The attacks might be part of a larger campaign targeting journalists, the Times said, citing a December intelligence report from Mandiant that mentioned APT-style attacks against 30 journalists and executives at Western news outlets.
Mandiant did not immediately respond to a request for more information about the attacks.
According to the Times report, Mandiant investigators determined that hackers used 45 pieces of custom malware in the attacks against the New York Times over three months, but only one of them was detected by the antivirus products from Symantec used by the newspaper on its systems.
Advanced attacks like the one described in the New York Times article "underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions," Symantec said Thursday in a statement sent via email.
"The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks," the company said. "Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough."
News of this attack comes on the heels of a recent debate among security and antivirus experts regarding the effectiveness of desktop antivirus products at detecting new threats that don't have a widespread distribution, like the type of malware used in APT attacks. The discussion was prompted by a study released by security firm Imperva in December, which concluded that newly created threats have an initial antivirus detection rate of under 5 percent.
Even though the methodology used in the study was heavily criticized as being flawed and inaccurate, some experts strongly believe that desktop antivirus products are incapable of detecting the custom malware used today in targeted attacks against organizations.
"From my own experience, within corporate/enterprise networks, desktop antivirus detection typically hovers at 1-2% for the threats that make it through the various network defenses," Gunter Ollmann, the chief technology officer at security consultancy firm IOActive, said earlier this month in a blog post. "For newly minted malware that is designed to target corporate victims, the rate is pretty much 0% and can remain that way for hundreds of days after the malware has been released into the wild."