Hackers, thought to be Chinese, return with updated infrastructure as they try to avoid detection
The alleged hackers behind the much-publicised hit on the New York Times have been spotted using more sophisticated malware to ensnare more targets.
FireEye said the attackers, whom some say the Chinese government sponsored, had hit an unnamed economic policy organisation. This is the first major move from the hacking group since the attacks on the New York Times in January.
Since May, the group has been using updated versions of the Aumlib and Ixeshe malware. The new variants encode more of their command-and-control (C2) communications and use new network traffic patterns, which helps them cover their tracks.
Such subtle changes may be enough to evade intrusion detection systems that only carry signatures for the older versions of the malware.
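The evasion described above can be shown with a small constructed example. This is an added illustration, not code from the article, from FireEye, or from either malware family: the beacon strings, the signature pattern and the single-byte XOR key are all hypothetical and are not real Aumlib or Ixeshe traffic. It shows why a signature written for an older plaintext variant stops matching once the C2 payload is encoded, and two ways a detector can still catch the encoded version: brute-forcing a single-byte XOR key against the known plaintext signature, and a content-agnostic check on how much of the payload is printable.

```python
import re
from typing import Optional


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR, a common lightweight obfuscation for C2 payloads."""
    return bytes(b ^ key for b in data)


# Constructed sample beacons (hypothetical, not real malware traffic).
PLAINTEXT_BEACON = b"id=WORKSTATION-7&os=WinXP&ver=1.0&cmd=hello"
OLD_BEACON = PLAINTEXT_BEACON                 # older variant: sent in the clear
NEW_BEACON = xor_encode(PLAINTEXT_BEACON, 0x5A)  # updated variant: XOR-encoded

# A legacy-style IDS signature written against the old plaintext format.
OLD_SIGNATURE = re.compile(rb"id=[A-Z0-9-]+&os=\w+&ver=[\d.]+&cmd=")


def signature_match(payload: bytes) -> bool:
    """Plain signature match: fires only on the unencoded beacon format."""
    return OLD_SIGNATURE.search(payload) is not None


def recover_xor_key(payload: bytes) -> Optional[int]:
    """Try every single-byte XOR key and return the first one whose
    decoded output matches the known plaintext signature, or None."""
    for key in range(256):
        if OLD_SIGNATURE.search(xor_encode(payload, key)):
            return key
    return None


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes in the printable ASCII range 0x20..0x7E.
    Encoded payloads tend to score noticeably lower than plaintext ones."""
    if not payload:
        return 0.0
    printable = sum(1 for b in payload if 0x20 <= b <= 0x7E)
    return printable / len(payload)


def detect(payload: bytes, min_printable: float = 0.9) -> dict:
    """Report which detection layers fire on a payload:
    - signature: the unchanged legacy signature
    - decoded_hit: the signature after brute-forcing a XOR key
    - looks_encoded: a format-agnostic heuristic on printable content"""
    key = recover_xor_key(payload)
    ratio = printable_ratio(payload)
    return {
        "signature": signature_match(payload),
        "xor_key": key,
        "decoded_hit": key is not None,
        "printable_ratio": round(ratio, 3),
        "looks_encoded": ratio < min_printable,
    }


if __name__ == "__main__":
    for name, beacon in (("old", OLD_BEACON), ("new", NEW_BEACON)):
        print(name, detect(beacon))
```

The legacy signature fires on the old beacon (XOR key 0 is the identity, so the brute force also reports key 0) but misses the encoded one; the key-recovery layer finds 0x5A and re-matches, and the printable-ratio heuristic flags the encoded beacon without knowing anything about the malware's format. In practice the key-recovery step only works while the underlying plaintext structure is unchanged, which is exactly why an actor that also changes its traffic patterns forces detection to move from byte signatures toward behavioural indicators.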
“The updates are significant for both of the longstanding malware families; before this year, Aumlib had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011,” FireEye researchers Ned Moran and Nart Villeneuve said in a blog post.
“We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode.
“But we do know the change was sudden. Akin to turning a battleship, retooling TTPs [techniques, tactics, or procedures] of large threat actors is formidable. Such a move requires recoding malware, updating infrastructure, and possibly retraining workers on new processes.”
It is not rare for hacking groups to retool after public exposure. In May, it was claimed that the Unit 61398 group, based in Shanghai and allegedly sponsored by the Chinese government, had returned to attack fresh US targets. That group, also known as the Comment Crew, is not believed to have been responsible for the attack on the New York Times.