Kaspersky experts continue to analyze the cyberattacks

Apr 15, 2013 14:38 GMT

Kaspersky continues to analyze the attacks launched by the Winnti cybercriminal group on South East Asian organizations from the gaming industry. Last week the researchers found a link between those attacks and the ones against Tibetan and Uyghur activists; today they have reported new findings.

According to the security firm, one month after they had cleaned up one of the targeted gaming company’s networks, the criminals started launching new attacks.

They used spear-phishing emails to trick the organization’s employees into installing malware. At first, they pretended to represent game development companies from the United States. Later, they changed their tactics and sent emails that appeared to come from other employees of the firm.

In the second round of attacks, however, the malware they sent belonged to the notorious PlugX family.

Experts believe that the cybercriminals who have used the PlugX malware in attacks against political and governmental targets are somehow related to Winnti. Several clues indicate a link between the two (see screenshot).

It is uncertain whether two separate groups are involved, or whether a single organization combines both the Winnti collective and the one that targets governments.

“Perhaps some group members have worked on both projects; some may work in one group and then move to another, bringing their experience and material – this may also explain the intersection,” Kaspersky Lab Expert Dmitry Tarakanov explained.

“It is obvious that the targeted attacks business is booming in China. There’s little doubt that there’s some form of cooperation between some gangs such as sharing information and tools, and even group members,” Tarakanov added.

“Ordinary employees probably migrate from one criminal group or organization to another. It is clearly a challenging situation, and is only likely to improve with the political will and the intervention of law enforcement agencies.”