Supply chain hackers have hidden malware in the tools used by video game developers, according to a new report from Wired.
Supply chain attacks – described as such when hackers don’t attack individual devices or networks directly but instead use other companies to distribute malicious code in software – have been discovered by security firms Kaspersky and ESET. So far, it’s thought three studios have been targeted by the same hackers that infected Asus’ update software earlier this year.
According to security firms Kaspersky and ESET, Thai gaming company Electronics Extreme was one such victim and it’s zombie-game, Infestation, planted malware in its players’ systems. Korean developer of FPS PointBlank, Zepetto, was also affected. Neither security company would confirm the name of the third studio affected by the hack. Interestingly, both companies believe the malware “is carefully designed to stop executing on any machine configured to use Russian or the Simplified Chinese used in mainland China”, supposedly because that’s where the supply chain hackers are based.
“I’m afraid there are many software developers out there who are completely unaware of this potential threat, this angle of being attacked,” Kaspersky’s director of Asia-focused research, Vitaly Kamluk, told Wired. “If their most trusted tools are backdoored, they’ll keep producing compromised executables, and if they digitally sign them, they’ll be trusted by users, security software, and so on. They found a weak spot of the global developer community, and that’s what they’re exploiting.”
This time, it appears the hackers have targeted developers via Microsoft Visual Studio, therefore planting malware and “likely infecting hundreds of thousands of victims with a backdoored version of the programs”. It’s unclear how the hackers corrupted the software, and while it’s possible the games may have been designed on pirated software, it’s more likely that the studios were specifically targeted.
“I think it’s more logical to speculate that hackers breached the companies first, then pivoted inside the network, looked for software engineers who worked on important executables, and backdoored compilers on site, in place,” Kamluk told Wired.
So far, Kaspersky antivirus software has identified 92,000 PCs infected by the malicious code smuggled into the games, though “it suspects there are likely far more victims”, probably “hundreds of thousands”. To date, it would appear the hack is chiefly contained to Asia; 55 per cent of those affected are Thai, 13 per cent from the Phillippines, 13 per cent Taiwanese, and others across Hong Kong, Indonesia, and Vietnam.
“Software developers should ask themselves, where does your development software come from? Is it a trusted source, is it official, is it untampered?” Kamluk added. “When was the last time that software development companies checked the integrity of the compiler they’re using? I have a feeling no one does this at all. And that’s why we have a problem escalating now to a bigger number of victims.”