Gaming Company Certificates Stolen and Used to Attack Activists, Others

A rash of breaches at companies that develop online videogames has resulted in digital certificates being stolen from the companies and used in attacks targeting other industries and political activists.
Map showing the locations of game developers whose digital certificates were commandeered by hackers to attack other targets. Courtesy of Kaspersky Lab

At least 35 developers of MMORPGs (massively multiplayer online role-playing games) have been hacked in the last year-and-a-half by the so-called Winnti group, with one of the primary goals being to steal their digital certificates for use in other attacks, according to researchers at Kaspersky Lab. The attackers are also interested in mapping the companies' network architectures -- particularly the production servers -- and stealing source code from the gaming developers, likely so that they can find vulnerabilities that would let them artificially generate the virtual currency used in the games and convert it to real-world cash, the researchers say.

"Right now we don't have full confirmation that the attackers abused games to generate fake currencies, as we didn't have full access to the gaming servers that were compromised," the researchers write in a report about their investigation. But they say that at least one gaming company revealed to them that the attackers had injected malicious modules into a process running on their game servers with the aim of acquiring "gaming 'gold'."

With regard to the digital certificates, these have been used to sign malware in attacks on companies in the aerospace industry, on the company that operates CyWorld, the largest social network in South Korea, and on Tibetan and Uyghur activists.

The attack against CyWorld's parent company, SK Communications, used a Trojan horse signed with a compromised digital certificate belonging to a gaming company called YNK Japan Inc. The valid signature let the Trojan pass as trusted software, helping the hackers steal credentials for more than 35 million accounts on the social networking site.

Digital certificates from YNK and from MGAME corporation, another gaming company, were also used to sign malware that targeted Tibetan and Uyghur activists.

It's not known if the same hackers who stole the certificates were also responsible for the attacks against the aerospace industry and the activists, or if they simply supplied the certificates to other groups who performed those hacks.

The gaming companies whose certificates were stolen are based primarily in Southeast Asia, but they also include two companies in the U.S.

Partial list of companies whose digital certificates were compromised. Courtesy of Kaspersky Lab

As for who is behind the attacks, the researchers say only that they found Chinese language in some of the malware -- indicating the attackers are likely Chinese speakers -- and the attacks also used IP addresses based in China.

The campaign against gaming companies was discovered in 2011 after a number of online gaming users got infected with a Trojan horse that was delivered to their machines through a game update server. When Kaspersky researchers were called in to investigate, they discovered that the infection of users was merely a byproduct of the real infection that targeted the gaming company's servers for the purpose of obtaining its digital certificate and source code.

End users weren't adversely affected by the Trojan, since it was missing other components it needed to work properly, Kaspersky says, and the researchers concluded that the Trojan had landed on the update server inadvertently. The attackers hadn't intended to infect end users, though they certainly could have done so had they wanted.

"Right now, we only see them attacking gaming companies, not end users directly," said Kurt Baumgartner, senior security researcher at Kaspersky.

Kaspersky analyzed the malware that was passed to users and discovered it consisted of a main module and a driver that had been signed with a valid digital certificate belonging to a South Korean gaming company named KOG. The main module included a backdoor that would give the attackers remote access to and control over victim computers.

After adding detection signatures for the malware, the researchers uncovered more samples of the backdoor installed on victim computers and found more than a dozen digital certificates that had been compromised in this way. Kaspersky also identified 30 more video game developers that had been breached using the same penetration kit. The backdoors were identified as belonging to the Winnti family -- a name that the security firm Symantec had given similar backdoors it had uncovered previously.

Kaspersky believes the Winnti team has been active since at least 2009, though command-and-control servers used in the attacks were registered as early as 2007. The servers were initially used to spread rogue antivirus programs, then became command centers for controlling botnets aimed at infecting gaming companies. The campaign against the gaming companies began sometime in 2010.

Their activity was first uncovered by the security firm HBGary, after that company investigated a breach of the network of a U.S. video game company. It wasn't known then, however, that the breach was part of a wider campaign attacking multiple gaming developers.

The use of compromised legitimate digital certificates to sign malware has become a popular hacking technique ever since the Stuxnet worm was exposed in 2010. The attackers behind Stuxnet, believed to be the U.S. and Israel, used a legitimate digital certificate stolen from the Realtek company in Taiwan to sign a driver used in their attack, which targeted the uranium enrichment program in Iran.
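The common thread in the KOG-signed driver Kaspersky found, the YNK- and MGAME-signed malware aimed at activists, and the Realtek-signed Stuxnet driver is that each file carried a signature that verified cleanly. The following Go program is an added example, not code from the article, from Kaspersky's report, or from any of the companies named: it builds a hypothetical root CA and game-studio code-signing certificate (the names "Example Root CA" and "Example Game Studio Co." and the file contents are invented), signs a legitimate driver and an attacker's backdoor with the same stolen key, and shows that a verifier checking only the chain and the signature accepts both. The backdoor is rejected only once the signer's certificate fingerprint is on a blocklist, and a backdoor whose body was altered after signing fails the signature check. The signed-file format is a simplified stand-in for Authenticode, not Windows' real PE signature layout.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedDriver is a simplified stand-in for a code-signed driver (not Authenticode).
type SignedDriver struct {
	Body      []byte
	Cert      *x509.Certificate
	Signature []byte // ECDSA signature over SHA-256(Body)
}

// Verdict reports the three checks separately: a stolen certificate passes the first two.
type Verdict struct{ ChainValid, SignatureValid, Blocklisted bool }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Fingerprint is SHA-256 over the DER certificate, the identifier analysts
// share when they publish a compromised signer.
func Fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// Sign is the same routine whether the legitimate owner or a thief holds the key.
func Sign(body []byte, key *ecdsa.PrivateKey, cert *x509.Certificate) *SignedDriver {
	h := sha256.Sum256(body)
	return &SignedDriver{body, cert, must(ecdsa.SignASN1(rand.Reader, key, h[:]))}
}

// Verify checks that the signer chains to a trusted root and is allowed to sign
// code, that the signature matches the body, and that the signer is not blocklisted.
func Verify(d *SignedDriver, roots *x509.CertPool, blocklist map[string]bool) Verdict {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	_, err := d.Cert.Verify(opts)
	h := sha256.Sum256(d.Body)
	pub, ok := d.Cert.PublicKey.(*ecdsa.PublicKey)
	return Verdict{
		ChainValid:     err == nil,
		SignatureValid: ok && ecdsa.VerifyASN1(pub, h[:], d.Signature),
		Blocklisted:    blocklist[Fingerprint(d.Cert)],
	}
}

// Scenario builds a hypothetical root CA and game-studio code-signing certificate,
// signs a legitimate driver and an attacker's backdoor with the same (stolen)
// studio key, and returns the verdicts before and after the studio certificate
// is blocklisted, plus the verdict for a backdoor whose body was altered after signing.
func Scenario() (legit, backdoorBefore, backdoorAfter, tampered Verdict) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	caCert := makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	studioKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // the key the intruders steal
	studioTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Example Game Studio Co."},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	studioCert := makeCert(studioTmpl, caCert, &studioKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	// Constructed bodies standing in for a real driver and a backdoor driver.
	legitDriver := Sign([]byte("example anti-cheat driver v1.2"), studioKey, studioCert)
	backdoor := Sign([]byte("backdoor driver built by the intruders"), studioKey, studioCert)
	blocklist := map[string]bool{}
	legit = Verify(legitDriver, roots, blocklist)
	backdoorBefore = Verify(backdoor, roots, blocklist)
	blocklist[Fingerprint(studioCert)] = true // signer published as compromised
	backdoorAfter = Verify(backdoor, roots, blocklist)
	altered := *backdoor
	altered.Body = append(append([]byte{}, backdoor.Body...), " patched"...)
	tampered = Verify(&altered, roots, blocklist)
	return
}

func main() {
	l, b, a, t := Scenario()
	fmt.Printf("legit=%+v\nbackdoor=%+v\nblocklisted=%+v\ntampered=%+v\n", l, b, a, t)
}
```

The point of keeping the three results separate is that a valid chain and a valid signature only prove that whoever held the key signed the file, not that the key was still in the owner's hands; on a real Windows driver the same gap is closed by revocation or a signer blocklist, not by the Authenticode check itself.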