The Chinese group blamed for an infamous attack on the New York Times last January appears to be on the move again using updated versions of its two favourite Trojan families, researchers at FireEye have reported.
In May, the firm noticed that two important backdoors, APT.Aumlib and APT.Ixeshe, had been updated. Neither had changed in some time: Aumlib had last been modified in May 2011, Ixeshe in December 2011.
The APT (Advanced Persistent Threat) prefix on those names marks them as the tooling of a specific, persistent intrusion group rather than commodity malware. Both are backdoors: malware that gives the attackers a foothold on a compromised machine, through which further payloads are then fetched. They are tailored to the organisations they are aimed at and are the front line of what might politely be called state-sponsored malware, in this case of Chinese origin.
The reasoning is inferential. After the New York Times publicly exposed the attacks on its staff in January, the attackers went quiet. That they have now returned with newly developed versions of the same malware suggests the same group has evolved its tools in order to stay ahead of defences.
“But we do know the change was sudden. Akin to turning a battleship, retooling TTPs of large threat actors is formidable. Such a move requires recoding malware, updating infrastructure, and possibly retraining workers on new processes,” said FireEye researcher, Nart Villeneuve.
Specifically, the new Aumlib was detected while analysing an attack on an unnamed organisation “involved in shaping economic policy”, while the new Ixeshe had been used against Taiwanese targets, he said.
In both cases the changes were technically modest but viewed as significant in the context of cyber-warfare.
“These subtle changes may be enough to circumvent existing IDS signatures designed to detect older variants of the Aumlib family,” he said.
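The signature-brittleness point above, shown as an added example that is not code from the article or from FireEye. Two constructed HTTP beacons stand in for an “old” and a “retooled” variant of the same backdoor; the traffic is invented for the demonstration and is not Aumlib’s or Ixeshe’s actual protocol. A byte-match rule written from the old sample alone is compared with a rule keyed on structural traits of the sample that a rename does not touch. Every URI, parameter name, header value and threshold here is an assumption made for the example.

```python
import re

# Constructed samples for illustration only. They are NOT captures of Aumlib,
# Ixeshe or any other real malware: the URIs, parameter names and header
# values are invented so the example runs offline.
OLD_VARIANT = (
    b"POST /cgi/report.cgi HTTP/1.1\r\n"
    b"Host: 198.51.100.7\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"hid=0a1b2c3d&ver=1&data=AAAAAA"
)

# The "retooled" variant (also constructed): same tooling and protocol shape,
# but the URI and parameter names were renamed and the payload base64 wrapped.
NEW_VARIANT = (
    b"POST /cgi/status.php HTTP/1.1\r\n"
    b"Host: 198.51.100.7\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n"
    b"\r\n"
    b"h=0a1b2c3d&v=2&d=QUFBQUFB"
)

# Ordinary intranet login (constructed), included to check neither rule fires on it.
BENIGN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    b"user=alice&pass=secret"
)


def content_signature(pkt: bytes) -> bool:
    """A byte-match rule of the kind written from a single old sample.

    Precise and cheap, but tied to incidental strings (the URI and the
    parameter names), so any edit to those bytes defeats it.
    """
    return (b"POST /cgi/report.cgi" in pkt
            and b"hid=" in pkt
            and b"&data=" in pkt)


def parse_http_post(pkt: bytes):
    """Minimal parser: request line, lower-cased header map, form parameters."""
    head, _, body = pkt.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    params = {}
    for pair in body.split(b"&"):
        name, _, value = pair.partition(b"=")
        params[name] = value
    return lines[0], headers, params


RAW_IPV4 = re.compile(rb"^\d{1,3}(?:\.\d{1,3}){3}$")
HEX_ID = re.compile(rb"^[0-9a-f]{8}$")


def structural_signature(pkt: bytes) -> bool:
    """A rule keyed on traits of the constructed samples that renaming leaves
    intact: a POST to a raw IPv4 Host, a hard-coded MSIE 6 User-Agent that no
    current browser sends, and a form body carrying an 8-hex-digit host ID.

    Which traits are actually stable for a real family has to come from
    analysing several of its samples; these are assumptions for the samples above.
    """
    request_line, headers, params = parse_http_post(pkt)
    parts = request_line.split(b" ")
    if len(parts) != 3 or parts[0] != b"POST":
        return False
    if not RAW_IPV4.match(headers.get(b"host", b"")):
        return False
    if not headers.get(b"user-agent", b"").startswith(
            b"Mozilla/4.0 (compatible; MSIE 6.0"):
        return False
    return any(HEX_ID.match(v) for v in params.values())


def evaluate():
    """Run both rules over the three samples; returns {name: (content, structural)}."""
    samples = {"old": OLD_VARIANT, "new": NEW_VARIANT, "benign": BENIGN}
    return {name: (content_signature(p), structural_signature(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (content, structural) in evaluate().items():
        print(f"{name:7s} content-match={content!s:5s} structural={structural}")
```

The byte-match rule catches the old sample and nothing else; the structural rule catches both variants without firing on the benign login. The trade-off is the usual one: the structural rule is harder to write because it needs several samples to learn which traits persist, and it carries more false-positive risk if one of those traits turns up in legitimate software, which is why the two kinds of rule are normally deployed together rather than one replacing the other.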
FireEye doesn’t offer much insight into the attack group thought to be behind the malware, the so-called APT12 group, although research by Trend Micro and others has cast light on its provenance.
The attacks on the New York Times were certainly a spectacular event: the newspaper publicly accused Chinese hackers with state backing of being behind a series of incursions that started in September 2012.
In a small piece of fallout, Symantec was forced to defend its antivirus software after a report by Mandiant, the consultants brought in by The New York Times, appeared to suggest that it had not been effective in stopping the APT malware.