Not Playing Nice: Chinese Hacker Gang Has Their 'Game' Face On

Kaspersky said the Chinese hacking group identified as Winnti has been active in a spate of targeted attacks for several years and now specializes in cyberattacks against the online video game industry. The financially motivated cybercriminals appear to be attempting intellectual property theft, infiltrating gaming companies to steal source code for game projects and digital certificates of legitimate software vendors, according to Kaspersky, which issued a report Thursday.

The Winnti hacking group has so far targeted companies in 13 countries, including gaming firms in the U.S. The tight-knit group could have been active since 2007 and is believed to have infected systems in at least 35 companies with its custom malware, Kaspersky said in its report.

[Related: Chinese Group Tied To Massive, Ongoing Cyberattacks In U.S. ]

"It's tempting to assume that advanced persistent threats (APTs) primarily target high-level institutions: government agencies, ministries, the military, political organizations, power stations, chemical plants, critical infrastructure networks and so on," the Kaspersky researchers said in their report. "However, any company with data that can be effectively monetized is at risk from APTs."

The malicious servers under control of the Winnti group began spreading rogue antivirus, according to the report. In 2009 the group changed its tactics, targeting the gaming companies.

"Apparently, the cybercriminals graduated to relatively large-scale penetrations into the corporate networks of gaming companies starting from 2010," the Kaspersky researchers said.

In one instance, Kaspersky said the cybercriminals attempted to impact online gaming processes, possibly to acquire "gold" illegally. The group is also believed to be attempting to modify games slightly in favor of cheats, introducing tweaks to the game experience that are not easily noticeable, the Kaspersky researchers said.

"The attackers are keen for the game to remain popular; otherwise, they would be unable to effectively turn all the time and effort of infecting a gaming company into financial gain," according to the report. "Cybercriminals have affected the processes of the online games from the infected companies and stolen money from them for years, but they have found ways of doing this without attracting attention to themselves."

The report also outlined the group's methods. Like many other targeted attacks, Kaspersky said the group sent spearphishing emails to targeted employees with attached executables, in one case embedding them in a PDF file. Using more than a dozen compromised digital certificates, apparently stolen from other gaming companies, they are attempting to make malware appear to be legitimate software and evade detection.

The hackers used custom malware to first infiltrate company systems and then used PlugX, a popular backdoor Trojan, giving the group remote access. The attackers maintained persistence on systems and then downloaded additional malware to steal data. In any active attacks detected by Kaspersky, the researchers "prevented data transfer to the cybercriminals' server and isolated the infected systems in the company's local network."

PUBLISHED APRIL 11, 2013