New York Times hackers use “evolved” malware to breach new systems


Criminals behind raids on the computer systems at the New York Times have used updated malware to attack the infrastructure of a leading economic policy think tank.

According to an expert at security firm FireEye, the criminals embarked on a new campaign of hacking using evolved versions of the Aumlib and Ixeshe malware families.

Aumlib, which for years has been used in targeted attacks, now encodes certain HTTP communications. FireEye researchers spotted the malware when analysing a recent attempted attack on an as yet unnamed organisation involved in shaping economic policy.


A new version of Ixeshe, which has been in service since 2009 to attack targets in East Asia, uses new network traffic patterns, possibly to evade traditional network security systems.
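The practical point for defenders in the two paragraphs above is that a detection tied to the old message format stops firing once a family changes how it encodes its traffic, while the call-home behaviour underneath is much harder to retool. The Python below is an added illustration and is not code from the article or from FireEye; the log lines, hosts, addresses and beacon format are constructed for the example and are not the real Aumlib or Ixeshe traffic. A content signature catches only the plaintext beacon, whereas a timing-based check flags both clients that contact one host on a fixed cadence.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines in the form "<timestamp> <client> <host> <path>".
# The hosts, addresses and beacon format are made up for this example and are
# not the actual Aumlib or Ixeshe traffic FireEye described.
LOG_LINES = [
    # Client 10.0.0.5: old-style beacon, plaintext victim id in the query string
    "2013-05-01T10:00:00 10.0.0.5 c2-old.example.invalid /check.php?id=host01",
    # Client 10.0.0.9: ordinary browsing with irregular timing
    "2013-05-01T10:00:10 10.0.0.9 www.example.invalid /news/",
    "2013-05-01T10:00:25 10.0.0.9 www.example.invalid /news/story-1",
    # Client 10.0.0.7: same cadence as the old beacon, but the id is now encoded
    "2013-05-01T10:01:00 10.0.0.7 c2-new.example.invalid /check.php?d=aG9zdDAx",
    "2013-05-01T10:03:40 10.0.0.9 www.example.invalid /static/app.js",
    "2013-05-01T10:04:02 10.0.0.9 www.example.invalid /news/story-2",
    "2013-05-01T10:05:00 10.0.0.5 c2-old.example.invalid /check.php?id=host01",
    "2013-05-01T10:06:02 10.0.0.7 c2-new.example.invalid /check.php?d=aG9zdDAx",
    "2013-05-01T10:09:50 10.0.0.9 www.example.invalid /about",
    "2013-05-01T10:10:00 10.0.0.5 c2-old.example.invalid /check.php?id=host01",
    "2013-05-01T10:10:58 10.0.0.7 c2-new.example.invalid /check.php?d=aG9zdDAx",
    "2013-05-01T10:15:00 10.0.0.5 c2-old.example.invalid /check.php?id=host01",
    "2013-05-01T10:16:01 10.0.0.7 c2-new.example.invalid /check.php?d=aG9zdDAx",
    "2013-05-01T10:20:00 10.0.0.5 c2-old.example.invalid /check.php?id=host01",
    "2013-05-01T10:21:00 10.0.0.7 c2-new.example.invalid /check.php?d=aG9zdDAx",
]

# Content signature keyed on the old, plaintext beacon marker (constructed).
OLD_BEACON_SIGNATURE = re.compile(r"[?&]id=host\d+")


def parse_line(line):
    """Split one log line into its four fields; the timestamp becomes a datetime."""
    ts, client, host, path = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "client": client, "host": host, "path": path}


def signature_hits(lines):
    """Clients with at least one request matching the content signature."""
    return {r["client"] for r in map(parse_line, lines) if OLD_BEACON_SIGNATURE.search(r["path"])}


def beaconing_clients(lines, min_requests=4, max_cv=0.1):
    """Clients that contact a single host at a near-constant interval.

    cv is stdev/mean of the gaps between consecutive requests to the same host;
    a value near zero means machine-like regularity regardless of request content.
    """
    by_pair = defaultdict(list)
    for r in map(parse_line, lines):
        by_pair[(r["client"], r["host"])].append(r["ts"])
    flagged = set()
    for (client, _host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            flagged.add(client)
    return flagged


if __name__ == "__main__":
    print("signature hits :", sorted(signature_hits(LOG_LINES)))     # only the plaintext beacon
    print("beaconing      :", sorted(beaconing_clients(LOG_LINES)))  # both beaconing clients
```

The signature check returns only 10.0.0.5, because the encoded variant no longer contains the string the rule looks for; the timing check returns both 10.0.0.5 and 10.0.0.7 and leaves the irregular browsing client alone. In production the interval statistics would be computed over a sliding window and combined with other signals (new or rare destination, request size uniformity), but the contrast is the one the article's observation implies: content signatures age out with each recode, behavioural detections do not.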

The researchers said that the updates are significant for both of the longstanding malware families. Prior to this year, Aumlib had not changed since at least May 2011 and Ixeshe had not evolved since at least December 2011.

Researchers believe the hacking is part of a massive spying operation based in China.

"Cyber criminals are constantly evolving and adapting in their attempts to bypass computer network defences," said Nart Villeneuve, senior threat intelligence researcher at FireEye, in a blog post. "But, larger, more successful threat actors tend to evolve at a slower rate."

He said the firm noticed the change in tactics around May. About four months after The New York Times attack, hackers updated versions of their Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe malware families.

The previous versions of Aumlib had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011.

"We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode," said Villeneuve.

"But we do know the change was sudden. Akin to turning a battleship, retooling techniques, tactics, or procedures (TTPs) of large threat actors is formidable."

He added that such a move "requires recoding malware, updating infrastructure, and possibly retraining workers on new processes."


Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.