Kaspersky Labs has uncovered an active cybercrime ring that has
infiltrated the servers of many games developers and publishers for the
past four years, to access source codes for the development of pirated
games and steal virtual currency.
According to its blog post Thursday,
Kaspersky fingered a group named "Winnti" to be responsible for
breaking into the servers of at least 35 games developers and publishers
since 2009. The evidence it had uncovered suggested the cybercriminals
were looking to steal proprietary source codes to possibly develop into
pirated versions of the games, or to steal virtual currency which can be converted into real money, it said.
Most of the victims were located in Asia, especially the Southeast
Asia region and also in Japan, China and South Korea. However, companies
in Germany, the United States, Russia, Brazil, Peru and Belarus have
also been hit, it said.
The attacks are still ongoing, targeting "massively multiplayer
games" which involve millions of users across different countries.
Kaspersky Labs will continue investigating Winnti, it noted.
Impact unknown
The security company acknowledged it does not have a clear picture of
how much damage the cybercriminal group has caused, as it had not been
given full access to all the infected servers. Some games companies have,
however, reported malicious software in processes which suggested the hackers had
manipulated virtual currencies, the blog post noted.
The group also stole digital certificates, which it then used for future
attacks. For example, in an attack against South Korean social networks
Cyworld and Nate in 2011, the attackers used a Trojan which was
digitally signed using a certificate from video games company YNK Japan,
it said.
Hackers possibly from China, South Korea
Kaspersky also shed light on the origins of Winnti. It said: "We
believe the source of all these stolen certificates could be the same
Winnti group. Either this group has close contacts with other Chinese
hacker gangs, or it sells the certificates on the black market in
China."
It stated initial analysis of the malicious files showed the text
used to be in Chinese Simplified GBK coding, which indicated the
nationality of the cybercriminals. In addition, the cybercriminals used
the AheadLib program, which has a Chinese interface, to create malicious
libraries.
However, while monitoring the cybercriminals' activities on infected
machines, the security researchers noticed Winnti uploaded the
certificate found in the infected system and network traffic data
reflected the local path where it had saved the file on the computer. It
was there that Korean characters for the word "desktop" appeared.
"This means the attackers were working on a Korean Windows operating
system," the blog post said. "Therefore, we can presume that the attack
is not the exclusive work of Chinese-speaking cybercriminals."
Kaspersky Labs was first called to investigate Winnti in 2011, when
malware was discovered on computers across the globe, all of which
belonged to players of a popular online game that it did not specify.
The malware was traced to a downloaded update from the game publisher's
server.
The security vendor then found the attackers managed to install a
Trojan malware granting surreptitious access to compromised machines on
the company's servers. Upon closer examination, it was found the group
employed similar tactics against other games publishers, the blog post
stated.