Investigators at Mandiant, a small company that mops up big cyber messes, have seen it all. They usually can’t talk about any of it, because most clients would rather not trouble consumers, investors or business relations with harrowing tales of stolen passwords and hacked email.
That’s not the case in the matter of the hacking of the New York Times, allegedly by the Chinese government and possibly by the Chinese military. We're about to see if dragging hackers into the public square makes any difference at all.
The Times company has given Mandiant the green light to talk about the investigation it began in November, including the evidence it says it gathered of official Chinese involvement.
One revelation is that the targeted nature of the hacking -- against 53 computers at various New York Times sites -- was not particularly unusual and required no technical breakthroughs on the part of the hackers.
“People have been asking, ‘Is this a new trend that we’re seeing?’” said Mandiant’s Nick Bennett, who managed the investigation. “I would say no, it’s not a new trend. The only thing unique about this particular situation is that the New York Times decided to come out and talk about it,” he told Deep Dive.
The hackers seemed most interested in the computer and email of Shanghai Bureau Chief David Barboza. He’s the author of an October article detailing the wealth amassed by China’s Prime Minister Wen Jiabao.
Why does Mandiant think the hackers were working for the Chinese military? Because their work matches the pattern of other cases believed attributable to the Chinese military, and because they were “stealing data that matches Chinese interests,” Bennett said.
The Times company turned to Mandiant in November after AT&T reported suspicious network traffic. Mandiant worked clandestinely at first to learn everything it could about the tactics of the hackers without alerting them. Forensic evidence suggests that the hackers entered the network in September.
The New York Times published a 2,400-word feature Jan. 30 laying out the evidence for Chinese government or military involvement and quoting a strong denial from the Chinese military.
The Times felt confident enough about the evidence to run a photo of Wen, the prime minister, as the teaser for a video accompanying the article.
The Times contends that the Chinese targeted Barboza’s email account in the erroneous belief that he had cultivated a Chinese “Deep Throat,” meaning a human source. In fact, Barboza pieced the story together from public information, says reporter Nicole Perlroth, in the video.
The moxie of the Times will be a good test of what happens when suspected hackers are outed and their victims go public.
The wisdom of that strategy has been a hard sell in other business sectors. The Securities and Exchange Commission got a poor response last year to a new guideline urging businesses to disclose hacking incidents in their regulatory filings, the Insurance Journal and Reuters reported.
In the Times case, the revelation by one company led to a dam break of similar revelations. The Wall Street Journal followed with a report saying its computers had been broken into too. The Washington Post, responding to an account by Brian Krebs of the “Krebs on Security” blog, confirmed that it, too, was a victim of hacking from China. The Post reported it brought in Mandiant in 2011 to neutralize Chinese attacks that began as far back as 2008. The Post took exception to a claim that it turned over one of its servers to the National Security Agency and Defense Department for analysis. A spokeswoman was quoted expressing confidence that such a turnover did not happen.
The coming months will tell us whether this sudden openness can extend beyond the media sector, or whether newspapers have a built-in incentive to let readers know the Chinese government fears them too.