Governance & Risk Management , IT Risk Management

'ShadowHammer' Spreads Across Online Gaming Supply Chain

Several Gaming Suppliers Are the Latest Victims, Kaspersky Finds
'ShadowHammer' Spreads Across Online Gaming Supply Chain

A sophisticated supply-chain attack dubbed Operation ShadowHammer is becoming more pervasive, with the group targeting online gamers, security researchers warn.

See Also: How to Build Your Cyber Recovery Playbook

On Tuesday, Kaspersky Lab, which first took note of ShadowHammer in March, released new research that shows the threat group targeting at least three video game suppliers in Asia as well as a three other firms, including another online gaming supplier, a conglomerate holding company and a pharmaceutical firm based in South Korea.

Kaspersky previously reported that PC maker Asus and the third-party supplier of the company's Live Update Utility software were the first targets of ShadowHammer, although the researchers warned that the attacks focused on infecting the supply chains of many different kinds of enterprises.

As with the attack against Asus, these new incidents involved the installing of backdoors in software with the identification of victims through their MAC addresses. The attackers behind ShadowHammer hardcode MAC addresses into the trojanized software samples to target specific machines and their users, according to Kaspersky, which recovered some samples.

The exact motives behind the ShadowHammer attacks remain unclear even after this further research, Kasperky notes. In the case of Asus, it seems that at least 600 victims were targeted, but it's not clear why.

"At this unprecedented scale of operations, it is still a mystery why attackers reduced the impact by limiting payload execution to 600+ victims in the case of Asus. We are also unsure who the ultimate victims were or where the attackers had collected the victims MAC addresses from," according to the research paper released Tuesday.

One reason why this attack went undetected for a long time is that the malicious software was signed with legitimate security certificates, such as "AsusTeK Computer Inc." in the case of the first attack, according to Kaspersky.

ShadowHammer Hits Gamers

In its latest research report, Kaspersky notes three additional ShadowHammer victims, all connected with the video game industry:

  • Electronics Extreme, the Thailand-based author of the zombie survival game "Infestation: Survivor Stories;"
  • Innovative Extremist, also based in Thailand, which provides web and IT infrastructure services and formerly worked in game development;
  • Zepetto, a South Korean company that developed the video game "Point Blank."

As with the attacks that focused on Asus, ShadowHammer infected numerous systems at these companies with the intent of gathering as much information as possible before targeting specific individuals, says Vitaly Kamluk, Kaspersky's director of the global research and analysis team for the APAC region.

"There are two clusters of victims in the new report - gaming companies and their customers," Kamluk tells Information Security Media Group.

"We do not know how the gaming companies were initially breached, but some powerful malware installed on their systems used a system-specific identifier to be able to run," Kamluk says. "As for the gamers, the backdoor injected into the games was system-agnostic. It didn't have any targeting profiles, but would collect system information such as language, OS version, MAC address and other system properties and send it to the attackers."

Kamluk adds that the group behind ShadowHammer had a "high interest" in the online gaming sector. Because South Korea is a global hub for this market, it may explain why so many victims live in that country.

Kaspersky is still attempting to contact the three other companies targeted in this attack, which is why they were not named in Tuesday's report.

Comparing Attacks

While the attacks against Asus and the three gaming suppliers contained subtle differences, the similarities helped Kaspersky tie the attacks together and point the finger at ShadowHammer.

For instance, the researchers found that the algorithm used to calculate API function hashes within the trojanized games closely resembled the algorithm used to create the backdoor within the Asus Live Update Utility software. Since the original report, Asus and its suppliers have patched the flaw that led to the original attack.

How the ShadowHammer attack against Asus worked (Image: Kaspersky)

In the case of the three named gaming supply companies identified in the new report, Kaspersky found that ShadowHammer was able to install a malicious payload that would collect system information and communicate with a command-and-control server that the group used. The data that the payload collects can include network adapter MAC address, system username, system host name and IP address, Windows version and CPU architecture.

The report notes that the before an attack begins, the trojanized games run a check within the systems, looking for specific configurations, such as process monitoring tools or if the system language ID is set to Simplified Chinese or Russian. In these cases, the malware stops. If these conditions are not present, it proceeds, Kaspersky says.

Targeting Supply Chains

The size and scope of ShadowHammer, combined with the group's ability to forge certificates to avoid detection, show that its attacks are much larger than other types of schemes targeting the global supply chain.

For example, in another type of attack in 2017 called ShadowPad, attackers planted a data-stealing backdoor in five software packages associated with server management vendor NetSarang, Kaspersky points out.

In its previous reports, researchers noted a loose connection between ShadowPad and ShadowHammer. ShadowPad, which has also been referred to as Barium, has connections to a larger group dubbed Winnti Umbrella, which is named for the backdoor tools used as part of its various schemes, Kaspersky says.

Some researchers believe Winnti Umbrella is associated with Chinese intelligence. The group also goes by the names Winnti, PassCV, APT17, Axiom, Lead, Wicked Panda and Gref.

Kasperksy also notes in its new research that ShadowHammer reused algorithms found in other malware samples, including those of PlugX - a backdoor popular with Chinese-speaking hacker groups

"We believe it [ShadowHammer] is related to the activity of the ShadowPad threat actor, which is also known as the Barium Group - Microsoft's classification - and is a descendant of the Winnti group," says Kamluk.

The other supply chain attack that ShadowHammer has now surpassed is CCleaner, which also dates from 2017. In that campaign, hackers attacked a server owned by British developer Piriform, which recently was acquired by Czech security firm Avast, and used it to distribute CCleaner malware to customers, infecting about 77,000 systems worldwide.

Taking Advantage of Weaknesses

ShadowHammer, CCleaner and ShadowPad all take advantage of certain weaknesses in the global supply chain. Because attackers use realistic-looking certificates, companies need to verify the software that their suppliers are using and run more careful checks of third-party firms, Kamluk says.

"We think that supply chains should be more carefully verified, and businesses should not blindly trust digital signatures, but rather, complete actual code validation," Kamluk says. "The manufacturers of software should also implement regular security audits of their development environment, which will allow them to discover backdoored compilers like those used in the ShadowPad attacks."

Because companies share a wealth of data with their supply chains, enterprises need to rethink their approach to security, says Steve Durbin, managing director of the Information Security Forum.

"Supply chain information risk management should be embedded within existing procurement and vendor management procedures," Durbin says. "A well-structured supply chain information risk assessment approach can provide a detailed, step-by-step approach to portion an otherwise intimidating project into manageable components. This method should be information-driven, rather than supplier-centric, so it is scalable and repeatable."

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.