NYT hackers resurface with new arsenal

The hacking group behind attacks on The New York Times have returned -- with a new selection of weapons and a new campaign.

A hacker group that is believed to be behind a four-month campaign against The New York Times has returned with a new bevy of tools at its disposal, according to researchers.

The Chinese advanced persistent threat group, known as APT 12, "persistently" attacked the media outlet for months. The hackers, specializing in the acquisition of sensitive data, went after journalist passwords in an attempt to find out the details of human rights activists. However, the group have also been known to target governmental and military agencies in the past.


The Times believed the attacks were related to an investigation the outlet carried out which found that the Chinese Prime Minister had accumulated "several billion dollars through business dealings."

According to a blog post published by research firm FireEye, after laying low for several months, APT 12 appears to be mounting assaults with new-and-improved malware.

The latest campaign, believed to be part of a "massive spying operation based in China," leverages updated versions of malware Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe.

The new variants were discovered after the security team investigated attacks against an "unidentified organization involved in shaping economic policy."

"We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode," the report says. "But we do know the change was sudden. Akin to turning a battleship, retooling TTPs of large threat actors is formidable. Such a move requires recoding malware, updating infrastructure, and possibly retraining workers on new processes."

The new version of Aumlib is now able to encode types of HTTP communications. Aumlib has been used for years in targeted attacks and has a well-known signature. The malware now contains a new POST request which is encoded unlike the previous version. It is believed that this small change could allow the malware to circumvent existing IDS signatures designed to detect older variants of the Aumlib malware family.

The latest version of Ixeshe, often used when targeting systems in East Asia, uses new network traffic patterns, which FireEye believes may be an upgrade to avoid traditional network security systems.

Both malware types have not been changed since 2011. Groups that are able to systematically take on networks that require heft behind campaigns -- and therefore are likely to have substantial financial backing -- don't need to draw unnecessary attention, making the evolution of such tools significant.

The researchers note:

"Knowing how attackers' strategy is shifting is crucial to detecting and defending against today’s advanced threats. But knowing the 'why' is equally important. That additional degree of understanding can help organizations forecast when and how a threat actor might change their behavior -- because if you successfully foil their attacks, they probably will."