The security industry is waking up to the insidious threat posed by software supply chain attacks, where hackers don't attack individual devices or networks directly, but rather the companies that distribute the code their targets use. Now researchers at security firms Kaspersky and ESET have uncovered evidence that the same hackers who targeted Asus with that sort of supply chain hack earlier this year have also targeted three different videogame developers—this time aiming even higher upstream, corrupting the programming tools game developers depend on.
Just weeks after revealing the Asus incident, in which hackers hijacked the computer company's software update process to silently infect customers with malicious code, Kaspersky researchers have connected it to another set of breaches. The same hackers appear to have corrupted versions of the Microsoft Visual Studio development tool, which three different videogame companies then used in the development process. The hackers could then plant malware in those games, likely infecting hundreds of thousands of victims with a backdoored version of the programs.
Kaspersky researchers say that both the Asus and videogame cases are likely part of a much broader web of interlinked supply chain hacks, one that also includes the hijacking of antivirus software CCleaner and the server management software Netsarang in 2017.
The videogame attacks in particular represent a looming blind spot for many software companies, says Vitaly Kamluk, Kaspersky's director of Asia-focused research. After using the malicious Microsoft development tools, each of the compromised gaming companies then digitally signed their games before distributing them, marking them as legitimate even though they contained malware. That represents an escalation over the Asus case, for instance, where hackers altered the update files after they were created, and used a compromised Asus server to sign them with the company's key.
"I’m afraid there are many software developers out there who are completely unaware of this potential threat, this angle of being attacked," Kamluk says. "If their most trusted tools are backdoored, they’ll keep producing compromised executables, and if they digitally sign them, they’ll be trusted by users, security software, and so on. They found a weak spot of the global developer community, and that's what they're exploiting."
Kaspersky and ESET both say Thai gaming company Electronics Extreme was one of the firms targeted in the attack; its zombie-themed game—ironically named Infestation—carried the malware. Kaspersky on Tuesday named Korean firm Zepetto as another victim, and its first-person shooter PointBlank as a second game that had in some instances been laced with malware. Both firms have so far declined to name the third victim.
"Software developers should ask themselves, where does your development software come from?"
Vitaly Kamluk, Kaspersky
In total, Kaspersky antivirus detected 92,000 computers running the malicious versions of the games, though it suspects there are likely far more victims. ESET in March put the number as high as "hundreds of thousands." Almost all the known infected machines were in Asia, according to ESET, with 55 percent in Thailand, another 13 percent in the Philippines and Taiwan each, and smaller percentages in Hong Kong, Indonesia, and Vietnam. "I believe it’s just the tip of the iceberg," Kamluk says.
Both Kaspersky and ESET also note that the malware is carefully designed to stop executing on any machine configured to use Russian or the Simplified Chinese used in mainland China, where some security researchers have suspected the supply chain attackers are based since their 2017 attacks.
Kaspersky first spotted the videogame malware in January, according to Kamluk, when the company started scanning for code that looked similar to the backdoor they'd found installed by the hijacked ASUS updates. The investigation led to a compromised version of Microsoft Visual Studio that included a malicious "linker," the element of the Microsoft tool that connects different parts of code together when source code is compiled into a machine-readable binary. The new, evil linker integrated malicious code libraries into the resulting compiled program instead of the usual innocent ones.
Kamluk says it's still not clear how hackers tricked the victim companies into using the corrupted version of the Microsoft developer tool. It's possible, he says, that the firms' programmers had downloaded pirated versions of Visual Studio from message boards or BitTorrent, as occurred in a similar instance when Chinese developers used a malicious version of Apple's XCode tool in 2015. But he suspects, based on the currently known targeting of just three companies and only specific games, that the hackers may instead have actually breached their targets and planted their malicious version of Visual Studio on specific developer machines.
"I think it's more logical to speculate that hackers breached the companies first, then pivoted inside the network, looked for software engineers who worked on important executables, and backdoored compilers on site, in place," he says.
Rather than indiscriminately planting crimeware on as many machines as possible, the videogame hackers appear to be performing reconnaissance. The malware seems to be a first-stage trojan that simply gains a foothold and uploads a unique identifier for the machine back to the hackers' server, so they can decide which computers to target later with a second-stage tool. The linked Asus attack was similarly exacting, designed to install its payload malware on just 600 specific computers out of the hundreds of thousands it could have infected.
Kaspersky found evidence that the Asus and videogame attacks, which it collectively calls ShadowHammer, are likely linked to an older, sophisticated spying campaign, one that it dubbed ShadowPad in 2017. In those earlier incidents, hackers hijacked server management software distributed by the firm Netsarang, and then used a similar supply chain attack to piggyback on CCleaner antivirus software installed on 700,000 computers. But just 40 specific companies' computers received the hackers second-stage malware infection.—including Asus.
Kaspersky has based those connections on similarities in the hackers' code, the shared focus on supply chain attacks and distributing digitally signed malware, and one more revealing fingerprint: Both the CCleaner attack and the videogame firm breaches used compromised servers at the Korean Konkuk University as a command-and-control server. The two computers in the two breaches were even on the same part of the university's network, Kaspersky's Kamluk says. (Though Kaspersky hasn't attributed the attacks to any particular country, that link would suggest China's involvement, given that other security firms including Intezer Labs have pointed to Chinese calling cards in the earlier round of breaches.)
That ongoing series of attacks signals a group of aggressive hackers bent on serially corrupting software's supply chain, so that even trusted sources are turned into distributors of malware. But of those attacks, the videogame hijackings start closest to the source. They should also serve as a warning, says Kamluk. "Software developers should ask themselves, where does your development software come from? Is it a trusted source, is it official, is it untampered? When was the last time that software development companies checked the integrity of the compiler they're using?" he asks. "I have a feeling no one does this at all. And that’s why we have a problem escalating now to a bigger number of victims."