Chinese hackers targeted company behind 'Ragnarok Online' MMORPG

Security firm finds new Chinese malware aimed at the Gravity game maker's network. Unclear if the attempted intrusion succeeded.

rargnarok-01.jpg

Image: Gravity Co., Ltd.

Special feature

Cyberwar and the Future of Cybersecurity

Today's security threats have expanded in scope and seriousness. There can now be millions -- or even billions -- of dollars at risk when information security isn't handled properly.

Read More

One of China's largest state-sponsored hacking groups has attempted to breach the internal network of Gravity, the South Korean gaming company behind popular Ragnarok Online MMORPG (Massive Multiplayer Online Role-Playing Game).

The intrusion attempts are believed to have taken place earlier this year, although it is unclear if they were successful or not.

The attempted attacks came to light today after cyber-security firm QuoIntelligence (QuoINT) published a report on new malware strains it discovered, which it attributed to a Chinese hacker group known as Winnti (aka APT41, BARIUM, Blackfly).

"We were able to extract the malware's configuration file and identify the intended target. In this case, the following string was included within the extracted configuration: 0x1A0: GRAVITY," the company said.

"Based on previous knowledge and targeting of the Winnti Group, we assess that this sample was likely used to target Gravity Co., Ltd., a South Korean video game company," QuoINT sid.

The malware was described as "the Winnti Dropper," a type of malware that's usually the first one that infects a victim's computer, and then proceeds to download other malware strains.

A Gravity spokesperson could not be reached for comment before this article's publication. It is unclear if the company is aware of the attempted intrusion attempt or if it succeeded.

Winnti has a known history of attacking gaming companies

QuoINT says this attempted intrusion is just the latest in a long line of Winnti attacks aimed at the video game industry, and especially aimed at gaming companies operating from South Korea and Taiwan, which the group has frequently targeted.

Such attacks have happened before. In a March 2018 report, Kaspersky said "the Winnti group has been active for several years and specializes in cyber-attacks against the online video game industry."

In May 2019, ESET reported that Winnti managed to breach and backdoor games from at least three Asian gaming companies, including Electronics Extreme's popular Infestation game.

In August 2019, FireEye published a report detailing the Winnti (APT41) group's attacks against the gaming industry. According to FireEye's assessment, the group's attacks on gaming companies are not related to any cyber-espionage objectives. Instead, FireEye says that Winnti (APT41) members appear to target gaming companies outside of working hours, in their free time, hacking for their own personal profits by either stealing or manipulating online gaming currencies.