Malware Used Against NYT Evolves and Returns

FireEye reports that in January, the gang accused of attacking the New York Times for four months at the end of 2012 and start of 2013 went quiet. Now, it says, the same gang appears "to be mounting fresh assaults that leverage new and improved versions of malware."

The new activity was spotted while FireEye was analyzing a recent attempted attack on an organization involved in shaping economic policy. This newest campaign, says FireEye, uses updated versions of two malware families, Aumlib and Ixeshe.

"The updates are significant for both of the longstanding malware families", it says; "before this year, Aumlib had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011." The updated variants appeared around four months after the NYT broke the news of the campaign against it.

"We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode", says FireEye. "But we do know the change was sudden. Akin to turning a battleship, retooling TTPs of large threat actors is formidable. Such a move requires recoding malware, updating infrastructure, and possibly retraining workers on new processes."

If FireEye is right in attributing the retooled malware to the Chinese group that Mandiant tracks as APT12, then it demonstrates two things: firstly, the group has not gone away; and secondly, it has the resources needed to keep its major malware tools effective once they have been publicly exposed.

Meanwhile, in separate news, on 2 August FireEye filed its intention with the Securities and Exchange Commission to go public in a $175 million IPO. FireEye has nearly 1000 employees, and its revenue grew from $11.8 million in 2010 to $83.1 million last year. When the company hired former McAfee president Dave DeWalt as CEO in November 2012, he commented, “The company is getting ready for an IPO sometime in 2013. It might be sooner, it might be later.”
