Jumping from Taiwan to Germany without getting up from a chair: how the Winnti group spreads worldwide
Dmitry Tarakanov, Kaspersky Lab
Discovered in 2011, the notorious APT group Winnti is still active and shows no sign of slowing down. Although the group mostly hacks companies in the online-gaming and IT industries, mainly in Asia, it appears to have no objection to covering the whole world: Japan, Taiwan, Russia, Germany, the United Kingdom, the United States, Canada and Brazil are examples of countries where Winnti infections and hacks have already been spotted.
Nowadays many business models require international collaboration, and online gaming is one of them: partnerships between entities in different countries are common practice. Companies open communication and technical channels to each other, so the compromise of one partner imperils the other: attackers easily jump from the compromised network into a partner company that suspects nothing.
I will describe a recent example of such a breach: exactly how Winnti hackers got from a Taiwanese game-development firm into a German company, how they acted, and which tools they rolled out in the new environment. And, of course, which measures made it possible to notice the uninvited guests. I will also describe Winnti's ultimate goal, how they monetize the compromise of video-game companies, and what these companies are concerned about in relation to the constant hacking attempts.
Dmitry started as a Virus Analyst at Kaspersky Lab in 2009 and has grown into a seasoned security researcher specializing in understanding and combating targeted attacks. During several years in the Global Research and Analysis Team he researched APT campaigns, discovered new ones, and tracked APT groups and their tools. He now focuses mostly on detecting the malware used in APT attacks and on improving Kaspersky Lab's perimeter security solution.