The United States Justice Department announced charges today against five Chinese hackers for their role in spying on and stealing millions of dollars from over a hundred companies around the world. But of the several indictments released by the department, one details an elaborate scheme involving these hackers and two Malaysian businessmen to illegally gain access to various online games, generate fake items, and then sell them for real-world profit online.
The Chinese hackers in question belong to a group known as APT41 (also called Barium) that has been at large since early 2012 and is widely believed to work—at least in part—with the Chinese government. APT41 is accused of breaking into hundreds of networks around the world, ranging from universities to foreign government agencies, to spy and steal using methods like ransomware and phishing. Just last year, for example, APT41 allegedly hijacked Asus’ Live Update software to install backdoors on potentially hundreds of thousands of computers using Asus’ own servers. Now the US government has named the five suspects and charged them with several dozen counts of fraud and identity theft.
Though it’s unlikely that they’ll ever be extradited to the United States, the indictments connect APT41 with a number of major security breaches affecting companies like CCleaner. “These were some of the most massive supply chain attacks in history,” Costin Raiu, the head of security firm Kaspersky’s Global Research & Analysis Team, told Wired. “Connecting these guys with those attacks is very significant.”
But what’s particularly fascinating is that one of the indictments explains how APT41 worked with a website known as SEA Gamer to compromise the networks of at least nine major game companies in the US, France, South Korea, and Japan over the past several years. The report does not reveal which companies were affected, however. The two Malaysian owners of SEA Gamer, named Wong Ong Hua and Ling Yang Ching, have already been arrested by local authorities, and the Justice Department is seeking their extradition so they can be tried in federal court, according to Wired.
You can read the indictment yourself, but the 50-page report lays out a comprehensive and elaborate scheme where APT41 hackers infiltrated networks and databases owned by nine unnamed game companies using malware, phishing emails, and identity theft. “Their tradecraft also included more sophisticated methods, including stolen software signing certificates which fraudulently asserted that malware was legitimate software authored by legitimate companies, as well as ‘supply chain attacks,’ through which the hackers victimized software development companies and then fraudulently modified those companies’ software to include malicious code, thereby enabling the computer hackers to compromise the companies’ customers,” the indictment, as uploaded by Wired, reads.
Once inside the network, the hackers could duplicate items and currency and place them in accounts that SEA Gamer had either created manually or stolen from legitimate players. Those items would then be sold through SEA Gamer to other players. To stop the game companies from catching on to what was happening, APT41 would “monitor the victim companies’ fraud detection personnel.” In some cases, APT41 would identify the specific algorithms and procedures a company used to tell when someone was selling ill-gotten gold, and help SEA Gamer devise methods that avoided detection.
The indictment even says that APT41 was using its illegal access to game company networks to “take action” against unrelated hacking groups that were attempting to do the same thing, effectively eliminating the competition.
It’s not clear just how much money was being made from this racketeering business, but one passage in the indictment says that in 2015, one of the hackers received a payment from SEA Gamer in undisclosed currency totalling almost 3.7 million—but whether that was in US dollars, yen, or something else isn’t clear.
It’s also frustrating that the report doesn’t name which of the nine game companies were affected, but it does provide some clues in listing where the “protected computers” of each company were primarily located. One of the US companies that was compromised, for example, is a child company of another South Korean game company that was hit by APT41 and has computers based in Washington and Illinois, according to the indictment.
Regardless of who was involved, the idea that a scheme like this was happening might sound like science fiction, but according to Acting US Attorney for the District of Columbia Michael Sherwin, this likely isn’t the first or last we’ll hear of this kind of cybercrime. “We see this as unfortunately a new area in which hackers are exploiting, and it’s a billion-dollar industry. I’m sure this isn’t the end.”
If you want to learn more about how online games are being exploited for cybercrime, you can check out this interview I had with cybersecurity expert Jean-Loup Richet about how money laundering works in MMOs like World of Warcraft and EVE Online.