The New York Times' announcement in January that Chinese hackers had compromised its computers, stolen employee passwords, and wormed around its network for four months made for a chilling read for those of us concerned about press safety and digital security. But the paper's latest installment, based on a report released by computer security firm Mandiant, lays out an even more spectacular and serious possibility: that China's military has stolen information from companies "involved in the critical infrastructure of the United States -- its electrical power grid, gas lines and waterworks."
An alarmed American public may wonder whether it's time to push the panic button, but in many respects, this is old news to those in the digital security industry. Chinese hackers have been tracked and traced before. Experts with a dismal view assume everything's hacked until proven otherwise.
"There's a saying in the security industry," says Eva Galperin of the Electronic Frontier Foundation, an Internet advocacy group. "Everybody is 'owned' all the time. These attacks are constant."
Mandiant's report is the result of years spent tracking a Shanghai-based hacking team dubbed the "Comment Crew," also known as APT1. The company's investigators even managed to pinpoint the hackers' work space: a Shanghai building owned by Unit 61398 of the People's Liberation Army. Mandiant says it has observed some 140 attacks by Comment Crew since 2006.
While the corporate and governmental attacks described by Mandiant and the attacks against New York Times reporters are separate cases executed by different hacking groups, the digital trail leads back to the same location: China.
Galperin has the solution. "If organizations are concerned about security, and they want to know what the one thing is that they can do -- they can teach their users not to click on these links or open these attachments," she says.
The problem is, Chinese hackers are getting dangerously good at tricking users into clicking on what are known as "phishing emails" -- messages with links or attachments that seem innocuous, but actually dump spyware on recipients' computers. One of the secrets? Language skills. Over the course of my five years in China, hackers targeting foreign correspondents became more advanced, upgrading from early phishing attempts using haphazard "Chinglish" to more convincing and polished English.