Dear Visitor,

Our system has found that you are using an ad-blocking browser add-on.

We just wanted to let you know that our site content is, of course, available to you absolutely free of charge.

Our ads are the only way we have to be able to bring you the latest high-quality content, which is written by professional journalists, with the help of editors, graphic designers, and our site production and I.T. staff, as well as many other talented people who work around the clock for this site.

So, we ask you to add this site to your Ad Blocker’s "white list" or to simply disable your Ad Blocker while visiting this site.

Continue on this site freely
You are here: Home / Viruses & Malware / Chinese NYT Hackers Are Back
Chinese NYT Hackers Back with New Malware
Chinese NYT Hackers Back with New Malware
By Jennifer LeClaire / NewsFactor Network Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
The Chinese hackers who reportedly attacked the New York Times and the Wall Street Journal are back -- and they're equipped to potentially do more damage than ever. Identified by security firm Mandiant as Unit 61398, the hackers have been silent since the hubbub in January.

But according to FireEye, the groups appear to be mounting fresh assaults that leverage "new and improved" versions of malware. Indeed, security researchers believe there's been a retooling of the massive spying operation that has ties to Communist China.

"The newest campaign uses updated versions of Aumlib and Ixeshe," Ned Moran and Nart Villeneuve of FireEye warned in a blog post. "Aumlib, which for years has been used in targeted attacks, now encodes certain HTTP communications . . . And a new version of Ixeshe, which has been in service since 2009 to attack targets in East Asia, uses new network traffic patterns, possibly to evade traditional network security systems."

Beware New TTPs

Why did the hackers make the upgrade? FireEye researchers said cybercriminals are constantly evolving and adapting their attempts to bypass computer network defenses. But there's no need to evolve if the current malware is getting the dirty work done.

"So when a larger, successful threat actor changes up tactics, the move always piques our attention," the researchers wrote. "Naturally, our first priority is ensuring that we detect the new or altered TTPs [techniques, tactics or procedures]. But we also attempt to figure out why the adversary changed -- what broke? -- so that we can predict if and when they will change again in the future."

FireEye reports that about four months after the New York Times publicized an attack on its network, the attackers updated versions of their Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe malware families. The previous versions of Aumlib had not changed since at least May 2011, they said, and Ixeshe had not evolved since at least December 2011.

"We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode. But we do know the change was sudden," the researchers wrote. "Akin to turning a battleship, retooling TTPs of large threat actors is formidable. Such a move requires recoding malware, updating infrastructure, and possibly retraining workers on new processes."

Hunting for Infections

We looked to Tom Cross, director of security research at Lancope, for his reaction. He told us it is not surprising that this adversary is continuing to launch attacks.

"State-sponsored attackers have a long-term interest in collecting intelligence from particular targets, and these adversaries are not deterred by being caught. When these kinds of attackers are discovered, they react by adapting their techniques so that they can fly under the radar again," Cross said.

"Organizations that are targeted by these kinds of attacks need to engage in a constant, ongoing process of hunting for infections within their networks," he added. "The fight against this kind of espionage is never over."

Tell Us What You Think


Beverley Montenaro:
Posted: 2013-09-28 @ 3:30am PT
I've uncovered an elaborate network of malware of Chinese origin. The time these people have clearly spent on validating themselves with fake websites, reviews and awards must be huge. It's rather difficult to get anyone to listen to one though. As they are constantly changing things after I make a report it's somewhat of a struggle for one person - still, like Marge Simpson says, "Slow and steady wins the race".

Like Us on FacebookFollow Us on Twitter
© Copyright 2016 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.