Saturday, March 9, 2013

British media: how should the US respond to Chinese cyberattacks? The New York Times attacked by Chinese hackers for four straight months / Hackers in China Attacked The Times for Last 4 Months

British media: how should the US respond to Chinese cyberattacks?

Updated 22 February 2013, 19:10 GMT

Cybersecurity
Mandiant's report accuses Chinese hackers of stealing trade secrets
An article in the latest issue of The Economist says that mounting evidence shows the Chinese government is backing cyberattacks that steal the trade secrets of American companies. The question the United States now faces is how to stop them.
The article says that experts at intelligence agencies and private cybersecurity firms have warned for years about Chinese hackers stealing the corporate secrets of Western companies, and that China has consistently denied it.
That changed on February 19, when the American cybersecurity firm Mandiant published a detailed report.
What makes the report striking is its finding that the hacking group in question is in fact an elite People's Liberation Army unit, designated "61398", based in an office building near Shanghai's financial district.
"Naming and shaming"
The Economist quotes Bill Bishop, a technology expert in Beijing, as saying that Mandiant's report is part of a new US policy of "naming and shaming" intended to press China to rein in its hackers.
Bishop says this may work, but he also worries that if the US pushes too hard, China's new leaders may feel they have no way to back down; under pressure from the military and public opinion, the Chinese authorities could escalate instead.
Adam Segal of the Council on Foreign Relations, a US think tank, says the United States must respond with measures such as economic sanctions and visa restrictions, raising the cost of intellectual-property theft so that China feels its own vulnerability.
The Economist notes that on February 20 the US government released a new policy document that strengthens the tools for combating theft of American trade secrets and that singles out China prominently.
A turning point
Companies have often been reluctant to admit they were hacked, the article says, for fear of tipping off competitors or unsettling investors. Mandiant's latest report may mark a turning point, with companies beginning to put collective security first.
Christian Murck, president of the American Chamber of Commerce in China, compared this silence with the silence that surrounded counterfeit goods more than a decade ago.
At the time, he said, counterfeiting was a very serious problem in China, but Western companies worried about damage to their brands and dared not speak out.
Companies later acted jointly, Murck said, sharing information and pressing for stronger legislation and enforcement. Counterfeiting remains widespread but has been brought under control, and he expects the hacking problem to end up the same way.
Hopes for China
Western victims of cyberattacks also hold out another hope: that attitudes toward intellectual-property theft are shifting at some of China's best companies.
For example, the Chinese telecommunications-equipment makers Huawei and ZTE have been in a dispute over intellectual-property theft, and the Chinese medical-device maker Mindray has taken former employees to court on charges of stealing its designs.
In other words, Chinese companies are beginning to create valuable intellectual property of their own, which will increase the demand for legal protection of it and push those companies to require their own employees to respect it.
The Economist concludes that foreign pressure remains crucial for China, especially since decisions of Chinese courts can still be bought and manipulated. External pressure together with domestic awareness of intellectual property may have an effect, but change is likely to be very slow.

Hackers in China Attacked The Times for Last 4 Months


SAN FRANCISCO — For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees.
After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and computer security experts have expelled the attackers and kept them from breaking back in.

The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.
Security experts hired by The Times to detect and block the computer attacks gathered digital evidence that Chinese hackers, using methods that some consultants have associated with the Chinese military in the past, breached The Times’s network. They broke into the e-mail accounts of its Shanghai bureau chief, David Barboza, who wrote the reports on Mr. Wen’s relatives, and Jim Yardley, The Times’s South Asia bureau chief in India, who previously worked as bureau chief in Beijing.
“Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,” said Jill Abramson, executive editor of The Times.
The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them, said computer security experts at Mandiant, the company hired by The Times. This matches the subterfuge used in many other attacks that Mandiant has tracked to China.
The attackers first installed malware — malicious software — that enabled them to gain entry to any computer on The Times’s network. The malware was identified by computer security experts as a specific strain associated with computer attacks originating in China. More evidence of the source, experts said, is that the attacks started from the same university computers used by the Chinese military to attack United States military contractors in the past.
Security experts found evidence that the hackers stole the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees, most of them outside The Times’s newsroom. Experts found no evidence that the intruders used the passwords to seek information that was not related to the reporting on the Wen family.
No customer data was stolen from The Times, security experts said.
Asked about evidence that indicated the hacking originated in China, and possibly with the military, China’s Ministry of National Defense said, “Chinese laws prohibit any action including hacking that damages Internet security.” It added that “to accuse the Chinese military of launching cyberattacks without solid proof is unprofessional and baseless.”
The attacks appear to be part of a broader computer espionage campaign against American news media companies that have reported on Chinese leaders and corporations.
Last year, Bloomberg News was targeted by Chinese hackers, and some employees’ computers were infected, according to a person with knowledge of the company’s internal investigation, after Bloomberg published an article on June 29 about the wealth accumulated by relatives of Xi Jinping, China’s vice president at the time. Mr. Xi became general secretary of the Communist Party in November and is expected to become president in March. Ty Trippet, a spokesman for Bloomberg, confirmed that hackers had made attempts but said that “no computer systems or computers were compromised.”
Signs of a Campaign
The mounting number of attacks that have been traced back to China suggest that hackers there are behind a far-reaching spying campaign aimed at an expanding set of targets including corporations, government agencies, activist groups and media organizations inside the United States. The intelligence-gathering campaign, foreign policy experts and computer security researchers say, is as much about trying to control China’s public image, domestically and abroad, as it is about stealing trade secrets.
Security experts said that beginning in 2008, Chinese hackers began targeting Western journalists as part of an effort to identify and intimidate their sources and contacts, and to anticipate stories that might damage the reputations of Chinese leaders.
In a December intelligence report for clients, Mandiant said that over the course of several investigations it found evidence that Chinese hackers had stolen e-mails, contacts and files from more than 30 journalists and executives at Western news organizations, and had maintained a “short list” of journalists whose accounts they repeatedly attack.
While computer security experts say China is most active and persistent, it is not alone in using computer attacks for a variety of national purposes, including corporate espionage. The United States, Israel, Russia and Iran, among others, are suspected of developing and deploying cyberweapons.
The United States and Israel have never publicly acknowledged it, but evidence indicates they released a sophisticated computer worm, Stuxnet, discovered in 2010, that attacked and caused damage at Iran's main nuclear enrichment plant. Iran is believed to have responded with computer attacks on targets in the United States, including American banks and foreign oil companies.
Russia is suspected of having used computer attacks during its war with Georgia in 2008.
The following account of the attack on The Times — which is based on interviews with Times executives, reporters and security experts — provides a glimpse into one such spy campaign.
After The Times learned of warnings from Chinese government officials that its investigation of the wealth of Mr. Wen’s relatives would “have consequences,” executives on Oct. 24 asked AT&T, which monitors The Times’s computer network, to watch for unusual activity.
On Oct. 25, the day the article was published online, AT&T informed The Times that it had noticed behavior that was consistent with other attacks believed to have been perpetrated by the Chinese military.
The Times notified and voluntarily briefed the Federal Bureau of Investigation on the attacks and then — not initially recognizing the extent of the infiltration of its computers — worked with AT&T to track the attackers even as it tried to eliminate them from its systems.
But on Nov. 7, when it became clear that attackers were still inside its systems despite efforts to expel them, The Times hired Mandiant, which specializes in responding to security breaches. Since learning of the attacks, The Times — first with AT&T and then with Mandiant — has monitored attackers as they have moved around its systems.
Hacker teams regularly began work, for the most part, at 8 a.m. Beijing time. Usually they continued for a standard work day, but sometimes the hacking persisted until midnight. Occasionally, the attacks stopped for two-week periods, Mandiant said, though the reason was not clear.
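The working-hours pattern described above is something an analyst derives from timestamps rather than observes directly: activity is logged in UTC, and the question is which local time zone makes it look like an ordinary working day. The following Python is an added example, not code from the article or from Mandiant, and the log lines in it are constructed for illustration. It scores every whole-hour UTC offset by how much of the observed activity falls inside a 08:00 to 18:00 local workday and reports the best fit; with the sample data the answer is UTC+8, Beijing time.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real Times data): beacon and logon events, UTC.
SAMPLE_LOG = """\
2012-11-12T00:05:11Z C2-BEACON src=10.20.4.31 dst=203.0.113.17
2012-11-12T00:41:02Z LOGON user=jdoe src=10.20.4.31
2012-11-12T02:17:45Z C2-BEACON src=10.20.4.31 dst=203.0.113.17
2012-11-12T04:03:09Z LOGON user=rsmith src=10.20.7.12
2012-11-12T06:55:30Z C2-BEACON src=10.20.7.12 dst=198.51.100.9
2012-11-12T08:12:50Z LOGON user=jdoe src=10.20.4.31
2012-11-12T09:55:03Z C2-BEACON src=10.20.7.12 dst=198.51.100.9
2012-11-13T00:09:40Z C2-BEACON src=10.20.4.31 dst=203.0.113.17
2012-11-13T03:30:21Z LOGON user=jdoe src=10.20.4.31
2012-11-13T09:48:12Z C2-BEACON src=10.20.4.31 dst=203.0.113.17
2012-11-13T15:20:00Z C2-BEACON src=10.20.4.31 dst=203.0.113.17
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+(\S+)")
WORKDAY_HOURS = range(8, 18)   # 08:00 <= local hour < 18:00


def parse_events(log: str):
    """Return (timestamp_utc, event_type) pairs; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2)))
    return events


def workday_fraction(events, utc_offset_hours: int) -> float:
    """Share of events that fall inside business hours at the given offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    n_in = sum(1 for ts, _ in events if ts.astimezone(tz).hour in WORKDAY_HOURS)
    return n_in / len(events)


def best_fit_offset(events):
    """Score every whole-hour offset from UTC-12 to UTC+14 and return the
    best one with the full score table. Half-hour zones (e.g. UTC+5:30)
    are deliberately not scored in this example."""
    scores = {off: workday_fraction(events, off) for off in range(-12, 15)}
    return max(scores, key=scores.get), scores


def hourly_histogram(events, utc_offset_hours: int):
    """Event count per local hour; useful for eyeballing start-of-shift spikes."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hist = [0] * 24
    for ts, _ in events:
        hist[ts.astimezone(tz).hour] += 1
    return hist


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    best, scores = best_fit_offset(ev)
    print(f"best-fit offset: UTC{best:+d} ({scores[best]:.0%} of activity in work hours)")
    print("local-hour histogram:", hourly_histogram(ev, best))
```

The fit is only as good as the data: a handful of events, operators who keep odd hours, or a proxy in a third country whose own logs are the only thing you see can all mislead it. It is one indicator to weigh alongside the malware, infrastructure and technique overlaps the article goes on to describe, not an attribution on its own.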
Investigators still do not know how hackers initially broke into The Times’s systems. They suspect the hackers used a so-called spear-phishing attack, in which they send e-mails to employees that contain malicious links or attachments. All it takes is one click on the e-mail by an employee for hackers to install “remote access tools” — or RATs. Those tools can siphon off oceans of data — passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras — and send the information back to the attackers’ Web servers.
Michael Higgins, chief security officer at The Times, said: “Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your e-mail account and you’re opening it and letting them in.”
Lying in Wait
Once hackers get in, it can be hard to get them out. In the case of a 2011 breach at the United States Chamber of Commerce, for instance, the trade group worked closely with the F.B.I. to seal its systems, according to chamber employees. But months later, the chamber discovered that Internet-connected devices — a thermostat in one of its corporate apartments and a printer in its offices — were still communicating with computers in China.
In part to prevent that from happening, The Times allowed hackers to spin a digital web for four months to identify every digital back door the hackers used. It then replaced every compromised computer and set up new defenses in hopes of keeping hackers out.
“Attackers target companies for a reason — even if you kick them out, they will try to get back in,” said Nick Bennett, the security consultant who has managed Mandiant’s investigation. “We wanted to make sure we had full grasp of the extent of their access so that the next time they try to come in, we can respond quickly.”
Based on a forensic analysis going back months, it appears the hackers broke into The Times computers on Sept. 13, when the reporting for the Wen articles was nearing completion. They set up at least three back doors into users' machines that they used as a digital base camp. From there they snooped around The Times's systems for at least two weeks before they identified the domain controller that contains user names and hashed passwords (one-way digests of the passwords rather than the passwords themselves) for every Times employee.
Hashing makes a break-in harder, but not much harder when the hashes are unsalted, as the NT hashes a Windows domain controller stores are: the same password always yields the same hash, so such hashes can be cracked using so-called rainbow tables, readily available precomputed databases of hash values for nearly every alphanumeric character combination up to a certain length. Some hacker Web sites publish as many as 50 billion hash values. Two caveats matter for defenders. A per-password salt defeats precomputed tables entirely, which is why modern password storage uses salted, deliberately slow hashes. And on a Windows domain an attacker frequently does not need to crack anything, because the NT hash itself can be replayed to authenticate (the "pass-the-hash" technique), so the hashes must be protected as if they were the passwords.
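To make the rainbow-table mechanism concrete, the following Python is an added example, not code from the article or from Mandiant. It builds a toy table against an unsalted hash, recovers a password from its hash by walking the chains, and then shows that the same table finds nothing once a salt is mixed in. MD5 stands in for the NT hash purely because hashlib provides it everywhere (NT hashes are MD4 over the UTF-16LE password; the attack is identical), and the alphabet, password length, chain length, chain count and seed are all parameters chosen for the example.

```python
import hashlib
import os
from collections import defaultdict

# Toy keyspace and chain parameters. Real tables cover far larger keyspaces
# with longer chains; the mechanics are identical.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
PW_LEN = 4            # 36**4 = 1,679,616 candidate passwords
CHAIN_LEN = 40        # hashes covered per chain
N_CHAINS = 3000
SEED = 1234           # fixed start points keep the example reproducible


def unsalted_hash(pw: str) -> bytes:
    """Stand-in for an unsalted password hash such as a Windows NT hash
    (MD5 used here for portability; NT hashes are MD4 of the UTF-16LE password)."""
    return hashlib.md5(pw.encode()).digest()


def salted_hash(pw: str, salt: bytes) -> bytes:
    """A salted hash: the salt changes the digest, so no precomputed table applies."""
    return hashlib.md5(salt + pw.encode()).digest()


def reduce_to_password(digest: bytes, step: int) -> str:
    """Map a digest back into the keyspace. Mixing in the chain position is
    what distinguishes a rainbow table from Hellman's original chains and
    keeps colliding chains from merging permanently."""
    n = int.from_bytes(digest[:8], "big") ^ (step * 0x9E3779B97F4A7C15)
    n &= (1 << 64) - 1
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def chain_start(i: int) -> str:
    return reduce_to_password(hashlib.md5(f"{SEED}:{i}".encode()).digest(), 0)


def chain_password(i: int, j: int) -> str:
    """The j-th password on chain i (0 <= j < CHAIN_LEN); lets us pick a
    target the table is guaranteed to cover."""
    pw = chain_start(i)
    for step in range(j):
        pw = reduce_to_password(unsalted_hash(pw), step)
    return pw


def build_table(n_chains: int = N_CHAINS) -> dict:
    """Precompute chains but keep only (endpoint -> start points). Storing
    just the ends is the time/memory trade-off that makes tables publishable."""
    table = defaultdict(list)
    for i in range(n_chains):
        start = chain_start(i)
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_to_password(unsalted_hash(pw), step)
        table[pw].append(start)
    return table


def lookup(table: dict, target: bytes):
    """Recover the password behind `target` if the table covers it, else None."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target sits at position `pos` and roll forward to the end.
        pw = reduce_to_password(target, pos)
        for step in range(pos + 1, CHAIN_LEN):
            pw = reduce_to_password(unsalted_hash(pw), step)
        for start in table.get(pw, ()):
            # Candidate chain: walk it from the start to find the preimage.
            cand = start
            for step in range(CHAIN_LEN):
                if unsalted_hash(cand) == target:
                    return cand
                cand = reduce_to_password(unsalted_hash(cand), step)
    return None


def demo() -> dict:
    table = build_table()
    victim = chain_password(17, 23)          # a password the table covers
    salt = os.urandom(16)                    # per-password salt a sane scheme would store
    return {
        "victim": victim,
        "unsalted_recovered": lookup(table, unsalted_hash(victim)),
        "salted_recovered": lookup(table, salted_hash(victim, salt)),
    }


if __name__ == "__main__":
    print(demo())
```

Note what the salted lookup shows: the table is not "too small" for the salted hash, it is simply built for a different function, and an attacker would need a fresh table per salt value. That is the whole point of salting, and it is also why fast unsalted schemes such as NT hashes are cracked with wordlists and GPU brute force rather than being stored more carefully.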
Investigators found evidence that the attackers cracked the passwords and used them to gain access to a number of computers. They created custom software that allowed them to search for and grab Mr. Barboza’s and Mr. Yardley’s e-mails and documents from a Times e-mail server.
Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.
A Symantec spokesman said that, as a matter of policy, the company does not comment on its customers.
The attackers were particularly active in the period after the Oct. 25 publication of The Times article about Mr. Wen’s relatives, especially on the evening of the Nov. 6 presidential election. That raised concerns among Times senior editors who had been informed of the attacks that the hackers might try to shut down the newspaper’s electronic or print publishing system. But the attackers’ movements suggested that the primary target remained Mr. Barboza’s e-mail correspondence.
“They could have wreaked havoc on our systems,” said Marc Frons, the Times’s chief information officer. “But that was not what they were after.”
What they appeared to be looking for were the names of people who might have provided information to Mr. Barboza.
Mr. Barboza’s research on the stories, as reported previously in The Times, was based on public records, including thousands of corporate documents through China’s State Administration for Industry and Commerce. Those documents — which are available to lawyers and consulting firms for a nominal fee — were used to trace the business interests of relatives of Mr. Wen.
A Tricky Search
Tracking the source of an attack to one group or country can be difficult because hackers usually try to cloak their identities and whereabouts.
To run their Times spying campaign, the attackers used a number of compromised computer systems registered to universities in North Carolina, Arizona, Wisconsin and New Mexico, as well as smaller companies and Internet service providers across the United States, according to Mandiant’s investigators.
The hackers also continually switched from one I.P. address to another; an I.P. address, for Internet protocol, is a unique number identifying each Internet-connected device from the billions around the globe, so that messages and other information sent by one device are correctly routed to the ones meant to get them.
Using university computers as proxies and switching I.P. addresses were simply efforts to hide the source of the attacks, which investigators say is China. The pattern that Mandiant’s experts detected closely matched the pattern of earlier attacks traced to China. After Google was attacked in 2010 and the Gmail accounts of Chinese human rights activists were opened, for example, investigators were able to trace the source to two educational institutions in China, including one with ties to the Chinese military.
Security experts say that by routing attacks through servers in other countries and outsourcing attacks to skilled hackers, the Chinese military maintains plausible deniability.
“If you look at each attack in isolation, you can’t say, ‘This is the Chinese military,’ ” said Richard Bejtlich, Mandiant’s chief security officer.
But when the techniques and patterns of the hackers are similar, it is a sign that the hackers are the same or affiliated.
“When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction,” he said.
Mandiant has been tracking about 20 groups that are spying on organizations inside the United States and around the globe. Its investigators said that based on the evidence — the malware used, the command and control centers compromised and the hackers’ techniques — The Times was attacked by a group of Chinese hackers that Mandiant refers to internally as “A.P.T. Number 12.”
A.P.T. stands for Advanced Persistent Threat, a term that computer security experts and government officials use to describe a targeted attack and that many say has become synonymous with attacks done by China. AT&T and the F.B.I. have been tracking the same group, which they have also traced to China, but they use their own internal designations.
Mandiant said the group had been “very active” and had broken into hundreds of other Western organizations, including several American military contractors.
To get rid of the hackers, The Times blocked the compromised outside computers, removed every back door into its network, changed every employee password and wrapped additional security around its systems.
For now, that appears to have worked, but investigators and Times executives say they anticipate more efforts by hackers.
“This is not the end of the story,” said Mr. Bejtlich of Mandiant. “Once they take a liking to a victim, they tend to come back. It’s not like a digital crime case where the intruders steal stuff and then they’re gone. This requires an internal vigilance model.”
