Joseph Menn
Reuters
August 1, 2013
A Chinese hacking group tied to the breach of security company RSA two years ago has targeted a maker of audio-visual conference equipment in a likely attempt to tap into boardroom and other high-level remote meetings.
Security researchers at Dell Inc’s (DELL.O) SecureWorks unit were able to monitor the computers used by the group to process communications from machines infected with stealthy software for stealing data, according to a paper they are releasing today.
Although the researchers could not tell what information was being extracted, they were able to discover many of the companies and offices unknowingly transmitting information. The compromised computers were in five different offices of a global maker of conferencing equipment, said SecureWorks researchers Joe Stewart and Don Jackson.
“I think they were looking for the source code,” Stewart told Reuters, because that would help them find flaws they could use to eavesdrop in further attacks.
“If your final target is this vendor’s customers of the conferencing product, you would want to be able to connect on their premises.”
Stewart declined to identify the manufacturer, but he has notified both the company and law enforcement. Researchers had previously found security flaws in high-end conferencing gear and the new findings suggest they are a prime target.
As a hacking strategy, such a multi-step effort would track with other major attacks, including the one on RSA, a unit of EMC Corp (EMC.N).
In that case, the hackers took information that helped them duplicate the rapidly changing passwords on SecurID tokens used by defense contractors and others to authenticate users when they log in remotely. The contractors were the real targets in that case, researchers said.
Stewart attributed the new round of attacks to a prolific group based in Beijing that he and others have studied for years. Stewart’s paper with Jackson tracks only one of the three dozen sophisticated malicious software programs that group favors.
That one family of code has hundreds of variants and has been used in at least 64 campaigns, including the penetration of the audio-visual equipment company, Stewart said. The same program has been used against government offices and 10 industries, including mining, media and communications.
Of the infections the researchers were able to identify, the greatest number were in Japan, followed by India, South Korea, Taiwan and the United States.
Stewart said the Beijing group is probably as big as the Shanghai-based crew that drew wide attention in February after security firm Mandiant said it was a specific unit within China’s People’s Liberation Army. China disputed the report and said it does not hack Western companies.
Although characteristics of both the Beijing and Shanghai groups sometimes show up inside the same compromised company, the Beijing group tends to focus more on activists, including those involved with Tibetan issues, Stewart said.
He has cataloged about 275 families of malicious software to date.