It all started with the publishing of the results of a Times investigation about the way that relatives of the current Chinese Premier Wen Jiabao amassed billions of dollars via business deals.
The research for the piece, written by NYT's Shanghai bureau chief Davis Barboza and published online on Oct. 25, triggered a series of attacks that were apparently coming from the systems of a number of higher education institutions in the U.S. - a smokescreen attempt typical for Chinese hackers.
The NYT first asked AT&T's help to defend its networks and expel the intruders, but ultimately had to turn to Mandiant for a definite resolution of the intrusion and defensive strategies and techniques that would keep the attackers out in the future.
According to Mandiant's investigation, the hackers probably initiated the attack with spear phishing emails that resulted in backdoor and RAT malware installed on a great number of computers within the NYT network and outside of it.
The attacks started on Sept. 13, and the installed backdoors allowed the hackers to move through the The Times’s systems in search for things they could use. A few weeks later they hit the jackpot when the identified and compromised the domain controller that contained user names and hashed passwords for Times employees.
Armed with this knowledge, they cracked the passwords and used them to access and compromise the employees computers and email accounts. During the four months that the attack was unfolding, the hackers deployed mostly custom made malware, and the Symantec AV software used by the NYT managed to detect and block only one out of the they 45 used.
Ultimately, the attackers didn't do anything to take down the NYT's networks and systems, nor were they after customer or financial data. They wanted to discover who has been talking to Barboza and sharing information about the shady business deals detailed in the piece.
"Mr. Barboza’s research on the stories, as reported previously in The Times, was based on public records, including thousands of corporate documents through China’s State Administration for Industry and Commerce. Those documents — which are available to lawyers and consulting firms for a nominal fee — were used to trace the business interests of relatives of Mr. Wen," shared NYT's Nicole Perlroth.
Mandiant's researchers believe that they identified the source of the attack correctly. The custom malware, the hiding of the real source by routing the attacks through educational institutions' compromised computer systems, the fact that the hackers began regularly began working every day at 8 a.m. Beijing time and mostly finished by the end of the standard work day, the targets - everything seems to point to hackers from China even though it can't be conclusively proved.
China’s Ministry of National Defense, of course, rejected the accusations that the nation's military might be behind the attacks.
In the meantime, the news of the attack - even though the piece has been partially censored - has been spreading and is being commented on Twitter by critics of the Chinese government.