The Chinese hackers who reportedly attacked the New York Times and the Wall Street Journal are back -- and they're equipped to potentially do more damage than ever. Identified by security firm Mandiant as Unit 61398, the hackers have been silent since the hubbub in January.
But according to FireEye, the group appears to be mounting fresh assaults that leverage "new and improved" versions of malware. Indeed, security researchers believe there's been a retooling of the massive spying operation that has ties to Communist China.
"The newest campaign uses updated versions of Aumlib and Ixeshe," Ned Moran and Nart Villeneuve of FireEye warned in a blog post. "Aumlib, which for years has been used in targeted attacks, now encodes certain HTTP communications . . . And a new version of Ixeshe, which has been in service since 2009 to attack targets in East Asia, uses new network traffic patterns, possibly to evade traditional network security systems."
Beware New TTPs
Why did the hackers make the upgrade? FireEye researchers said cybercriminals are constantly evolving and adapting their attempts to bypass computer network defenses. But there's no need to evolve if the current malware is getting the dirty work done.
"So when a larger, successful threat actor changes up tactics, the move always piques our attention," the researchers wrote. "Naturally, our first priority is ensuring that we detect the new or altered TTPs [techniques, tactics or procedures]. But we also attempt to figure out why the adversary changed -- what broke? -- so that we can predict if and when they will change again in the future."
FireEye reports that about four months after the New York Times publicized an attack on its network, the attackers updated versions of their Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe malware families. The previous versions of Aumlib had not changed since at least May 2011, they said, and Ixeshe had not evolved since at least December 2011.
"We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode. But we do know the change was sudden," the researchers wrote. "Akin to turning a battleship, retooling TTPs of large threat actors is formidable. Such a move requires recoding malware, updating infrastructure, and possibly retraining workers on new processes."
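A worked illustration of the detection problem FireEye describes, added here and not taken from FireEye's post or this article: the proxy-log records below are constructed (they do not reproduce the real Aumlib or Ixeshe formats), and the client addresses, server addresses, paths and the `host=` marker are all assumptions. It shows how a content signature keyed on a plaintext field stops firing once an implant starts encoding its POST bodies, while a timing-based beacon detector, which keys on the regular check-in interval rather than on the bytes sent, still flags the same client/server pair.

```python
import base64
from collections import defaultdict
from datetime import datetime

# Constructed proxy log records: (timestamp, client, server, method, path, body).
# Illustrative only; they do not reproduce Aumlib or Ixeshe traffic.
OLD_STYLE = [
    ("2013-09-01T10:00:00", "10.0.0.5", "203.0.113.7", "POST", "/index.asp", "host=WS-17&user=jdoe&ver=2"),
    ("2013-09-01T10:05:01", "10.0.0.5", "203.0.113.7", "POST", "/index.asp", "host=WS-17&user=jdoe&ver=2"),
    ("2013-09-01T10:10:00", "10.0.0.5", "203.0.113.7", "POST", "/index.asp", "host=WS-17&user=jdoe&ver=2"),
]

# The same beacons after the (hypothetical) implant begins base64-encoding its body.
NEW_STYLE = [
    (ts, src, dst, method, path, base64.b64encode(body.encode()).decode())
    for (ts, src, dst, method, path, body) in OLD_STYLE
]

# Benign background traffic: a user browsing at irregular intervals.
BENIGN = [
    ("2013-09-01T10:00:13", "10.0.0.9", "198.51.100.2", "GET", "/news", ""),
    ("2013-09-01T10:02:47", "10.0.0.9", "198.51.100.2", "GET", "/news/page2", ""),
    ("2013-09-01T10:41:05", "10.0.0.9", "198.51.100.2", "POST", "/login", "user=alice&pw=redacted"),
]


def signature_hits(log):
    """Content signature keyed on a plaintext field in the POST body.

    This is the brittle rule: it matches the old traffic but goes silent the
    moment the body is encoded, even though nothing else about the beacon changed.
    """
    return [rec for rec in log if rec[3] == "POST" and "host=" in rec[5]]


def beacon_pairs(log, max_jitter_seconds=5):
    """Return (client, server) pairs whose request intervals are near-constant.

    Periodic check-ins are a property of how the implant behaves on the network,
    not of the payload bytes, so this rule survives the encoding change. A real
    deployment would add minimum sample counts and an allow-list of known-good
    periodic services (update checks, monitoring agents) to limit false positives.
    """
    times = defaultdict(list)
    for ts, src, dst, *_ in log:
        times[(src, dst)].append(datetime.fromisoformat(ts))

    flagged = []
    for pair, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Need at least two intervals to say anything about regularity.
        if len(gaps) >= 2 and max(gaps) - min(gaps) <= max_jitter_seconds:
            flagged.append(pair)
    return flagged


if __name__ == "__main__":
    for label, log in (("old style", OLD_STYLE), ("encoded", NEW_STYLE), ("benign", BENIGN)):
        print(f"{label:10s} signature hits={len(signature_hits(log))} "
              f"beacon pairs={beacon_pairs(log)}")
```

Run stand-alone, the script shows three signature hits on the old traffic, none on the encoded traffic, and the beacon detector flagging the same 10.0.0.5 to 203.0.113.7 pair in both cases while leaving the benign browsing alone. That asymmetry is the practical reason the FireEye researchers say their first priority is detecting the altered TTPs rather than the old bytes.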
Hunting for Infections
We looked to Tom Cross, director of security research at Lancope, for his reaction. He told us it is not surprising that this adversary is continuing to launch attacks.
"State-sponsored attackers have a long-term interest in collecting intelligence from particular targets, and these adversaries are not deterred by being caught. When these kinds of attackers are discovered, they react by adapting their techniques so that they can fly under the radar again," Cross said.
"Organizations that are targeted by these kinds of attacks need to engage in a constant, ongoing process of hunting for infections within their networks," he added. "The fight against this kind of espionage is never over."
Posted: 2013-09-28 @ 3:30am PT
I've uncovered an elaborate network of malware of Chinese origin. The time these people have clearly spent on validating themselves with fake websites, reviews and awards must be huge. It's rather difficult to get anyone to listen to one, though. As they are constantly changing things after I make a report, it's somewhat of a struggle for one person - still, like Marge Simpson says, "Slow and steady wins the race".