Video games are a billion-dollar business, and hackers are starting to take notice, the Justice Department warned Wednesday. The agency announced charges against five Chinese hackers and two Malaysian tech executives who it tied to a six-year campaign against multiple video game companies.
The five from China — Zhang Haoran, Tan Dailin, Qian Chuan, Fu Qiang and Jiang Lizhi — are allegedly responsible for hacking more than 100 entities, including social networks, telecommunications providers, universities and nonprofit organizations. While these are common targets for nation-state hackers, the attacks on video game companies raise a new concern for the Justice Department.
“We see this as unfortunately a new area in which hackers are exploiting, and it’s a billion-dollar industry,” Michael Sherwin, acting US attorney for Washington, DC, said at a press briefing. “There’s a lot of coins, tokens, digital currency involved in a lot of these online games.”
Video games drive robust sales, reaching $1.2 billion in July. Fortnite, which is a free game, took in $2.4 billion in revenue from in-game purchases in 2018. For hackers, it’s an industry ripe for profits through cyberattacks.
“This is a new target-rich environment,” Sherwin said, calling the scope and sophistication of these attacks “unprecedented.”
The hacking campaign began in June 2014 and ran until this August, Justice Department officials said. It affected video game companies based in the US, South Korea, Japan and Singapore.
The group of Chinese hackers, known to the government as APT 41, allegedly gained access through multiple methods, including brute force attacks, spear-phishing and supply chain attacks. In a brute force attack, hackers guess possible passwords until one works.
“APT41 has been involved in several high-profile supply chain incidents which often blended their criminal interest in video games with the espionage operations they were carrying out on behalf of the state,” said John Hultquist, senior director of analysis at cybersecurity company FireEye. “For instance, they compromised video game distributors to proliferate malware which could then be used for follow-up operations.”
One video game company, based in California, was breached after the hackers sent an email pretending to be a former employee, with a malware-laced resume attached, according to the court documents.
Justice Department officials also noted that the supply chain attacks didn’t just affect the video game companies, but reached multiple corporations around the world. The Chinese hackers would compromise software used by major companies and gain access through malicious backdoors they created, officials said.
Once the hackers had access to a video game company, according to the Justice Department, they would modify its databases to generate certain items or virtual currency for themselves and then sell them through a marketplace called SEA Gamer Mall, a company based in Malaysia.
Its CEO, Wong Ong Hua, and its chief product officer, Ling Yang Ching, are accused of working with the Chinese hackers to sell the virtual items on their platform. Malaysian police arrested the two on Monday, and the US government is seeking extradition.
SEA Gamer Mall issued a statement Thursday and said that the company has “never engaged in any illegal activity.”
Prosecutors said that Ling joined a Facebook group labeled as a black market for one of the hacked games, which he used to promote the sale of virtual items.
It’s unclear how profitable the effort was, but investigators found 3,779,440 in an unknown currency transferred to one hacker’s bank account in 2014.
In July 2017, the hackers started targeting games based in the US and Europe after finding low revenue on games based in Southeast Asia, according to court documents.
With access to the video game companies’ internal network, the attackers were also able to stay a step ahead of the companies’ fraud detection. The hackers monitored those protections and frequently worked around them to continue their campaign, Justice Department officials said.
The hackers had access to 25 million records of customers’ names, addresses, password hashes, emails and other personal information.
According to court documents, the hackers also used their access to sabotage their competition in video game sales.
Deputy Attorney General Jeffrey Rosen said the Justice Department worked with Google, Microsoft, Facebook, Verizon and other tech companies to stop the hacking campaign. That included shutting down fake pages designed to look like Google and Microsoft logins and taking down VPNs the hackers used to hide their tracks.
“We have used every tool at the department’s disposal to disrupt these APT 41 activities,” Rosen said.