Chinese hackers hacking Western journalists to want to know what they THINK about China?

What’s the most absurd nonsense that’s out there in the American press lately? Now that the Wall Street Journal has jumped into the fray, asserting, “Chinese Hackers Hit U.S. Media,” I thought the paper would at least cite some hard evidence. Alas, no. Instead, when you see the whole article premised on “people familiar with incidents said” or “several people familiar with the response to the cyberattacks said,” well, what can you say? Perhaps there is a career in journalism in quoting cats and dogs too. But I must give the WSJ credit for interviewing Chinese Embassy spokesman Geng Shuang, who condemned the allegations: “It is irresponsible to make such an allegation without solid proof and evidence. The Chinese government prohibits cyberattacks and has done what it can to combat such activities in accordance with Chinese laws.”

Could there be something more absurd? WSJ quoted Richard Bejtlich, chief security officer with the computer-security company Mandiant Corp., whom NYT hired to investigate its breach:

“It’s part of this overall story that the Chinese want to know what the West thinks of them. What slant is the media going to take on them? Who are their sources?”

Truly moronic. Wouldn’t it be easier to simply read the articles rather than hacking to understand what the Western media thinks of them?

But, wait a minute, Bejtlich has not revealed hard evidence the hackers are even Chinese. The fact that the IPs traced to some computers in China means nothing, just as the many U.S. university computers that were also hops along the same route used by the hackers were dismissed as culprits.

Let’s assume the hackers are indeed physically within China; does that then mean the entire nation is guilty? Since when did American hackers who steal others’ identities represent the whole of America?

Obviously, no one should be condoning hacking. In fact, U.S. and China should cooperate to chase down hackers.

So, as the Chinese Embassy spokesman Geng Shuang said, it is indeed irresponsible to make such allegations without solid proof and evidence. So far, these WSJ and NYT articles speak more about these U.S. media than anything else.

Such behavior on these media’s part is really the same sort of nastiness already articulated in this excellently written piece by melektaus, “Collective Defamation,” which is also under our featured posts section.

[Update Feb 6, 2013]
The following article by Constantine von Hoffman over at the CIO magazine deserves a read (h/t Black Phoenix).

NYT, WSJ Forget the Facts in Stories About Their Own Hacks

After getting hacked last week, both The Wall Street Journal and The New York Times irresponsibly published allegations about the hackers without the necessary facts to support them.

Posted February 04, 2013

Both The New York Times and The Wall Street Journal were hacked last week, and the incidents made headlines not because they were a big deal but because the press loves to talk about itself. In this case, the talk came in the form of some appallingly bad reporting.

The attacks themselves apparently don’t matter because the hackers–assumed to be Chinese, though I have yet to see any facts that substantiate this–didn’t get any sensitive information. That’s probably because these news sources have precious little sensitive information to be found. As The WSJ points out:

“Journal sources on occasion have become hard to reach after information identifying them was included in emails. However, Western reporters in China long have assumed that authorities are monitoring their communications and act accordingly in sensitive cases.”

This fact did not prevent The Journal from running a story that implies something big happened. From that story:

“Chinese hackers believed to have government links have been conducting wide-ranging electronic surveillance of media companies including The Wall Street Journal, apparently to spy on reporters covering China and other issues, people familiar with the incidents said.”

A WSJ article about something that happened at the WSJ can’t name the source of the information?!?! Whose identity is being protected and why?

The story later says these attacks have been going on for years. Newspapers are no different than any other businesses in this respect, so why are the hacks now news?

The Times tried to link the intrusion to its superb reporting about the finances of Chinese leaders:

 “The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.”

Correlation isn’t proof, folks. But The Times does its damndest to make a circumstantial case against China:

  • “The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them, said computer security experts at Mandiant, the company hired by The Times. This matches the subterfuge used in many other attacks that Mandiant has tracked to China.”
  • “The malware was identified by computer security experts as a specific strain associated with computer attacks originating in China.”
  • “More evidence of the source, experts said, is that the attacks started from the same university computers used by the Chinese military to attack United States military contractors in the past.”
  • “The attacks appear to be part of a broader computer espionage campaign against American news media companies that have reported on Chinese leaders and corporations.”
  • “Last year, Bloomberg News was targeted by Chinese hackers, and some employees’ computers were infected, according to a person with knowledge of the company’s internal investigation.”
  • “The mounting number of attacks that have been traced back to China suggest that hackers there are behind a far-reaching spying campaign.”
  • “Security experts said that beginning in 2008, Chinese hackers began targeting Western journalists.” (Well, if unnamed security experts say so it must be true.)
  • “On Oct. 25, the day the article was published online, AT&T informed The Times that it had noticed behavior that was consistent with other attacks believed to have been perpetrated by the Chinese military.”

Unless The Times has figured out how to positively identify the source of a cyber attack, something no one else has done, not a single one of those claims is verifiable.

It is embarrassing that an article in The NYT makes so many accusations without facts to support them. The Journal story isn’t any better. The only voice in the story that raises reasonable criticism of the allegations is a Chinese government spokesman:

“Cyber attacks are transnational and anonymous. It’s very hard to trace the source of attack,” he said. “To presume the source of a hacking attack based on speculation is irresponsible and unprofessional.”

All three of those sentences are true but since we’ve been told China is behind the attacks his comment is already discredited.

It certainly wouldn’t surprise me to find out that China was indeed behind the attacks. However, the truth is that we do not know. In journalism to presume the source of anything “based on speculation is irresponsible and unprofessional.”

(My deepest sympathies go to the reporters who got stuck writing these articles. There is nothing worse than writing a story about a news event involving your own newspaper. It is quite possible that the articles published bear little resemblance to the articles the reporters submitted to their editors. I have seen it happen many times under similar circumstances.)

Constantine von Hoffman writes CIO.com’s IT Security Hack blog. Follow Constantine on Twitter @CurseYouKhan. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Constantine at cvon@areporter.com.

  1. February 1st, 2013 at 00:59 | #1

    I’d have preferred to the original New York Times article that started this current stream of me, too, I am attacked stories. This must be a popular article. It now even has a video attached.

    Problem with this story (and WSJ story and all Western stories of Chinese attacks) is that it is based on insinuations. It presents a “plausible” motive that attackers in China – perhaps attackers affiliated with the Chinese government – and point to some attacks that occurred in some time frame consistent with that motive – and voila – frontpage news on the New York Times!

    In this current case, the NYT speculates, it has been attacked after its major stories on wealth of top Chinese officials or their extended families (Wen Jiabao being a focus in this case). The attacks have been traced back to some Chinese IPs, hence, the Chinese, the Chinese gov’t in fact, must be behind this.

    Problem: you can find attacks all the time from everywhere. There was a story last month in Forbes, for example, that showed a dramatic increase in cyber attacks on Chinese computers from Japan and S. Korea that are ultimately traced to the U.S. Just a few months ago, I read a story where Sarkozy’s staff was allegedly attacked by hackers in the U.S. (of course no grand denouncement of Americans or the American gov’t there in general).

    So it means nothing if you can cite some attacks. The attacks are always there for you to selectively cite to support whatever theory you want.

    As for the Chinese IP addresses? They also mean nothing…

    Science and engineering experts know that tracing attacks back to their origins is practically next to impossible (see, e.g., this Scientific American article). And as we’ve covered before in many posts (see e.g. this), even if you can trace one hop back to some country, it doesn’t mean you’ve reached the control host. Many U.S. attackers create accounts in third party countries only to attack targets in the U.S. Just because you can trace some attacks to Chinese IP addresses means nothing. I doubt NY Times (or WSJ) worked with Chinese authorities to figure out the nature of those Chinese IPs. They are known to make the mistake of taking a hair vocational school for a Chinese special cyber warfare unit.

    So where is the proof?

    Well … it’s actually a guess, really.

    See, buried toward the end of the NYT story, the story concedes:

    Tracking the source of an attack to one group or country can be difficult because hackers usually try to cloak their identities and whereabouts.

    “If you look at each attack in isolation, you can’t say, ‘This is the Chinese military,’ ” said Richard Bejtlich, Mandiant’s chief security officer.

    But when the techniques and patterns of the hackers are similar, it is a sign that the hackers are the same or affiliated.

    “When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction,” he said.

    Mandiant has been tracking about 20 groups that are spying on organizations inside the United States and around the globe. Its investigators said that based on the evidence — the malware used, the command and control centers compromised and the hackers’ techniques — The Times was attacked by a group of Chinese hackers that Mandiant refers to internally as “A.P.T. Number 12.”

    A.P.T. stands for Advanced Persistent Threat, a term that computer security experts and government officials use to describe a targeted attack and that many say has become synonymous with attacks done by China. AT&T and the F.B.I. have been tracking the same group, which they have also traced to China, but they use their own internal designations.

    Mandiant said the group had been “very active” and had broken into hundreds of other Western organizations, including several American military contractors.

    Read carefully … so Mandiant admits you can’t say where the attacks really originate from if you look at each attack.

    But it thinks all these attacks are related and are due to one group it calls APT #12 and that APT #12 is a Chinese group (a government group, in fact). The reason is because these attacks are “similar” and look “Chinese.”

    “[T]he malware used, the command and control centers compromised and the hackers’ techniques.”

    Well, hackers share data all the time. That’s why Microsoft, virus checkers periodically release “definitions” for worms, viruses, etc. Hackers share information. Similar techniques come in waves. Simply waving empty gestures that these attacks share similar techniques means nothing.

    I wonder what “techniques” were exposed. This is the crux of the story – but NYT fails to release any detail!

    So what you are left in the end is that these attacks are Chinese attacks because we suspect it.

    “When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction.”

    That’s really the gist of the story. That’s the foundation.

    And the NYT has deemed it among “all the news that’s fit to print…”

    And enough to plaster a big picture of a Chinese flag and a Chinese leader on the story.

  2. pug_ster
    February 1st, 2013 at 01:34 | #2

    If China did use some kind of malware to attack these computers, the type of malware used should be extracted from the US universities and be explained in great length like the Stuxnet worm. But where is that proof?

  3. February 2nd, 2013 at 16:41 | #3

    Wow, this is truly a new low in terms of moronic delusions. So on the one hand, the “evil chi-coms” are clever enough to hack into the IT systems of US media outlets, but on the other hand so stupid that they can’t figure out what journalists are thinking just by reading their publicly available articles & op-eds.

    For me, it’s pretty easy to see what this WSJ journalist thinks of China – apparently we’re a nation of cartoonishly stupid evil geniuses.

  4. pug_ster
    July 25th, 2013 at 13:45 | #4


    Lol, Russian hackers probably cause more damage than China allegedly did.