Cyberwarfare / Nation-State Attacks
Fraud management and cybercrime
FireEye reports some hackers targeting the gaming industry for financial gain
Apurva Venkat (@VenkatApurva) •
August 12, 2019
Some members of a Chinese government-affiliated hacker group known mostly for their sophisticated cyber-presentation campaigns have developed a side business aimed at the global gaming industry for financial gain, according to security firm FireEye.
See also: Webinar | Key trends in payment intelligence – machine training to prevent fraud
Members of the state-sponsored hacking group known as APT41 have been targeting the video game industry for several years, using a combination of compromised electronic passwords and digital certificates, the introduction of personalized malware, and phishing emails for what looks like is outside the clock virtual currency theft, according to a new FireEye report.
FireEye researchers believe the goals of the gaming industry include video game development studios, distributors and publishers, as well as companies involved in the global supply chain in the industry.
"Video game-focused APT41 campaigns have largely affected studios and distributors in East and Southeast Asia, although global companies based in the United States have also targeted," says Nalani Fraser, senior intelligence analyst at FireEye, the Information Security Media Group.
It's unclear how much money APT41 members made by hacking gaming companies and individual gamers, but Fraser notes that in one case, attackers gained access to a gaming environment and pulled millions of dollars in virtual currency for less for three hours.
Afterwards, this virtual currency was probably sold at a discount of underground forums and attacker networks for about $ 300,000, Fraser estimates.
"This amount pales in comparison to other cybercrime operators and supports our theory that APT41 [members] they perform these operations alongside their actual jobs, "says Fraser.
The APT41 Group, which has been active since at least 2014, is known for its global ambitions, which include targeting businesses and organizations in 14 countries, according to FireEye. Although the group's precise ties with the Chinese government are unclear, its cyber-espionage activities appear to coincide with the country's Made in China 2025 mission – a blueprint for developing its high-tech and advanced manufacturing sectors.
Over the last five years, APT41 has targeted a number of organizations, including those in the healthcare, high-tech and telecommunications sectors, according to FireEye. The group is also known for spying on higher education, travel services, as well as entertainment and media companies.
In addition to the theft of intellectual property, APT41 is known to monitor certain people, including Chinese employees, as they travel the world, according to FireEye.
The group has developed an arsenal of malware and other malicious tools, including custom backdoors, trust stealers, keyloggers and rootkits, but is also known to be pulling techniques from other groups, FireEye reports.
The APT41 relies on simple e-mail attachments with attachments that initially compromise its victims, say FireEye researchers.
Although the hacker group has developed over 40 malicious tools, it now appears that at least some members are using these techniques and malware for their own financial gain as an out-of-hours side bust, according to FireEye.
"APT41 is unique to Chinese-based participants in that it uses non-public malware, typically reserved for espionage operations, in what appears to be an activity not covered by state-sponsored missions," the report said.
This side business of assault and theft from the global gaming industry appears to be linked to two people linked to the group, FireEye reports.
These two individuals, named "Zhang Xuwang" and "Wolfgang," have been identified as members likely to carry out these malicious attacks, some of which date to 2012, before the APT41 group was first discovered, a findings report .
"We have been able to identify at least two staff involved in Chinese forum activity, but the group is probably much larger based on the significant amount of concurrent targeting observed over the years," Fraser says. "It's hard to say how many additional members are part of APT41."
FireEye identifies these two individuals based on personal information, their past work, their programming skills, and the specific goals they have chosen.
Late night surgery
FireEye found that most of the financially-motivated activity targeting the gaming industry takes place during off-hours, usually late at night or early in the morning.
During this time, APT41 members suspected of working off-site used various techniques to compromise initially, including phishing, moving trusted third-party sites, using stolen credentials, installing websites on vulnerable servers, and access to victim organizations using remote desktop sharing software such as TeamViewer, Fraser says.
"However, they are also well known for making complex compromises in the supply chain to infect hundreds of victims at one time. Once within a victim organization, the group can use more complex ones. [tactics, techniques and procedures] and the introduction of additional malware tools, "he adds.
Increases the voltage
State-sponsored Chinese espionage by groups such as APT41 has been a growing cause of tensions between China and the US over the past few years.
In 2015, the United States reached a landmark agreement with China to stop cyberattacks targeting theft of intellectual property. But after a lull, experts say the suspected attacks in China have resumed (see: US, China reach agreement on cyber).
This led to a crackdown by US authorities on China-sponsored cyber espionage.
For example, the US Department of Justice indicted two Chinese citizens in December over a cyber-espionage campaign, claiming they were acting in concert with a government agency (see: 2 Chinese nationals accused of cyber espionage).