Anatomy of a Breach: The New York Times — Four Months of Chinese Espionage Targeting Journalists

> series: anatomy_of_a_breach —— part: 049 —— target: new_york_times —— attacker: apt1_unit_61398 —— duration: 4_months

Hedgehog Security 31 January 2013 13 min read

China did not want this story published. So they hacked the newspaper.

On 30 January 2013, the New York Times disclosed that Chinese hackers had infiltrated its computer network and maintained access for approximately four months. The attackers specifically targeted the email accounts and passwords of reporters who had been investigating the personal wealth of the family of Wen Jiabao, then-Premier of China. The investigation, which documented how Wen's relatives had accumulated billions of dollars in assets, was published in October 2012 — and the cyber intrusion began around the same time, suggesting the attackers were seeking to identify the Times' sources within China.

Security firm Mandiant, hired by the Times to investigate, traced the attacks to the same Chinese military unit — the People's Liberation Army Unit 61398, also known as APT1 — that had been linked to Operation Aurora and Nortel's decade-long compromise. The attackers installed 45 pieces of custom malware on Times systems, none of which were detected by the newspaper's Symantec anti-virus software. Mandiant would publish its landmark APT1 report the following month, publicly identifying Unit 61398 and documenting its campaigns against 141 organisations across 20 industries.

Spear-phishing, custom malware, and anti-virus evasion.

NYT Breach — Kill Chain
── Initial Access ──────────────────────────────────────────
Spear-phishing emails targeting Times employees
Malware deployed — 45 custom samples installed
Zero detections by Symantec anti-virus

── Lateral Movement ────────────────────────────────────────
Passwords of every Times employee cracked
External access gained to 53 employee computers
Specific targeting of China bureau reporters

── Objective ───────────────────────────────────────────────
Identify confidential sources for Wen Jiabao investigation
Monitor email communications of China correspondents
No evidence of intellectual property theft
Objective was intelligence, not data theft
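The lateral-movement stage above (one external foothold reaching dozens of employee machines and the mailboxes of a specific bureau) is the kind of pattern behavioural monitoring is meant to surface. The detector below is an added example, not Times or Mandiant tooling; the log format, the host names, the "CHINA-BUREAU" tag and the internal address ranges are all constructed for illustration.

```python
"""Flag an external source fanning out across many hosts or touching watched hosts."""
from collections import defaultdict

# Constructed sample auth events: "timestamp,user,src_ip,dst_host,action".
SAMPLE_LOG = """\
2012-10-03T02:11:05,jsmith,203.0.113.7,WS-REPORTER-01,logon
2012-10-03T02:11:40,jsmith,203.0.113.7,WS-REPORTER-02,logon
2012-10-03T02:12:15,jsmith,203.0.113.7,WS-CHINA-BUREAU-01,logon
2012-10-03T02:12:50,jsmith,203.0.113.7,WS-CHINA-BUREAU-02,mailbox_read
2012-10-03T02:13:30,jsmith,203.0.113.7,WS-FINANCE-03,logon
2012-10-03T09:01:00,alee,10.20.30.40,WS-REPORTER-02,logon
2012-10-03T09:05:00,alee,10.20.30.40,WS-REPORTER-02,mailbox_read
"""

INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")  # assumed internal ranges
WATCHED_HOST_TAG = "CHINA-BUREAU"  # constructed label for high-risk hosts


def parse_events(text):
    """Parse the constructed CSV-style lines into dicts, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, host, action = line.split(",")
        events.append({"ts": ts, "user": user, "src": src, "host": host, "action": action})
    return events


def is_external(ip):
    return not ip.startswith(INTERNAL_PREFIXES)


def detect(events, max_hosts=3):
    """Return one alert per (user, source IP) that fans out or reaches watched hosts."""
    hosts_by_key = defaultdict(set)
    watched_by_key = defaultdict(set)
    for e in events:
        key = (e["user"], e["src"])
        hosts_by_key[key].add(e["host"])
        if WATCHED_HOST_TAG in e["host"]:
            watched_by_key[key].add(e["host"])
    alerts = []
    for (user, src), hosts in hosts_by_key.items():
        reasons = []
        if is_external(src) and len(hosts) > max_hosts:
            reasons.append(f"external source reached {len(hosts)} distinct hosts")
        if is_external(src) and watched_by_key[(user, src)]:
            reasons.append("external access to watched hosts: "
                           + ",".join(sorted(watched_by_key[(user, src)])))
        if reasons:
            alerts.append({"user": user, "src": src, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

The internal user touching one workstation produces nothing; the external source that reaches five hosts including two watched ones is reported with both reasons.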

Nation-state targeting extends beyond defence and technology.

The Times breach expanded the known target set for Chinese state-sponsored espionage. Previous campaigns — Aurora, Shady RAT, Nortel — had targeted technology companies, defence contractors, and international organisations. The Times breach showed that any organisation whose activities intersect with a foreign government's political sensitivities can become a target. Media organisations, NGOs, law firms handling cross-border disputes, and professional services firms advising on international transactions all fall within this expanded threat model.

Media as a Target

The Times was targeted because of its journalism — specifically, investigative reporting that embarrassed the Chinese government. Any media organisation, law firm, or consultancy whose work touches politically sensitive topics faces the same risk. Our <a href="/blog/sector-under-the-microscope-professional-services">professional services analysis</a> examines this cross-sector threat.

Anti-Virus Failed Completely

45 custom malware samples, zero anti-virus detections. The attackers tested their malware against AV products before deployment — the same technique <a href="/blog/anatomy-of-a-breach-gonzalez-indictment">Gonzalez</a> and <a href="/blog/anatomy-of-a-breach-mariposa-botnet">Mariposa</a> used. Signature-based AV is necessary but insufficient. <a href="https://www.socinabox.co.uk">SOC in a Box</a> uses behavioural detection alongside signatures to catch the malware that AV misses.

Source Protection Is a Security Issue

The attackers' objective was to identify the Times' confidential sources — people inside China who had provided information about Wen Jiabao's family wealth. If those sources were identified, the consequences could include imprisonment or worse. Source protection is not just an editorial concern — it is a security concern that requires technical controls.

Detection Required External Help

The Times detected unusual activity but required Mandiant's expertise to investigate and remediate. Mandiant's subsequent <a href="/blog/apt1-the-persistent-data-hoarder">APT1 report</a> publicly attributed the attacks to Unit 61398 — a watershed moment in threat intelligence. For <a href="https://www.cyber-defence.io/services/threat-intelligence">threat intelligence</a> and <a href="https://www.cyber-defence.io/services/incident-response">incident response</a>, UK Cyber Defence provides the expertise organisations need when sophisticated intrusions are detected.

Protecting against targeted nation-state espionage.

The Times breach reinforces the need for defence-in-depth against APT-level threats. Our red team engagements simulate APT techniques including custom malware, AV evasion, and targeted phishing. Social engineering assessments test staff resilience. SOC in a Box provides 24/7 behavioural monitoring that catches the lateral movement and data access patterns that define APT intrusions. Cyber Essentials establishes baseline controls. And UK Cyber Defence provides the incident response and forensic investigation capability when an intrusion is detected.

If China hacked the New York Times over a story, what would they do to access your clients' data?

Our <a href="/penetration-testing/red-team">red team engagements</a> simulate APT-level attacks. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects what AV misses. Because nation-state targeting is no longer limited to defence contractors.