work, for the most part, at 8 a.m. Beijing time. Usually they continued for a standard work day, but sometimes the hacking persisted until midnight. Occasionally, the attacks stopped for two-week periods, Mandiant said, though the reason was not clear.
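The schedule pattern described above (an 8 a.m. Beijing start, a standard working day, occasional two-week pauses) is something an incident responder can check from timestamps alone. The following is an added example, not code from the article or from Mandiant: it builds a constructed beacon log (the host name, C2 address and dates are fictitious), converts each event to Beijing time, finds the densest ten-hour block of activity, and flags gaps of two weeks or more.

```python
"""Operator working-hours analysis from outbound-connection timestamps.
Added example; the log is constructed and the host/IP are fictitious."""
from __future__ import annotations

import re
from collections import Counter
from datetime import datetime, timedelta, timezone

BEIJING = timezone(timedelta(hours=8))  # China observes no DST, a fixed offset is safe
LINE_RE = re.compile(r"^(\S+) (\S+) CONNECT (\S+)$")


def synthetic_log() -> str:
    """Constructed proxy log: one UTC line per outbound CONNECT to a C2 host.
    Activity runs 08:00-18:00 Beijing (00:00-10:00 UTC) on weekdays from
    2012-10-01 through 2012-11-30, with a two-week pause from 2012-10-15."""
    lines = []
    day = datetime(2012, 10, 1, tzinfo=timezone.utc)
    pause_start = datetime(2012, 10, 15, tzinfo=timezone.utc)
    pause_end = pause_start + timedelta(days=14)
    while day < datetime(2012, 12, 1, tzinfo=timezone.utc):
        if day.weekday() < 5 and not (pause_start <= day < pause_end):
            for hour in range(0, 10):  # 00-10 UTC == 08-18 Beijing
                ts = day + timedelta(hours=hour, minutes=(hour * 7) % 60)
                lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} ws-053 CONNECT 198.51.100.23:443")
        day += timedelta(days=1)
    return "\n".join(lines)


def parse(log: str) -> list[datetime]:
    """Extract UTC timestamps from matching lines; ignore anything else."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append(ts.replace(tzinfo=timezone.utc))
    return sorted(events)


def hour_histogram(events: list[datetime], tz: timezone) -> Counter:
    """Count events per local hour in the candidate operator time zone."""
    return Counter(e.astimezone(tz).hour for e in events)


def likely_workday(hist: Counter, window: int = 10) -> tuple[int, int]:
    """Return (start, end) of the densest `window`-hour span, wrapping midnight."""
    best = max(range(24), key=lambda s: sum(hist[(s + i) % 24] for i in range(window)))
    return best, (best + window) % 24


def pauses(events: list[datetime], min_days: int = 14) -> list[tuple[datetime, datetime]]:
    """Return (last_before, first_after) pairs for gaps of at least min_days."""
    return [(a, b) for a, b in zip(events, events[1:]) if b - a >= timedelta(days=min_days)]


if __name__ == "__main__":
    evts = parse(synthetic_log())
    print("Beijing working window:", likely_workday(hour_histogram(evts, BEIJING)))
    print("UTC working window:    ", likely_workday(hour_histogram(evts, timezone.utc)))
    for a, b in pauses(evts):
        print(f"pause: {a:%Y-%m-%d} -> {b:%Y-%m-%d}")
```

The histogram alone is weak attribution evidence (operators can shift hours, or the clocks can be wrong), which is why the article pairs it with malware, infrastructure and tradecraft overlap; the point of the example is that the hour-of-day and pause structure is cheap to extract from logs you already have.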
Investigators still do not know how hackers initially broke into The Times’s systems. They suspect the hackers used a so-called spear-phishing attack, in which they send e-mails to employees that contain malicious links or attachments. All it takes is one click on the e-mail by an employee for hackers to install “remote access tools” — or RATs. Those tools can siphon off oceans of data — passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras — and send the information back to the attackers’ Web servers.
Michael Higgins, chief security officer at The Times, said: “Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your e-mail account and you’re opening it and letting them in.”
Lying in Wait
Once hackers get in, it can be hard to get them out. In the case of a 2011 breach at the United States Chamber of Commerce, for instance, the trade group worked closely with the F.B.I. to seal its systems, according to chamber employees. But months later, the chamber discovered that Internet-connected devices — a thermostat in one of its corporate apartments and a printer in its offices — were still communicating with computers in China.
In part to prevent that from happening, The Times allowed hackers to spin a digital web for four months to identify every digital back door the hackers used. It then replaced every compromised computer and set up new defenses in hopes of keeping hackers out.
“Attackers target companies for a reason — even if you kick them out, they will try to get back in,” said Nick Bennett, the security consultant who has managed Mandiant’s investigation. “We wanted to make sure we had full grasp of the extent of their access so that the next time they try to come in, we can respond quickly.”
Based on a forensic analysis going back months, it appears the hackers broke into The Times computers on Sept. 13, when the reporting for the Wen articles was nearing completion. They set up at least three back doors into users’ machines that they used as a digital base camp. From there they snooped around The Times’s systems for at least two weeks before they identified the domain controller that contains user names and hashed passwords (a one-way transformation, so the plaintext itself is not stored) for every Times employee.
Hashing makes a break-in harder, but unsalted hashes can often be cracked with so-called rainbow tables: precomputed lookup tables that cover nearly every alphanumeric combination up to a certain length, trading storage space for cracking time. Some hacker Web sites publish tables with as many as 50 billion hash values. The technique works only when the stored hash is unsalted, so that the same password always produces the same hash and one table serves every victim; a per-account random salt forces the attacker to recompute for each account.
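As an added illustration (not part of the article, and not the hash function or passwords involved at The Times), the following builds a tiny rainbow table over an assumed keyspace of four-digit PINs hashed with SHA-1, recovers a plaintext from an unsalted hash by replaying chains, and shows that the same table is useless against a salted hash of the same PIN.

```python
"""Rainbow-table demo: precomputation versus unsalted hashes, and why a salt
defeats it.  Added example; the keyspace (4-digit PINs) and SHA-1 are
illustrative assumptions, not what the victim in the article used."""
from __future__ import annotations

import hashlib
import random

ALPHABET = "0123456789"
LENGTH = 4
KEYSPACE = len(ALPHABET) ** LENGTH  # 10,000 possible PINs
CHAIN_LEN = 100                     # reductions per chain
NUM_CHAINS = 200                    # 200 x 100 = 20,000 chain points stored as 200 pairs


def H(plaintext: str) -> str:
    """The (assumed) unsalted hash the victim stores."""
    return hashlib.sha1(plaintext.encode()).hexdigest()


def index_to_plaintext(i: int) -> str:
    """Map an integer in [0, KEYSPACE) to a fixed-length PIN."""
    chars = []
    for _ in range(LENGTH):
        i, r = divmod(i, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(reversed(chars))


def reduce_(h: str, position: int) -> str:
    """Reduction: map a hash back into the keyspace. Using a different
    reduction per chain position (the 'rainbow' idea) limits chain merges."""
    return index_to_plaintext((int(h[:12], 16) + position) % KEYSPACE)


def build_table() -> dict[str, list[str]]:
    """Precompute NUM_CHAINS chains, storing only end -> [starts]."""
    table: dict[str, list[str]] = {}
    for c in range(NUM_CHAINS):
        start = index_to_plaintext((c * 7919) % KEYSPACE)  # deterministic, spread-out starts
        p = start
        for pos in range(CHAIN_LEN):
            p = reduce_(H(p), pos)
        table.setdefault(p, []).append(start)
    return table


def crack(table: dict[str, list[str]], target: str) -> str | None:
    """Recover the plaintext behind an unsalted hash, or None if not covered."""
    for k in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target sits at chain position k. Replay the chain to its end.
        x = reduce_(target, k)
        for pos in range(k + 1, CHAIN_LEN):
            x = reduce_(H(x), pos)
        for start in table.get(x, ()):
            p = start  # endpoint matched: walk the stored chain from its start
            for pos in range(CHAIN_LEN):
                if H(p) == target:
                    return p
                p = reduce_(H(p), pos)
            # no hit: a false alarm caused by colliding endpoints
    return None


def salted_hash(salt: str, plaintext: str) -> str:
    """Same hash function, but with a per-account salt prefixed."""
    return H(salt + plaintext)


def coverage_estimate(table: dict[str, list[str]], samples: int = 100) -> float:
    """Fraction of randomly chosen PINs the table recovers (seeded, repeatable)."""
    rng = random.Random(1)
    hits = 0
    for _ in range(samples):
        pin = index_to_plaintext(rng.randrange(KEYSPACE))
        hits += crack(table, H(pin)) == pin
    return hits / samples


if __name__ == "__main__":
    t = build_table()
    victim = "4711"
    print("unsalted:", crack(t, H(victim)))
    print("salted:  ", crack(t, salted_hash("a3f9", victim)))
    print(f"coverage ~ {coverage_estimate(t):.0%} of the keyspace from {NUM_CHAINS} stored pairs")
```

Real tables are built the same way over far larger keyspaces; the storage saving is that only chain endpoints are kept, at the price of replaying up to CHAIN_LEN squared hashes per lookup. The salted call fails not because the hash is stronger but because the table was built for inputs of a different form, which is exactly the property a per-account salt buys.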
Investigators found evidence that the attackers cracked the passwords and used them to gain access to a number of computers. They created custom software that allowed them to search for and grab Mr. Barboza’s and Mr. Yardley’s e-mails and documents from a Times e-mail server.
Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.
A Symantec spokesman said that, as a matter of policy, the company does not comment on its customers.
The attackers were particularly active in the period after the Oct. 25 publication of The Times article about Mr. Wen’s relatives, especially on the evening of the Nov. 6 presidential election. That raised concerns among Times senior editors who had been informed of the attacks that the hackers might try to shut down the newspaper’s electronic or print publishing system. But the attackers’ movements suggested that the primary target remained Mr. Barboza’s e-mail correspondence.
“They could have wreaked havoc on our systems,” said Marc Frons, the Times’s chief information officer. “But that was not what they were after.”
What they appeared to be looking for were the names of people who might have provided information to Mr. Barboza.
Mr. Barboza’s research on the stories, as reported previously in The Times, was based on public records, including thousands of corporate documents through China’s State Administration for Industry and Commerce. Those documents — which are available to lawyers and consulting firms for a nominal fee — were used to trace the business interests of relatives of Mr. Wen.
A Tricky Search
Tracking the source of an attack to one group or country can be difficult because hackers usually try to cloak their identities and whereabouts.
To run their Times spying campaign, the attackers used a number of compromised computer systems registered to universities in North Carolina, Arizona, Wisconsin and New Mexico, as well as smaller companies and Internet service providers across the United States, according to Mandiant’s investigators.
The hackers also continually switched from one I.P. address to another; an I.P. address, for Internet protocol, is a unique number identifying each Internet-connected device from the billions around the globe, so that messages and other information sent by one device are correctly routed to the ones meant to get them.
Using university computers as proxies and switching I.P. addresses were simply efforts to hide the source of the attacks, which investigators say is China. The pattern that Mandiant’s experts detected closely matched the pattern of earlier attacks traced to China. After Google was attacked in 2010 and the Gmail accounts of Chinese human rights activists were opened, for example, investigators were able to trace the source to two educational institutions in China, including one with ties to the Chinese military.
Security experts say that by routing attacks through servers in other countries and outsourcing attacks to skilled hackers, the Chinese military maintains plausible deniability.
“If you look at each attack in isolation, you can’t say, ‘This is the Chinese military,’ ” said Richard Bejtlich, Mandiant’s chief security officer.
But when the techniques and patterns of the hackers are similar, it is a sign that the hackers are the same or affiliated.
“When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction,” he said.
Mandiant has been tracking about 20 groups that are spying on organizations inside the United States and around the globe. Its investigators said that based on the evidence — the malware used, the command and control centers compromised and the hackers’ techniques — The Times was attacked by a group of Chinese hackers that Mandiant refers to internally as “A.P.T. Number 12.”
A.P.T. stands for Advanced Persistent Threat, a term that computer security experts and government officials use to describe a targeted attack and that many say has become synonymous with attacks done by China. AT&T and the F.B.I. have been tracking the same group, which they have also traced to China, but they use their own internal designations.
Mandiant said the group had been “very active” and had broken into hundreds of other Western organizations, including several American military contractors.
To get rid of the hackers, The Times blocked the compromised outside computers, removed every back door into its network, changed every employee password and wrapped additional security around its systems.
For now, that appears to have worked, but investigators and Times executives say they anticipate more efforts by hackers.
“This is not the end of the story,” said Mr. Bejtlich of Mandiant. “Once they take a liking to a victim, they tend to come back. It’s not like a digital crime case where the intruders steal stuff and then they’re gone. This requires an internal vigilance model.”
