If article is correct, Lulz exploited an XSS vulnerability they found on a server running an old version of the newspaper web site as the initial penetration point. They then attacked the content management platform from the compromised server. Nothing innovative, illuminating or new about the attack methods. Just another case of poor inventory/patch management, lax log/monitoring practices.