After a quiet period, the state-sponsored hacker group blamed for attacks on the New York Times late last year has begun a number of new campaigns that feature updated versions of malware used in attacks going back to 2009.
Researchers at FireEye said the group, identified as APT 12 by forensics company Mandiant, which investigated the Times hacks, had been silent since January. But a recent investigation into an attack against an organization that shapes economic policy revealed that the group was back in business.
“The new campaigns mark the first significant stirrings from the group since it went silent in January in the wake of a detailed exposé of the group and its exploits — and a retooling of what security researchers believe is a massive spying operation based in China,” said Ned Moran and Nart Villeneuve of FireEye.
The two malware families spotted in the attacks, Aumlib and Ixeshe, have been enhanced to encode HTTP communication and to use new network traffic patterns, respectively. The researchers speculate this is an attempt to avoid detection by security systems.
“The updates are significant for both of the longstanding malware families; before this year, Aumlib had not changed since at least May 2011 and Ixeshe had not evolved since at least December 2011,” the researchers said.
The change is noteworthy, the researchers said, because well-financed groups such as this one don’t like to draw attention to themselves.
“We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode. But we do know the change was sudden. Akin to turning a battleship, retooling TTPs (techniques, tactics, procedures) of large threat actors is formidable,” the report said. “Such a move requires recoding malware, updating infrastructure, and possibly retraining workers on new processes.”
The history of Aumlib is pretty straightforward; the malware was a staple in targeted attacks and had a well-known signature. The updated version, FireEye said, includes a new POST request, and the POST body is encoded, unlike previous versions, where the request was transmitted in the clear.
“These subtle changes may be enough to circumvent existing IDS signatures designed to detect older variants of the Aumlib family,” FireEye said.
Ixeshe, meanwhile, is older than Aumlib and has been used against East Asian targets. The updated malware, spotted in an attack against a target in Taiwan, exhibits network traffic that does not match previous attacks, in an attempt to elude existing intrusion detection signatures.
APT 12 was outed in January by an extensive Mandiant report on the attacks against the New York Times, which hired the security company to investigate and clean its systems. The Times attacks began after a report exposing alleged corruption involving prime minister Wen Jiabao. The attackers, working for the Chinese government according to Mandiant, used 45 custom malware samples to infect 53 computers in an attempt to access the computers of the reporter and editor on the Jiabao story.
APT 12 is not the same as the Comment Crew, also known as APT 1; APT 12 is very active but quiet, Mandiant said.
“We see them targeting hundreds of organizations, but don’t attract attention or leave much of a footprint,” Mandiant CISO Richard Bejtlich said in January. Some of these groups act on behalf of the Chinese government, which has targeted journalists in the past in an effort to understand how the country is perceived in the West and perhaps control the sources used by the media.
FireEye, meanwhile, said this is just more of the cat-and-mouse game between hackers and security.
“Knowing how attackers’ strategy is shifting is crucial to detecting and defending against today’s advanced threats. But knowing the ‘why’ is equally important,” the report said. “That additional degree of understanding can help organizations forecast when and how a threat actor might change their behavior — because if you successfully foil their attacks, they probably will.”