clock menu more-arrow no yes mobile

Filed under:

Years-long cyber attack on online gaming companies uncovered

A Russian-based computer security company says it's uncovered an international cybercrime group that uses code stolen from online gaming companies to create software that has been used to spy on activists and steal aerospace secrets.

The group may also be funding its cyber espionage by looting the virtual cash from the online games of these companies and selling it for real money.

The Winnti group, named after a backdoor trojan horse program discovered by Symantec, have infected more than 30 companies in the online game industry located in South East Asia and have attacked game publishers in Germany, the U.S., Japan, China, Russia, Brazil, Peru and Belarus, according to Kaspersky Lab.

Kurt Baumgartner, a Boulder, Colo.-based senior security researcher for Kaspersky, said the group was discovered while researching an intrusion in 2011. Researchers have since been able to determine that the group has been operating since 2009 and may be based in China. Its chief goal, he told Polygon, is to steal the digital certificates used by companies to authenticate that their software is not malicious. Once stolen, members of Winnti either sell or trade those certificates to other "threat actors" who then use the certificate to get their malicious software onto target computers.

Among the companies attacked by the group are South Korean game developers Nexon and Neowiz and U.S.-based Trion Worlds, according to a report issued today. Neither Neowiz nor Trion responded to requests for comment.

But Nexon spokesman Mike Crouch told Polygon that the company takes security very seriously.

"Like all companies operating live games, it is not uncommon for outside parties to try to illegitimately gain access to the operation's structure at some level," he said. "We take security very seriously and are strongly committed to protecting the privacy and security of our games and anyone who plays them. We have made significant investments in our security infrastructure and are continually upgrading our security technologies, policies, protocols and procedures to protect our customers and our games against the threats that increasingly arise in today's online world."

Baumgartner said he doesn't believe the group is targeting individuals. But those stolen certificates have been linked to attempts to spy on Tibetan and Uyghur activists last month, according to Baumgartner. He said the certificates were also being used to target people in the aerospace industry as part of a corporate espionage attack.

"It seems like the goal of the attackers is to focus on the gaming companies, steal their digital certificates and maintain their stealth," Baumgartner said. "We haven't seen them going after the end user. Instead they are harvesting these digital certificates."

Kaspersky is continuing to investigate the group to determine how widespread the forged certificates are and help alert both companies being attacked and those having their certificates stolen.

The group may also be funding its cyber espionage by looting the virtual cash from the online games of these companies and selling it for real money.

Baumgartner said the security lab isn't sure why this group has decided to attack online gaming companies.

"We can speculate," he said. "It's a familiar environment to work and they have reproduceable and effective means of attacking these organizations. Another possibility is that they are effective at monetizing their scheme" by accumulating in-game currency.

Another possibility is that these companies are being targeted because they often have to create digital certificates for many different parts of the world, so it becomes an easy one-stop shop for the cyber thieves, Baumgartner said.

"We're not entirely certain why they're focused on gaming, but it's definitely a pattern," he said.

While Baumgartner doesn't believe the attacks are the by-product of lax security, he does think that online game companies need to pay closer attention to their security now that this threat has been identified.

"The Winnti hacking group is not the first and not the last," according to the Kaspersky report. "By making our research paper available to the public, we hope that it will not only spread the knowledge among security researchers but also will help system administrators and security officials in all type of organizations around the world to learn the tactics and tools of the perpetrators. We hope that our shared knowledge will help to better protect IT infrastructure. We also hope that our message will reach Chinese law enforcement agencies. If the current research is not enough to initiate criminal investigation, we hope that it will be enough at least to make some checks and probably prevent other malicious activity from reaching out foreign countries and business within China."

Sign up for the newsletter Sign up for Patch Notes

A weekly roundup of the best things from Polygon