New York Times attackers update tools and change tactics
Security company FireEye claims NYT attackers have returned after an eight-month silence
The attackers responsible for the breach of the New York Times newspaper's computer systems late last year - and a number of other media organisations - are mounting fresh attacks using new malware.
That is the claim of computer security services company FireEye. The new attacks are the first from the group, believed to be based in China, since January, when it was exposed in a detailed report.
According to FireEye, the group is using updated versions of two of its long-standing malware tools, Aumlib and Ixeshe.
"Aumlib, which for years has been used in targeted attacks, now encodes certain HTTP communications. FireEye researchers spotted the malware when analyzing a recent attempted attack on an organization involved in shaping economic policy," wrote FireEye researcher Nart Villeneuve.
He added: "A new version of Ixeshe, which has been in service since 2009 to attack targets in East Asia, uses new network traffic patterns, possibly to evade traditional network security systems."
Villeneuve says that the change in tactics is significant because attackers rarely change their tools and approaches - unless forced to do so.
"The previous versions of Aumlib had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011," wrote Villeneuve.
"We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode. But we do know the change was sudden. Akin to turning a battleship, retooling TTPs of large threat actors is formidable. Such a move requires recoding malware, updating infrastructure, and possibly retraining workers on new processes," he continued.
He concluded: "Based on our observations, the most successful threat actors evolve slowly and deliberately. So when they do change, pay close attention.
"Knowing how attackers' strategy is shifting is crucial to detecting and defending against today's advanced threats. But knowing the 'why' is equally important. That additional degree of understanding can help organizations forecast when and how a threat actor might change their behaviour - because if you successfully foil their attacks, they probably will."