A notorious Chinese hacker has been indicted in a sophisticated scheme to steal and sell loot from online games.


The U.S. Department of Justice announced today that five Chinese hackers have been indicted for spying on more than 100 companies worldwide and stealing millions of dollars. One of the multiple indictments announced by the Department detailed an elaborate scheme involving these hackers and two Malaysian businessmen to gain real profits by illegally accessing various online games, generating fake items, and selling them online.

The Chinese hackers in question belong to a group known as APT41 (also known as Barium), which has been active since early 2012 and is widely believed to be at least partially aligned with the Chinese government. APT41 has been accused of using ransomware, phishing, and other methods to infiltrate hundreds of networks around the world, ranging from universities to foreign government agencies, to commit espionage and theft. For example, APT41 allegedly hijacked Asus' Live Update software last year and used Asus' own servers to install backdoors on potentially hundreds of thousands of computers. Now the U.S. government has named five suspects and charged them with dozens of counts of fraud and identity theft.

While they will not be extradited to the U.S., the indictment ties APT41 to a number of massive security breaches affecting companies like CCleaner. Costin Raiu, head of the Global Research & Analysis Team at security firm Kaspersky, told Wired, "These were the most massive supply chain attacks in history. It's very important to tie them to these attacks."

What is particularly fascinating, however, is that one of the indictments explains how APT41, in cooperation with a website known as SEA Gamer, compromised the networks of at least nine major gaming companies in the US, France, Korea, and Japan over the past several years. It is not clear which companies were affected. According to Wired, the two Malaysian owners of SEA Gamer, Wong Ong Hua and Ling Yang Ching, have already been arrested by local authorities, and the Justice Department has requested their extradition so they can be tried in federal court.

The indictment, which you can read for yourself, is a 50-page document that describes a comprehensive and elaborate scheme in which APT41 hackers used malware, phishing emails, and identity theft to break into networks and databases owned by nine unnamed gaming companies. Their modus operandi included code-signing certificates stolen from legitimate companies, so that the malware appeared to be legitimately signed software, as well as more sophisticated "supply chain attacks," in which the hackers compromised software development companies and modified those companies' software to include malicious code.

Once in the network, the hackers were able to duplicate items and currency and place them in accounts owned by SEA Gamer. Those items would then be sold to other players through SEA Gamer. To avoid being caught by the gaming companies, APT41 "monitored fraud detection personnel at the affected companies." In some cases, APT41 identified the specific algorithms and procedures that companies might use to discern that someone was selling fraudulently obtained gold, and helped SEA Gamer devise ways to avoid detection.

According to the indictment, APT41 even used its illegal access to the gaming companies' networks to "take action" against unrelated hacking groups attempting to do the same, effectively eliminating their competition.

It is not clear how much money was made in this racketeering business, but a passage in the indictment states that in 2015 one of the hackers received payments from SEA Gamer totaling approximately 30.7 million, although it is not clear whether that is in US dollars, yen, or something else.

It is also frustrating that the report does not name any of the nine gaming companies affected, but it does provide some clues by listing where each company's "protected computers" were primarily located. For example, one of the U.S. companies compromised was a subsidiary of another Korean gaming company hit by APT41, which, according to the indictment, owns computers based in Washington and Illinois.

Regardless of who was involved, it may seem like the stuff of science fiction that such a scheme was happening, but according to Michael Sherwin, acting U.S. attorney for the District of Columbia, this is not the first or last cybercrime of this kind. He said, "Unfortunately, this is a new area for hackers to exploit, a billion-dollar industry. I am confident this is not the end." To learn more about how online games are being exploited for cybercrime, see my interview with cybersecurity expert Jean-Loup Richet on how money laundering works in MMOs like World of Warcraft and EVE Online.

Thanks, Wired.
