Members of Chinese Espionage Group Develop a 'Side Business'

FireEye Reports Some Hackers Target Gaming Industry for Financial Gain
Some members of a hacking group with ties to China's government that’s primarily known for its complex cyberespionage campaigns have developed a side business targeting the global gaming industry for financial gain, the security firm FireEye says.
Members of the state-sponsored hacking group, which is known as APT41, have been targeting the video gaming industry for several years by using a combination of compromised electronic passwords and digital certificates, the deployment of customized malware, as well as phishing e-mails, for what appears to be off-hours theft of virtual currency, according to a new FireEye report.
FireEye researchers believe the gaming industry targets include video game development studios, distributors and publishers as well as companies involved in the industry's global supply chain.
"APT41 campaigns focused on the video game sector have largely affected studios and distributors in East and Southeast Asia, although global companies based in the United States have also been targeted," Nalani Fraser, a senior manager for intelligence analysis at FireEye, tells Information Security Media Group.
It's not clear how much money members of APT41 have made by hacking gaming companies and individual gamers, but Fraser notes that in one case, the attackers gained access to a gaming production environment and mined millions of dollars in virtual currency in less than three hours.
This virtual currency was then likely sold at a discount on underground forums and netted the attackers about $300,000, Fraser estimates.
"This amount pales in comparison to other cybercrime operators and supports our theory that APT41 [members] perform these operations alongside their real jobs," Fraser says.
The APT41 group, which has been active since at least 2014, is known for its global ambitions, which include targeting businesses and organizations in 14 countries, according to FireEye. While the group's exact ties to China's government are not clear, its cyber and espionage activities appear to coincide with the country's "Made in China 2025" mission – a plan to develop its high-tech and advanced manufacturing sectors.
Over the last five years, APT41 has targeted a number of organizations, including those in the healthcare, high-tech and telecommunications sectors, according to FireEye. The group is also known for spying on higher education, travel services as well as entertainment and media firms.
In addition to stealing intellectual property, APT41 is known to keep track of certain individuals, including Chinese officials, as they travel around the world, according to FireEye.
The group has developed an arsenal of malware and other malicious tools, including customized backdoors, credential stealers, keyloggers and rootkits, but it's also known to borrow techniques from other groups, FireEye reports.
APT41 relies on simple spear-phishing emails with attachments to initially compromise its victims, FireEye researchers say.
Although the hacking group has developed over 40 malicious tools, it now appears that at least some members are using these techniques and malware for their own financial gain as an "off hours" side hustle, according to FireEye.
"APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage operations in what appears to be activity that falls outside the scope of state-sponsored missions," according to the report.
This side business of attacking and stealing from the global gaming industry appears linked to two individuals associated with the group, FireEye reports.
These two individuals, who go by the names "Zhang Xuguang" and "Wolfzhi," have been identified as the members who are likely carrying out these malicious attacks, some of which date back to 2012, before the APT41 group was first discovered, the report finds.
"We were able to identify at least two personas connected to activity on Chinese forums, but the group is likely a lot larger based on the sizeable amount of concurrent targeting observed over the years," Fraser says. "It is difficult to tell how many additional members are part of APT41."
FireEye identified these two individuals based on personal information, their past work, their programming skill set as well as specific targets they chose.
Late Night Operation
FireEye found that most of the financially motivated activity targeting the gaming industry occurs during off hours, typically late at night or early in the morning.
During that time, the APT41 members suspected of working on the side leverage a variety of techniques to perform an initial compromise, including spear phishing, moving laterally from trusted third parties, leveraging stolen credentials, installing webshells on vulnerable servers, and accessing victim organizations using remote desktop sharing software, such as TeamViewer, Fraser says.
"However, they are also well known for conducting complex supply chain compromises to infect hundreds of victims at once. Once inside a victim organization, the group can leverage more sophisticated [tactics, techniques and procedures] and deploy additional malware tools," he adds.
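The off-hours pattern FireEye describes, combined with the use of remote desktop sharing tools such as TeamViewer, is something a defender can hunt for directly. The following is an added example, not code from FireEye or the report: it parses constructed remote-access session logs (the log format, the 22:00-06:00 off-hours window and the "internal network is 10/8" rule are all assumptions) and flags remote-tool sessions that start outside business hours, with a list of accounts expected to work at those times to cut known noise.

```python
import re
from datetime import datetime

# Constructed sample log lines (assumed format, not from the report):
# one remote-access session event per line, ISO-8601 timestamps in local time.
SAMPLE_LOG = """\
2019-08-06T23:41:12 host=build01 user=svc_buildagent tool=TeamViewer src=198.51.100.7 action=session_start
2019-08-06T14:05:33 host=ws-art12 user=alice tool=RDP src=10.0.4.21 action=session_start
2019-08-07T02:17:48 host=db-game01 user=contractor_qa tool=RDP src=203.0.113.9 action=session_start
2019-08-07T03:02:05 host=db-game01 user=contractor_qa tool=RDP src=203.0.113.9 action=session_end
2019-08-07T09:30:00 host=ws-art12 user=bob tool=TeamViewer src=10.0.4.30 action=session_start
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) tool=(?P<tool>\S+) "
    r"src=(?P<src>\S+) action=(?P<action>\S+)$"
)
REMOTE_TOOLS = {"TeamViewer", "RDP"}       # remote desktop sharing tools named on the page
OFF_HOURS_START, OFF_HOURS_END = 22, 6     # assumption: 22:00 to 06:00 local is "off hours"
INTERNAL_PREFIXES = ("10.",)               # assumption: 10/8 is the corporate network


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_off_hours(ts):
    """True when the timestamp's hour falls in the assumed overnight window."""
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def flag_off_hours_remote_sessions(log_text, expected_accounts=frozenset()):
    """Return session_start events over remote-access tools outside business hours,
    skipping accounts that are expected to be active then. Each hit is tagged with
    whether the source address is outside the assumed internal network."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "session_start" or ev["tool"] not in REMOTE_TOOLS:
            continue
        if not is_off_hours(ev["ts"]) or ev["user"] in expected_accounts:
            continue
        ev["external_source"] = not ev["src"].startswith(INTERNAL_PREFIXES)
        flagged.append(ev)
    return flagged
```

Hits from an external source for an account that has no business reason to work overnight are the ones worth pulling session recordings and credential-use history for first.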
State-sponsored Chinese espionage by groups such as APT41 has been an increasing cause of tension between China and the U.S. over the last several years.
In 2015, the U.S. reached a landmark agreement with China to stop cyberattacks aimed at stealing intellectual property. But after a lull, experts say suspected China-backed attacks have resumed (see: U.S., China Reach Cyber Agreement).
That has led to a crackdown by U.S. authorities on China-sponsored cyberespionage.
For instance, the U.S. Department of Justice charged two Chinese nationals in December in connection with a cyberespionage campaign, alleging they acted in association with a government agency (see: 2 Chinese Nationals Indicted for Cyber Espionage).