The Washington Post was among several major U.S. newspapers that spent much of 2012 trying to untangle its newsroom computer networks from a Web of malicious software thought to have been planted by Chinese cyberspies, according to a former information technology employee at the paper.
On Jan. 30, The New York Times disclosed that Chinese hackers had persistently attacked the Gray Lady, infiltrating its computer systems and getting passwords for its reporters and other employees. The Times said that the timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.
The following day, The Wall Street Journal ran a story documenting similar incursions on their network. Now, a former Post employee is coming forward with information suggesting that Chinese hacker groups had broadly compromised computer systems within the Post’s newsroom and other operations throughout 2012.
According to a former Washington Post information technology employee who helped respond to the break-in, attackers compromised at least three servers and a multitude of desktops, installing malicious software that allowed the perpetrators to maintain access to the machines and the network.
“They transmitted all domain information (usernames and passwords),” the former Post employee said on condition of anonymity. “ We spent the better half of 2012 chasing down compromised PCs and servers. [It] all pointed to being hacked by the Chinese. They had the ability to get around to different servers and hide their tracks. They seemed to have the ability to do anything they wanted on the network.”
The Post has declined to comment on the source’s claims, saying through a spokesman that “we have nothing to share at this time.” But according to my source, the paper brought in several computer forensics firms – led by Alexandria, Va. based Mandiant - to help diagnose the extent of the compromises and to evict the intruders from the network. Mandiant declined to comment for this story.
Update, Feb. 2, 7:42 a.m. ET: The Post has published its own story confirming my source’s claims.
The former Post employee also noted that experts from the National Security Agency and Defense Department took one of the Post’s servers for forensic analysis.
“Quickly we had 3-4 different security companies come in and help track down what was compromised and where info was being sent to,” the source said. “Supposedly they found a new trojan and sent the information to Symantec in order to create a signature to find it.”
The Washington Post used Symantec’s antivirus and security software to protect systems from malicious software, but that detection obviously failed here. The New York Times also said it had relied on Symantec’s software, prompting the company to issue a somewhat defensive and terse statement that took the unusual step of commenting on a story about a customer, according to The Register.
As tweeted yesterday by Mandiant chief security officer Richard Bejtlich, what was rare about the New York Times hack was not that it happened, but that they disclosed so much information about it. I hope The Washington Post is as forthcoming about their experience. As security blogger Gunnar Peterson noted in an email exchange with KrebsOnSecurity, more surprising would be a major newspaper outlet that wasn’t hacked by the Chinese.
Peterson quipped that it may be some kind of “perverse journalistic badge of honor: If no one is hacking you [does it suggest that] your reporting doesn’t matter?”
Indeed, I would be surprised if we didn’t hear similar disclosures from a number of other major news media outlets in the coming days and weeks. Full disclosure: I should note that I got my start writing about technology and security for The Washington Post back in the early part of the last decade after having my home network completely overrun by a computer worm unleashed by one of China’s most celebrated hackers.