By Joseph Menn
SAN FRANCISCO, July 31 A Chinese hacking group
tied to the breach of security company RSA two years ago has
targeted a maker of audio-visual conference equipment in a
likely attempt to tap into boardroom and other high-level remote
meetings.
Security researchers at Dell Inc's SecureWorks unit
were able to monitor the computers used by the group to process
communications from machines infected with stealthy software for
stealing data, according to a paper they are releasing today.
Although the researchers could not tell what information was
being extracted, they were able to discover many of the
companies and offices unknowingly transmitting information. The
compromised computers were in five different offices of a global
maker of conferencing equipment, said SecureWorks researchers
Joe Stewart and Don Jackson.
"I think they were looking for the source code," Stewart
told Reuters, because that would help them find flaws they could
use to eavesdrop in further attacks.
"If your final target is this vendor's customers of the
conferencing product, you would want to be able to connect on
their premises."
Stewart declined to identify the manufacturer, but he has
notified both the company and law enforcement. Researchers had
previously found security flaws in high-end conferencing gear,
and the new findings suggest such systems are a prime target.
As a hacking strategy, such a multi-step effort would track
with other major attacks, including the one on RSA, a unit of
EMC Corp.
In that case, the hackers took information that helped them
duplicate the rapidly changing passwords on SecurID tokens used
by defense contractors and others to authenticate users when
they log in remotely. The contractors were the real targets in
that case, the researchers said.
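The mechanics behind the RSA case are worth seeing in code: a hardware token's "rapidly changing password" is a deterministic function of a secret seed and the current time, so whoever holds a copy of the seed can compute exactly the codes the token displays. The example below is added here and is not code from SecureWorks, RSA or the article; it uses the public RFC 4226 HOTP / RFC 6238 TOTP construction as a stand-in for SecurID's proprietary algorithm (an assumption, since RSA's scheme differs in its primitive and 60-second step), and the seed is the published RFC test key rather than any real token's secret.

```python
import hashlib
import hmac
import struct

# Constructed test seed: the 20-byte ASCII key from RFC 4226 / RFC 6238.
# Any real token's seed would be a secret provisioned by the vendor.
RFC_TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(seed, counter) truncated to `digits` decimals."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(T / step)."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, code: str, unix_time: int, step: int = 30,
           digits: int = 6, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` time steps of clock drift.
    hmac.compare_digest avoids leaking which digit mismatched via timing."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(seed, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def attacker_can_clone(stolen_seed: bytes, genuine_seed: bytes,
                       unix_time: int, step: int = 30) -> bool:
    """True when a stolen seed yields the same code as the genuine token.
    Nothing about the server distinguishes the two: the seed IS the token."""
    return totp(stolen_seed, unix_time, step) == totp(genuine_seed, unix_time, step)


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; with step=30 this is counter 1
    print("token shows :", totp(RFC_TEST_SEED, t))
    print("attacker has:", totp(RFC_TEST_SEED, t))          # identical
    print("server accepts attacker code:",
          verify(RFC_TEST_SEED, totp(RFC_TEST_SEED, t), t))
```

The only remediation once the seed database is known to be copied is what RSA ultimately did: re-seed or replace the tokens, since rotating passwords or shortening the time step leaves the cloned seed just as valid as the original.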
Stewart attributed the new round of attacks to a prolific
group based in Beijing that he and others have studied for
years. Stewart's paper with Jackson tracks only one of the three
dozen sophisticated malicious software programs that group
favors.
That one family of code has hundreds of variants and has
been used in at least 64 campaigns, including the penetration of
the audio-visual equipment company, Stewart said. The same
program has been used against government offices and 10
industries, including mining, media and communications.
Of the infections the researchers were able to identify, the
greatest number were in Japan, followed by India, South Korea,
Taiwan and the United States.
Stewart said the Beijing group is probably as big as the
Shanghai-based crew that drew wide attention in February after
security firm Mandiant said it was a specific unit within
China's People's Liberation Army. China disputed the report and
said it does not hack Western companies.
Although characteristics of both the Beijing and Shanghai
groups sometimes show up inside the same compromised company,
the Beijing group tends to focus more on activists, including
those involved with Tibetan issues, Stewart said.
He has cataloged about 275 families of malicious software to
date.