US charges Chinese hackers with ‘unprecedented’ attacks on gaming companies
Video games are a billion-dollar business and hackers are starting to notice, the Justice Department warned on Wednesday. The agency announced charges against five Chinese hackers and two Malaysian tech executives tied to a six-year campaign against multiple video game companies.
The five from China – Zhang Haoran, Tan Dailin, Qian Chuan, Fu Qiang and Jiang Lizhi – are allegedly responsible for hacking more than 100 companies, including social networks, telecommunications providers, universities and nonprofits. While these are common targets for nation-state hackers, the attacks on video game companies raise new concerns for the Justice Department.
“Unfortunately, we see this as a new area for hackers to exploit, and it’s a billion dollar industry,” said Michael Sherwin, the acting US attorney for Washington, DC, at a news conference. “There are many coins, tokens and digital currencies in a lot of these online games.”
Video game purchases drive robust sales every month, reaching $1.2 billion in July. Fortnite, a free game, generated $2.4 billion in revenue from in-game purchases in 2018. For hackers, it’s an industry ripe for profit from cyberattacks.
“This is a new, targeted environment,” said Sherwin, describing the scope and sophistication of these attacks as “unprecedented.”
The hacking campaign began in June 2014 and lasted until August, Justice Department officials said. Video game companies based in the United States, South Korea, Japan and Singapore were affected.
The group of Chinese hackers, known to the government as APT 41, is believed to have gained access through a variety of methods, including brute force attacks, spear phishing, and supply chain attacks. In a brute force attack, hackers try possible passwords one after another until one works.
“APT41 has been involved in several high-profile supply chain incidents that often mixed their criminal interest in video games with the espionage operations they conducted on behalf of the state,” said John Hultquist, senior director of analysis at cybersecurity firm FireEye. “For example, they compromised video game distributors to distribute malware that could then be used for follow-up operations.”
A California-based video game company was hit after the hackers sent an email impersonating a former employee and attached a malware-laced résumé to it, according to court records.
Justice Department officials also noted that the supply chain attacks not only affected video game companies, but reached several companies around the world. The Chinese hackers would compromise the software used by large companies and gain access through malicious backdoors they created, officials said.
Once the hackers had access to a video game company, according to the Justice Department, they modified the company’s databases to generate certain items or virtual currency for themselves, and then sold them through a marketplace called SEA Gamer Mall, a company based in Malaysia.
Its CEO Wong Ong Hua and Chief Product Officer Ling Yang Ching are accused of collaborating with the Chinese hackers to sell the virtual items on their platform. The Malaysian police arrested the two on Monday and the US government is requesting extradition.
The company did not respond to requests for comment.
Prosecutors said Ling had joined a Facebook group that was classified as a black market for one of the hacked games, and that he used the group to promote the sale of the virtual items.
It’s unclear how profitable the effort was, but investigators found 3,779,440 in an unknown currency that was transferred to a hacker’s bank account in 2014.
In July 2017, the hackers began targeting games in the US and Europe after finding that games in Southeast Asia brought in little income, according to court documents.
While the attackers had access to a video game company’s internal network, they were able to stay one step ahead of its fraud detection. The hackers monitored the company’s protections and often worked around them to continue their campaign, Justice Department officials said.
The hackers had access to 25 million records of names, addresses, password hashes, emails and other personal information of customers.
According to court records, the hackers also used their access to sabotage their competition in selling video games.
Deputy Attorney General Jeffrey Rosen said the agency worked with Google, Microsoft, Facebook, Verizon and other tech companies to stop the hacking campaign. This included shutting down fake sites designed to look like Google and Microsoft login pages, and removing VPNs that the hackers used to hide their tracks.
“We used every tool available to the department to disrupt these APT 41 activities,” said Rosen.