
The security sector is waking up to the insidious threat posed by software supply chain attacks, where hackers don't attack individual devices or networks directly, but rather the companies that distribute the code used by their targets. Now researchers at security firms Kaspersky and ESET have uncovered evidence that the same hackers who targeted Asus with that sort of supply chain hack earlier this year have also targeted three different videogame developers—this time aiming even higher upstream, corrupting the programming tools relied on by game developers.
Just weeks after revealing the Asus incident—in which hackers hijacked the computer company's software update process to silently infect customers with malicious code—Kaspersky researchers have connected it to another set of breaches. The same hackers appear to have corrupted versions of the Microsoft Visual Studio development tool, which three different videogame companies then used in their own development. The hackers could then plant malware in certain games, likely infecting hundreds of thousands of victims with a backdoored version of the programs.
Kaspersky researchers say that both the Asus and videogame cases are likely part of a much broader web of interlinked supply chain hacks, one that also includes the hijacking of utility software CCleaner and the server management software Netsarang in 2017.
Game over

The videogame attacks in particular represent a looming blind spot for many software companies, says Vitaly Kamluk, Kaspersky's director of Asia-focused research. After using the malicious Microsoft development tools, each of the compromised gaming firms then digitally signed their games before distributing them, marking them as legitimate even though they contained malware. That represents an escalation over the Asus case, for instance, where hackers altered the update files after they were created, and used a compromised Asus server to sign them with the company's key.
"I’m afraid there are many software developers out there who are completely unaware of this potential threat, this angle of being attacked," Kamluk says. "If their most trusted tools are backdoored, they’ll keep producing compromised executables, and if they digitally sign them, they’ll be trusted by users, security software, and so on. They found a weak spot of the global developer community, and that's what they're exploiting."
Kaspersky and ESET both say Thai gaming company Electronics Extreme was one of the firms targeted in the attack; its zombie-themed game—ironically named Infestation—carried the malware. Kaspersky on Tuesday named Korean firm Zepetto as another victim, and its first-person shooter PointBlank as a second game that had in some instances been laced with malware. Both firms have so far declined to name the third victim.
"Software developers should ask themselves, where does your development software come from?" (Vitaly Kamluk, Kaspersky)
In total, Kaspersky antivirus detected 92,000 computers running the malicious versions of the games, though it suspects there are likely far more victims. ESET in March put the number as high as "hundreds of thousands." Almost all the known infected machines were in Asia, according to ESET, with 55 percent in Thailand, another 13 percent in the Philippines and Taiwan each, and smaller percentages in Hong Kong, Indonesia, and Vietnam. "I believe it’s just the tip of the iceberg," Kamluk says.
Both Kaspersky and ESET also note that the malware is carefully designed to stop executing on any machine configured to use Russian or the Simplified Chinese used in mainland China, where some security researchers have suspected the supply chain attackers are based since their 2017 attacks.
Dark link

Kaspersky first spotted the videogame malware in January, according to Kamluk, when the company started scanning for code that looked similar to the backdoor they'd found installed by the hijacked Asus updates. The investigation led to a compromised version of Microsoft Visual Studio that included a malicious "linker," the element of the Microsoft tool that connects different parts of code together when source code is compiled into a machine-readable binary. The new, evil linker integrated malicious code libraries into the resulting compiled program instead of the usual innocent ones.
Kamluk says it's still not clear how hackers tricked the victim companies into using the corrupted version of the Microsoft developer tool. It's possible, he adds, that the firms' programmers had downloaded pirated versions of Visual Studio from message boards or BitTorrent, as occurred in a similar instance when Chinese developers used a malicious version of Apple's XCode tool in 2015. But he suspects, based on the currently known targeting of just three companies and only specific games, that the hackers may instead have actually breached their targets and planted their malicious version of Visual Studio on specific developer machines.
"I think it's more logical to speculate that hackers breached the companies first, then pivoted inside the network, looked for software engineers who worked on important executables, and backdoored compilers on site, in place," he says.
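A swapped linker or dropped-in library of the kind described above is exactly what a pinned hash manifest of the build toolchain would expose before a release is built and signed. The script below is an added example, not code from the article or from Kaspersky or ESET; its file names, contents and the tampering it simulates are all constructed for the demo.

```python
"""Added example: verify a build toolchain against a pinned SHA-256 manifest.
Toolchain file names and contents below are constructed for this demo."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large toolchain binaries fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_toolchain(root: Path, manifest: dict) -> dict:
    """Compare every file under root with the pinned manifest.
    tampered: hash differs from the pin; missing: pinned file absent;
    unexpected: file on disk the manifest never listed (e.g. a dropped-in lib)."""
    report = {"tampered": [], "missing": [], "unexpected": []}
    seen = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            report["unexpected"].append(rel)
        elif sha256_file(path) != expected:
            report["tampered"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def demo() -> dict:
    """Pin a constructed toolchain, then swap its linker and re-verify."""
    root = Path(tempfile.mkdtemp())
    files = {"bin/cl.exe": b"constructed compiler bytes",
             "bin/link.exe": b"constructed linker bytes",
             "lib/msvcrt.lib": b"constructed runtime library"}
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    manifest = {rel: sha256_file(root / rel) for rel in files}  # trusted pin
    (root / "bin/link.exe").write_bytes(b"constructed linker with extra code")  # swapped linker
    (root / "lib/evil.lib").write_bytes(b"constructed unpinned library")       # dropped-in file
    (root / "lib/msvcrt.lib").unlink()                                          # removed file
    return verify_toolchain(root, manifest)
```

In practice the manifest is produced on a clean machine from vendor media and stored apart from the build hosts, so a compromised host cannot re-pin its own tampered files.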