According to a report from Kaspersky Lab, a hacking group called Winnti has been targeting online game companies for years in order to steal source code and legitimate digital certificates for software. Kaspersky senior security researcher Kurt Baumgartner told Polygon that the Winnti trojan horse has infected more than 30 online game companies in Southeast Asia and game publishers worldwide.
In Kaspersky's report, the trojan was first detected in fall 2011 on a large number of computers used by players of an undisclosed online game. Symantec named the trojan "Winnti" and that name was later used to identify the group behind the attacks.
According to Kaspersky, the group's standard operations involve taking digital certificates and using them to sign malware to attack other targets. The security company believes the certificates are then used by a hacking group based in China, or sold on the Chinese black market.
"It seems like the goal of the attackers is to focus on the gaming companies, steal their digital certificates and maintain their stealth," Baumgartner told Polygon. "We haven't seen them going after the end user. Instead they are harvesting these digital certificates."
The digital certificate of Korean online vendor KOG was used in one of the attacks and with Kaspersky's help, that particular vector was closed. Another certificate, which originally came from online game operator YNK Korea's Japanese subsidiary, was attached to a trojan used against South Korean social networks Cyworld and Nate in 2011 and against Tibetan and Uyghur activists last month.
Baumgartner told Polygon that one of the reasons the Winnti group may be targeting online game companies is because those companies have digital certificates from around the world due to their global operations. Another reason is the collection of online game currency, which can then be sold to other players for real currency.
"We're not entirely certain why they're focused on gaming, but it's definitely a pattern," he said.
"Members of the Winnti team are patient and cautious. Cybercriminals have affected the processes of the online games from the infected companies and stolen money from them for years, but they have found ways of doing this without attracting attention to themselves," says the report.
The group is still active, but Kaspersky hopes the release of its report will help other companies protect themselves from possible intrusions.