The hackers responsible for a prolonged cyber attack on The New York Times have shifted their attention to an unnamed economic policy agency, using more advanced malware.
FireEye researchers uncovered the new hacking tools while analysing a recent attack on one of the company's clients, and warned that the malware is significantly more advanced than that used in the group's previous campaigns. FireEye said the latest campaign uses updated versions of the malware families known as Aumlib and Ixeshe.
The firm found that Aumlib, which for years has been used in targeted attacks, now encodes certain HTTP communications.
"[We] spotted the malware when analysing a recent attempted attack on an organization involved in shaping economic policy," FireEye said in a blog post. "And a new version of Ixeshe, which has been in service since 2009 to attack targets in East Asia, uses new network traffic patterns, possibly to evade traditional network security systems."
The updates are significant for both malware families: before this year, Aumlib had not changed since at least May 2011 and Ixeshe had not evolved since at least December 2011.
"The attackers behind an audacious breach of The New York Times' computer network late last year appear to be mounting fresh assaults that leverage new and improved versions of malware," FireEye researchers said.
"The new campaigns mark the first significant stirrings from the group since it went silent in January in the wake of a detailed exposé of the group and its exploits."
The New York Times reported in January that it had been under cyber attack for almost four months. According to a report published on the New York Times website, the newspaper was nonetheless able to keep the attackers at bay, despite persistent cyber attacks on its systems and staff, with the help of security firm Mandiant, which was brought in to mitigate the attack.
Mandiant subsequently linked the campaign to a Chinese group, noting that the methods used have been associated with the Chinese military.
The attacks were believed to have been carried out in retaliation for a series of articles about former Chinese prime minister Wen Jiabao. China's Ministry of National Defence, however, issued a statement in response to the accusation that denied any involvement.
"Chinese laws prohibit any action including hacking that damages Internet security," it said. "To accuse the Chinese military of launching cyberattacks without solid proof is unprofessional and baseless."
FireEye senior malware researcher Ned Moran said that the latest attacks use evolved versions of the longstanding Aumlib and Ixeshe malware programs, which criminals have used in targeted attacks for several years.
He added that the upgraded tools are designed to help the criminals avoid detection when breaking into a victim's network, even by advanced systems built to detect their previous tools.
"The network protocol has been altered. Signatures designed to detect the previous version of these tools may not detect these new network protocols. This may enable the threat actor to operate undetected," said Moran.