In part to prevent that from happening, The Times allowed hackers to spin a digital web for four months to identify every digital back door the hackers used. It then replaced every compromised computer and set up new defences in hopes of keeping hackers out.
"Attackers target companies for a reason — even if you kick them out, they will try to get back in," said Nick Bennett, the security consultant who has managed Mandiant's investigation. "We wanted to make sure we had full grasp of the extent of their access so that the next time they try to come in, we can respond quickly."
Based on a forensic analysis going back months, it appears the hackers broke into The Times computers on September 13, when the reporting for the Wen articles was nearing completion. They set up at least three back doors into users' machines that they used as a digital base camp. From there they snooped around The Times' systems for at least two weeks before they identified the domain controller that contains user names and hashed, or scrambled, passwords for every Times employee.
While hashes make hackers' break-ins more difficult, hashed passwords can easily be cracked using so-called rainbow tables — readily available databases of hash values for nearly every alphanumeric character combination, up to a certain length. Some hacker websites publish as many as 50 billion hash values.
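To make the previous paragraph concrete, here is an added Python example (not from the article, The Times, or Mandiant's investigation) that builds a small precomputed lookup table over a constructed character set, shows it reversing an unsalted hash within its length limit, and shows why the usual defence, a per-user salt plus key stretching (PBKDF2 is assumed here), leaves nothing for such a table to match. The real rainbow-table format, which stores hash chains rather than every pair, is simplified to a plain dictionary.

```python
import hashlib
import itertools
import os
import string

# Constructed toy character space standing in for the "every alphanumeric
# combination up to a certain length" that a published table covers.
ALPHABET = string.ascii_lowercase + string.digits
MAX_LEN = 3


def unsalted_hash(password: str) -> str:
    """Fast, unsalted hash (SHA-256 used as a stand-in): the same password
    always gives the same digest, so one table serves every stolen hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(alphabet: str = ALPHABET, max_len: int = MAX_LEN) -> dict:
    """Precompute digest -> password for every string up to max_len.
    Assumed simplification: a dictionary instead of rainbow-table chains."""
    table = {}
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            pw = "".join(chars)
            table[unsalted_hash(pw)] = pw
    return table


def lookup(table: dict, digest: str):
    """Return the password behind a digest, or None if the table never saw it
    (longer than its limit, different alphabet, or salted)."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Mitigation: a random per-user salt means no precomputed table applies,
    and PBKDF2 iteration makes each fresh guess cost real work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def demo():
    table = build_lookup_table()
    cracked = lookup(table, unsalted_hash("q7z"))      # within coverage -> "q7z"
    too_long = lookup(table, unsalted_hash("q7z9"))    # past MAX_LEN -> None
    salted = salted_hash("q7z", os.urandom(16))         # same password, salted
    return cracked, too_long, lookup(table, salted)     # ("q7z", None, None)
```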
Investigators found evidence that the attackers cracked the passwords and used them to gain access to a number of computers. They created custom software that allowed them to search for and grab Barboza's and Yardley's emails and documents from a Times email server.
Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker's software as malicious and quarantined it, according to Mandiant.
A Symantec spokesman said that, as a matter of policy, the company does not comment on its customers.
The attackers were particularly active in the period after the October 25 publication of The Times article about Wen's relatives, especially on the evening of the November 6 presidential election. That raised concern among the senior Times editors who had been informed of the attacks: the hackers might try to shut down the newspaper's electronic or print publishing system. But the attackers' movements suggested that the primary target remained Barboza's email correspondence.
"They could have wreaked havoc on our systems," said Marc Frons, The Times' chief information officer. "But that was not what they were after."