Researchers have uncovered an ongoing cyberespionage campaign targeting more than 30 online video game companies over the past four years.
The companies infected by the malware primarily market so-called massively multiplayer online role-playing games. They’re mostly located in South East Asia, but are also in the US, Germany, Japan, China, Russia, Brazil, Peru, and Belarus, according to a release published Thursday by researchers from antivirus provider Kaspersky Lab. The attackers work from computers with Chinese and Korean language configurations. They used their unauthorized access to obtain digital certificates that were later exploited in malware campaigns targeting other industries and political activists.
So far, there’s no evidence that customers of the infected game companies were targeted, although in at least one case, malicious code was accidentally installed on gamers’ computers by one of the infected victim companies. Kaspersky said there was another case of end users being infected by the malware, which is known as “Winnti.” The company didn’t rule out the possibility that players could be hit in the future, potentially as a result of collateral damage.
“Having infected gaming companies that do business in MMORPG, the attackers potentially get access to millions of users,” the researchers wrote. “So far we don’t have data that the attackers stole from common users but we do have at least two incidents when Winnti malware had been planted on an online game update server and [this] malicious executable was spread among [a] large number of the game fans. The samples we have observed seemed not to be malware targeted for the game fans but a malware module which accidentally got into [the] wrong place. But a potential of attackers to misuse such access to infect hundreds of millions of Internet users creates a great risk.”
Digital certificates stolen in some of the heists have been used to sign malware that targeted Tibetan and Uyghur activists. The cryptographic certificates have also been exploited in attacks that have hit companies in the aerospace industry. Attackers frequently abuse stolen certificates to prevent the malware they’re spreading from being detected by various security protections.
In addition to stealing digital certificates, the Winnti gang’s campaign appears to be motivated by the desire to manipulate in-game currency, such as “runes” or “gold,” that can in many cases be converted into real currency. The attackers may also want to use source code stolen from the game companies so it can be deployed in rogue servers offering pirated versions of the games.
Kaspersky has more here.