Who or what is APT-12—and why should Western companies be worried?
On Wednesday night, The New York Times announced it had been the target of attacks from hackers in China for the past four months. The attacks followed an investigation by Times reporter David Barboza into the personal wealth of Chinese Premier Wen Jiabao. Times officials said the Chinese government had warned that the piece on Wen’s relatives would “have consequences,” which triggered the newspaper’s executives to ask AT&T to watch their network for unusual activity.
The hackers were able to steal the corporate passwords of every Times employee, as well as break into the personal computers of 53 employees.
In an interview Thursday, an executive with the computer-security company the Times hired to stop the attack says the breach reflects an alarming difference between Western and Chinese hackers.
Richard Bejtlich, chief security officer of Alexandria, Va.-based Mandiant, says the firm has identified the group internally as APT-12 (APT stands for Advanced Persistent Threat). “The very big picture is the Chinese government conducts state activities that are not the same as the West,” he tells The Daily Beast. “They’re going after things we don’t.”
In the West, he explains, attacks are aimed at military facilities and intelligence communities. But Chinese hackers go after civilian targets, such as media organizations, banks, defense contractors, and law firms (if a particular company is too difficult to break into, Bejtlich says, “they go to [their] law firm or a supplier” for information). One reason for this difference in perspective: in China, these groups are state-owned, unlike in the West.
While the Times says investigators still don’t know how the hackers initially broke in, it suspects it was a “spear phishing” attack, which means emails with malicious links or attachments were sent to employees. Once inside the system, the tools can be used to steal tons of data and capture passwords, keystrokes, screen images, documents, and, in some cases, recordings from computers’ microphones and Web cameras. Some consultants told the Times that the methods used in the attack have been associated with the Chinese military in the past.
Executive Editor Jill Abramson has said there was “no evidence that sensitive emails or files from the reporting of our articles about the Wen family were accessed, downloaded, or copied.”
Bejtlich says any company that does business with China may find itself on the receiving end of this kind of attack.
But who are the members of APT-12? Bejtlich says it’s hard to say, but there are four communities from where they might hail: China’s uniformed military, contractors, members of a state militia, or possibly “patriotic hackers.” Patriotic hackers, as the name implies, are people who wage cyberwarfare in the name of a country. While the U.S. has patriotic hackers as well, those who work independent of the military, no matter their motivation, are prosecuted; in China, as long as they don’t attack the Chinese government, they’re treated like “rock stars,” Bejtlich says.
What’s impressive about APT-12 and other sophisticated hacking groups is not their ability to gain entry into systems, Bejtlich says, but their ability to get in without being detected. “The group that did this will [try to] stay stealthy. They were found not because they tripped up, but because extra vigilance was given.” On November 7, unable to rid their system of the attackers after a week and half of trying, the Times hired Mandiant to block the attacks and monitor the hackers’ activity.
On Thursday The Wall Street Journal also announced that it had been targeted by Chinese hackers, which fits with the Times’s report that the attack appears to “be part of a broader computer espionage campaign against American news media companies that have reported on Chinese leaders and corporations.” Bejtlich says any company that does business with China may find itself on the receiving end of this kind of attack.
Bejtlich told the Times, “This is not the end of the story.” “Once they take a liking to a victim,” he warned, “they tend to come back.”
But he also applauded the tactic of going public in the wake of an attack—a relatively rare move for companies (speaking at the Kaspersky Lab Cyber Security Summit in New York this week, Eddie Schwartz, chief information security officer at RSA, an American computer and network security company, estimates that only 20 percent of cyberattacks are made public). “It’s a good strategy to come clean,” Bejtlich says. “The Times may [experience] additional attempts, but [publishing the report] serves as a deterrent.”