The pro-Assad SEA appears to have been able to attack the domain name registrar for the websites, changing ownership of the sites to "SEA." In the case of the New York Times, the attack appeared to take the website down for a number of hours.
During the attack, Business Insider reached out to a hacker affiliated with the SEA who calls himself "Th3 Pr0." While Th3 Pr0 is usually very prompt in his responses, he took several hours to respond. He apologized for the delay, explaining that he was "busy."
Asked if SEA were involved in the attack and why Twitter — a technology company as opposed to SEA's standard media company — was attacked, he responded:
Yes we are, we attacked Twitter because the suspensions of our accounts for 15 times and we did warned them, NYtimes was hacked as a part of our campaign against the media who keep publishing false/fabricated news about
Th3 Pr0 responded to our email at around 5am Syrian time. When asked how long SEA had been working on the hack, he said that they began around 14-15 hours before he emailed me, which would have been around 9 hours people noticed the attacks.
The group had began planning the attack just a few days ago, according to Th3 Pro. "We started collecting information about Melbourne IT [the companies' domain name registrar] and what the domains that they are hosting it like a 2 days ago," he emailed, adding that just three people were involved in the attack.
It's obviously wise to take all this with a pinch of salt. Th3 Pr0 claims to be an 18-year-old high school student that lives in Syria, but other hacking groups have emailed Business Insider, arguing that Th3 Pr0 is in fact an older man who does not live in Syria. These claims are difficult to verify.
The attack on the New York Times and Twitter may appear to be a step up from previous attacks, which were enabled by phishing for passwords and usually focused on Twitter account — low hanging fruit really. However, as Christopher Mims of Quartz notes, they were probably enabled by a phishing attack on Melbourne IT. A creative use of relatively simple techniques. Melbourne IT told CNET that "the credentials of a Melbourne IT reseller (username and password) were used to access a reseller account on Melbourne IT's systems."
The group still seem to have access to Melbourne IT's blog at least.
It's tempting to denounce the SEA's attack as pointless, but silly as the attacks on Western media outlets might seem, they certainly achieve their objective of gaining worldwide attention.