NYT hackers resurface with new arsenal

Summary: The hacking group behind attacks on The New York Times has returned -- with a new selection of weapons and a new campaign.

TOPICS: Security

A hacker group that is believed to be behind a four-month campaign against The New York Times has returned with a new bevy of tools at its disposal, according to researchers.

The Chinese advanced persistent threat group, known as APT 12, "persistently" attacked the media outlet for months. The hackers, who specialize in acquiring sensitive data, went after journalists' passwords in an attempt to obtain details about human rights activists. However, the group has also been known to target governmental and military agencies in the past.

The Times believed the attacks were related to an investigation the outlet carried out that found the Chinese Prime Minister had accumulated "several billion dollars through business dealings."

According to a blog post published by research firm FireEye, after lying low for several months, APT 12 appears to be mounting assaults with new and improved malware.

The latest campaign, believed to be part of a "massive spying operation based in China," leverages updated versions of the malware families Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe.

The new variants were discovered after the security team investigated attacks against an "unidentified organization involved in shaping economic policy."

"We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode," the report says. "But we do know the change was sudden. Akin to turning a battleship, retooling TTPs of large threat actors is formidable. Such a move requires recoding malware, updating infrastructure, and possibly retraining workers on new processes."

The new version of Aumlib now encodes certain HTTP communications. Aumlib has been used for years in targeted attacks and has a well-known signature. The malware now issues a POST request whose contents are encoded, unlike the previous version's. It is believed that this small change could allow the malware to circumvent existing IDS signatures written to detect older variants of the Aumlib malware family.

The latest version of Ixeshe, often used when targeting systems in East Asia, uses new network traffic patterns, which FireEye believes may be an upgrade to avoid traditional network security systems.

Neither malware family had been changed since 2011. Groups capable of systematically attacking networks that demand heft behind a campaign (and that are therefore likely to have substantial financial backing) have no need to draw unnecessary attention to themselves, which makes the evolution of these tools significant.

The researchers note:

"Knowing how attackers' strategy is shifting is crucial to detecting and defending against today’s advanced threats. But knowing the 'why' is equally important. That additional degree of understanding can help organizations forecast when and how a threat actor might change their behavior -- because if you successfully foil their attacks, they probably will."

  • It's just as important...

    It's just as important for us to best China in this cyber war as it is to best them in our present trade war. The sad truth is that in both cases the American citizen is their best ally. Whether it's because of a lack of IT savvy that lets them in the back door of our networks, or an almost suicidal obsession with cheap, crappy goods, we are facilitating China's dominance!
  • We need to hit them where it hurts

    The ChiComs seem to believe that anything they can break into is fair game. I suggest that the US Military and the NSA reciprocate by breaking into computer systems in their country, and provide the world insight into just what kinds of thievery and criminality these sponsoring communist party officials are involved in.