SAN FRANCISCO (Reuters) - Cybersecurity researchers have uncovered a Chinese hacking ring that they said broke into the servers of dozens of online videogaming companies and stole valuable source code over a four-year period.
Kaspersky Lab warned on Thursday that an organization it christened “Winnti” had infiltrated the servers of at least 35 game developers and publishers, mostly in East Asia including South Korea, but also in Germany, the United States, Japan, China, Russia, Brazil, Peru, and Belarus.
The cybersecurity firm said it found evidence that the hackers attempted to steal proprietary software code, possibly to develop pirated versions of online games, or to steal in-game currency that can be converted into real money.
The campaign, which began in 2009 and is still active today, had an unusually wide reach because it targeted so-called “massively multiplayer games,” which can involve millions of users across different countries, according to Kaspersky.
The victims include South Korea’s Neowiz, Mgame Corp, Nexon Corp and privately held U.S.-based Trion Worlds, Kaspersky said.
Neowiz did not respond to requests for comment, while Trion and Nexon declined to comment. Mgame said it had no immediate comment.
Kaspersky said it was unclear how much damage the hackers caused in the campaign. Kaspersky was not given full access to all the infected servers, but some gaming companies reported malicious software in certain processes that suggested the hackers manipulated virtual currencies -- such as the “gold” that games typically accumulate in online role-playing games.
“We could not verify, but one obvious possibility would be to manipulate (the) internal state of the game to the advantage of the attackers,” said Kaspersky Lab’s senior security researcher, Kurt Baumgartner.
He said the hackers stole digital certificates, which can be used to authenticate software and gain access to computers. There was evidence that some of the digital certificates that Winnti stole were used by other groups with different agendas. For example, the certificates were used to spy on the computers of Tibetan and Uyghur activists, Baumgartner said.
“We believe that the source of all these stolen certificates could be the same Winnti group. Either this group has close contacts with other Chinese hacker gangs, or it sells the certificates on the black market in China,” Kaspersky Lab said.
Major corporations around the world have lost data to hackers in China and elsewhere for years. But the number of companies publicly admitting such breaches has been growing. Apple, Microsoft, Twitter, and Facebook confirmed attacks in a recent campaign.
Kaspersky is still investigating Winnti. The Moscow-based security firm has discovered significant malicious software campaigns in the past, including one known as “Flame” that spied on industrial facilities in Iran.
The security firm was first called in to investigate in 2011 when malware was discovered on the computers of users across the globe, all of whom were players of a popular online game that it did not specify.
The malware was traced to a downloaded update from the unidentified game publisher’s servers.
Kaspersky found that the attackers had managed to install a trojan -- malware granting surreptitious access to compromised machines -- on the company’s servers. Closer scrutiny showed the group employed similar tactics against other game publishers.
Editing by Tiffany Wu and Leslie Gevirtz