Chinese hackers have attacked the New York Times for the last four months, infiltrating its systems to get reporters' and employees' passwords, the paper said.
On Wednesday night, the Times published a story about the attacks, and publisher Arthur Sulzberger Jr. sent a memo to the staff, saying the paper was targeted after it posted an article four months ago investigating Chinese Premier Wen Jiabao's family wealth.
"Because we anticipate that this type of activity is likely to continue, we would like to remind you of some of the steps you can take to help protect our company data, as well as your own personal information on whatever device you use," Sulzberger said in the memo, obtained by TheWrap. "These points are outlined below."
The attacks with the reporting for a Times investigation, published online on Oct. 25, that found that Wen's relatives had accumulated a fortune worth several billion dollars through business dealings.
Using methods employed by China's military in the past, the hackers infiltrated the Times' network and broke into the email of its Shanghai bureau chief, David Barboza, who reported the story.
They also hacked into the email of Jim Yardley, the Times's South Asia bureau chief based in India, who previously served as the top reporter in Beijing.
"As this attack was designed to both interfere with our journalism and undermine our reporting we felt an obligation to be transparent about it," Sulzberger said.
The Times said the attacks appear to be part of a broader campaign by China's leaders to spy on U.S. news media companies.
Last year, Bloomberg News suffered a similar attack after it published an article in June about the the family wealth of Xi Jinping, China's then-vice president.
Here is Sulzberger's full memo to the staff:
From: NYT Company Mail
Sent: Wednesday, January 30, 2013 9:34 PM
To: All Company Employees
Subject: On the Record from Arthur and Mark
This evening we published an article by Nicole Perlroth regarding a cyber-attack on The New York Times. As this attack was designed to both interfere with our journalism and undermine our reporting we felt an obligation to be transparent about it.
The details of the attack, to the degree that we were able to discuss them publicly, are outlined in the story. We did believe it was important, however, to let you know that we have taken all of the appropriate measures across the company to protect our passwords, systems, content and proprietary information.
As the story noted, the attackers appeared to be targeting newsroom communications. While some business-side computers were affected, confidential employee and customer data were not targeted and the systems housing this data were not breached.
During the period after our systems were hacked, our security experts monitored the activity to make sure the intruders were not accessing sensitive or confidential information, and to make sure we understood what they were doing so we could take all of the appropriate measures to expel them and keep them out. You may recall that within the last few weeks you were asked to change your log-in password. That was just one of the many steps that we took to ensure the security of our systems.
Because we anticipate that this type of activity is likely to continue, we would like to remind you of some of the steps you can take to help protect our company data, as well as your own personal information on whatever device you use. These points are outlined below.
In general, we ask that you stay aware and attentive. If you have any concerns or questions regarding security awareness or if you notice anything unusual about how your computer is operating, contact firstname.lastname@example.org.
Arthur and Mark
Work and Personal Computers
· Know and use the privacy settings on your computer and on social networking sites. This is the first step toward defending your information.
· Use strong passwords or a passphrase to ensure complexity. Ideally, you should use different passwords for each account you have. Be sure that if you use one password for everything and it becomes compromised, you change it for every account.
· When possible, use two-step verification for your personal email accounts. Two-step verification adds an additional layer of security using your mobile phone that prevents unauthorized access to your accounts in case someone steals or guesses your password. To find out more about Two-step verification using Gmail, for example, go to the security section of your account settings.
· Keep your personal information personal. Do not e-mail or instant message credit card, account, driver’s license or social security card numbers to anyone.
· Be aware of what you post online. The more information you provide, the easier you make it for someone to impersonate you or to steal your identity.
· Protect your hardware by keeping all important software and applications up to date, i.e., operating system, Web browser, antivirus, anti-spyware and firewall settings.
· Use a password or passphrase on your Smartphone to prevent compromising your personal information and identity.
· Never reply to text messages from people you don’t know.
· Do not text or instant message credit card, account, driver’s license or social security card numbers to anyone.