What they appeared to be looking for were the names of people who might have provided information to Barboza.
Barboza's research on the stories, as reported previously in The Times, was based on public records, including thousands of corporate documents through China's State Administration for Industry and Commerce. Those documents — which are available to lawyers and consulting firms for a nominal fee — were used to trace the business interests of relatives of Wen.
A tricky search
Tracking the source of an attack to one group or country can be difficult because hackers usually try to cloak their identities and whereabouts.
To run their Times spying campaign, the attackers used a number of compromised computer systems registered to universities in North Carolina, Arizona, Wisconsin and New Mexico, as well as smaller companies and internet service providers across the United States, according to Mandiant's investigators.
The hackers also continually switched from one IP address to another; an IP address, for internet protocol, is a unique number identifying each internet-connected device from the billions around the globe, so that messages and other information sent by one device are correctly routed to the ones meant to get them.
Using university computers as proxies and switching IP addresses were simply efforts to hide the source of the attacks, which investigators say is China. The pattern that Mandiant's experts detected closely matched the pattern of earlier attacks traced to China. After Google was attacked in 2010 and the Gmail accounts of Chinese human rights activists were opened, for example, investigators were able to trace the source to two educational institutions in China, including one with ties to the Chinese military.
Security experts say that by routing attacks through servers in other countries and outsourcing attacks to skilled hackers, the Chinese military maintains plausible deniability.
"If you look at each attack in isolation, you can't say, 'This is the Chinese military,"' said Richard Bejtlich, Mandiant's chief security officer.
But when the techniques and patterns of the hackers are similar, it is a sign that the hackers are the same or affiliated.
"When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction," he said.
Mandiant has been tracking about 20 groups that are spying on organisations inside the United States and around the globe. Its investigators said that based on the evidence — the malware used, the command and control centers compromised and the hackers' techniques — The Times was attacked by a group of Chinese hackers that Mandiant refers to internally as "APT Number 12".
Sign up for CIO Asia eNewsletters.