
New York Times hackers resurface

The attackers behind the breach of the New York Times' network resurface, employing new and improved versions of malware.

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 13 Aug 2013
Attackers do not change their approach unless an external force or environmental shift compels them to, says FireEye.

APT12, the attackers behind the breach of the New York Times' computer network in late 2012, have resurfaced.

In January this year, the New York Times reported that hackers from China had been lurking on the paper's network for a minimum of four months, exfiltrating passwords of all employees as a means of identifying sources and gleaning other intelligence on articles about the family of China's prime minister.

New campaigns by APT12 are employing new and improved versions of malware, and appear to be targeting an organisation that "shapes economic ", and several entities in Taiwan.

According to FireEye's blog, the fresh attacks mark the first time the group has reared its head since January, when it went silent following a detailed exposé of its exploits, and a "retooling" of what security practitioners say is an enormous spying operation located in China.

These recent attacks are employing updated versions of Aumlib and Ixeshe that have been enhanced to encode HTTP communication and use new network traffic patterns respectively.

The enhancements, according to FireEye researchers, are an attempt to avoid detection by security measures, and are significant, because Aumlib has not been altered in any way since May 2011 and Ixeshe since December 2011.

According to the company, although cyber crooks are constantly coming up with new ways to bypass security defences, the larger and more successful threat actors evolve more slowly. As long as the criminals are getting what they want, they don't need to reinvent the wheel.

"Attackers do not change their approach unless an external force or environmental shift compels them to," says FireEye.

This is why changes to a successful threat actor always attract attention. FireEye says the first priority is detecting the new or altered TTPs (tactics, techniques and procedures), but it is also important to understand why the attackers changed.

FireEye concludes it is this "additional degree of understanding" that can be of use when forecasting when and how a threat actor might change its behaviour, something extremely likely should an attack be foiled.
