Chinese NYT hackers back in action
The Chinese hackers behind the infiltration of New York Times computer networks last year appear to be active again, and are using improved versions of their malware.
An analysis by FireEye Research has identified the first suspected campaigns from the group since it went dark in January, after the Times published an exposé detailing attacks on its networks over a four-month period.
The new campaigns use upgraded versions of Aumlib, a piece of malware used in targeted attacks, and Ixeshe, which has been used since 2009 to attack targets in East Asia. Prior to these new versions, Aumlib and Ixeshe had not been upgraded since at least 2011.
The changes to both programs focus on attempting to avoid detection. Because cybercriminals often continue using malware until it stops being effective, it is possible that the updates were motivated by increased scrutiny from the security community in the wake of the Times report.
The original Times exposé stated that the attackers had used tactics linked in the past to the Chinese military.
During the attacks, the group broke into the email accounts of the publication's Shanghai bureau chief David Barboza, stole the corporate passwords for every Times employee and used those passwords to access the computers of 53 employees.
Due to the timing of the attacks and the fact that Barboza had been targeted, the report speculated that the attacks may have been linked to a Times investigation into the financial dealings of relatives of Chinese Prime Minister Wen Jiabao.