Kaspersky discovers hacker group targeting online games

Security firm says a group named "Winnti" has been infiltrating the servers of at least 35 games developers and publishers, many in Asia, since 2009, stealing their source code for software piracy and virtual currency.
Written by Ellyne Phneah, Contributor

Kaspersky Labs has uncovered an active cybercrime ring that has infiltrated the servers of many games developers and publishers over the past four years, to access source code for the development of pirated games and to steal virtual currency.

According to its blog post Thursday, Kaspersky identified a group named "Winnti" as responsible for breaking into the servers of at least 35 games developers and publishers since 2009. The evidence it had uncovered suggested the cybercriminals were looking to steal proprietary source code, possibly to develop pirated versions of the games, or to steal virtual currency which can be converted into real money, it said.

Most of the victims were located in Asia, especially the Southeast Asia region and also in Japan, China and South Korea. However, companies in Germany, the United States, Russia, Brazil, Peru and Belarus have also been hit, it said.

Places where hacker group "Winnti" has conducted its activities. (Source: Kaspersky Labs)

The attacks are still ongoing, targeting "massively multiplayer games" which involve millions of users across different countries. Kaspersky Labs will continue investigating Winnti, it noted.

Impact unknown

The security company acknowledged it does not have a clear picture of how much damage the cybercriminal group has caused, as it had not been given full access to all the infected servers. Some games companies have, however, reported malicious software in processes, which suggests the hackers had manipulated virtual currencies, the blog post noted.

The group also stole digital certificates, which it then used for future attacks. For example, in an attack against South Korean social network Cyworld and Nate in 2011, the attackers used a Trojan which was digitally signed using a certificate from video games company YNK Japan, it said.

Hackers possibly from China, South Korea

Kaspersky also shed light on the origins of Winnti. It said: "We believe the source of all these stolen certificates could be the same Winnti group. Either this group has close contacts with other Chinese hacker gangs, or it sells the certificates on the black market in China."

It stated that initial analysis of the malicious files showed the text used was in Chinese Simplified GBK encoding, which indicated the nationality of the cybercriminals. In addition, the cybercriminals used the AheadLib program, which has a Chinese interface, to create malicious libraries.

However, while monitoring the cybercriminals' activities on infected machines, the security researchers noticed Winnti uploaded the certificate found in the infected system, and the network traffic data reflected the local path where it had saved the file on the computer. It was there that Korean characters for the word "desktop" appeared.

"This means the attackers were working on a Korean Windows operating system," the blog post said. "Therefore, we can presume that the attack is not the exclusive work of Chinese-speaking cybercriminals."

Kaspersky Labs was first called to investigate Winnti in 2011, when malware was discovered on computers across the globe, all of which belonged to players of a popular online game that it did not specify. The malware was traced to a downloaded update from the game publisher's server.

The security vendor then found the attackers had managed to install, on the company's servers, Trojan malware granting surreptitious access to compromised machines. Upon closer examination, it was found the group employed similar tactics against other games publishers, the blog post stated.
