In a story by Wired’s Andy Greenberg, the website reported a concerning development in cybersecurity. Rather than target a lone device or network, hackers are targeting the companies that distribute code to the victims. Hackers corrupted tools used by three different game developers. The program in question, Microsoft Visual Studio, is popular for developing video games. Kaspersky and ESET point to a targeted attack on developer devices, an attack even bolder than the one performed on Asus earlier this year.
Because the tools used by the developers themselves were compromised, the infection quickly and easily spread to any consumer who used their product. These subtle breaches of security are difficult to detect and thwart. If the product reaches the market and the malware remains undetected and unpurged, it can cause a much larger breach. After using the compromised tools, the three companies digitally signed their products. This marked their products as legitimate and safe, although they still contained malware.
Director of Kaspersky’s Asia-focused research, Vitaly Kamluk, had this to say on the threat:
“I’m afraid there are many software developers out there who are completely unaware of this potential threat, this angle of being attacked. If their most trusted tools are backdoored, they’ll keep producing compromised executables, and if they digitally sign them, they’ll be trusted by users, security software, and so on. They found a weak spot of the global developer community, and that’s what they’re exploiting.”
Kaspersky and ESET name two different studios, leaving the third currently unknown. The first developer is Electronics Extreme, a Thai studio. Their infected product, aptly named Infestation, features an undead plague. The second developer, Korean firm Zepetto, also faces the threat of malware in their products. Some copies of their first-person shooter PointBlank have malware bundled with the game.
Altogether, Kaspersky’s antivirus software detected malicious copies of the games on approximately 92,000 computers. This, however, is a very conservative estimate according to the company. ESET estimates the number of affected devices in the “hundreds of thousands.” The overwhelming majority of known infected machines are in Asia. ESET estimates just over half are located in Thailand, with smaller percentages in the Philippines and the island of Taiwan, and scattered infections in Hong Kong, Indonesia, and Vietnam. At the moment, the malware uploads a machine’s identifying number to the hackers’ server. Rather than bricking machines, it seems its current goal is reconnaissance.
Kaspersky and ESET both note that the malware stops executing on machines set to either Russian or the Simplified Chinese used in mainland China. Kamluk notes that Kaspersky discovered the malware this January. The compromised version of Microsoft Visual Studio contains a malicious linker, the tool that connects different parts of code when compiling source code. Kaspersky suspects the attacks belong to a larger campaign, dubbed “ShadowHammer,” linking it to the Asus attacks earlier this year. The company believes it is part of a larger spying campaign, basing its belief on similarities in coding style. Unlike malware campaigns of ages past, both companies believe the attacks specifically targeted developers because of the domino effect. Kamluk urges developers to be more vigilant.