TG-3279 Hackers Set Sights on Video Games

If you thought cyber attacks were limited to critical websites, you’re in for a surprise. According to Dell Secureworks, the video games industry is the latest victim of cyber crime. A group of hackers, the Threat Group-3279 (TG-3279), is hunting down some of the most renowned video games for their source code.


Photo: Minerva Studio / Shutterstock

Developing Similar Games

The source code, once acquired, equips the hackers to come up with either cheat codes or similar games to occupy the market.

TG-3279 uses a number of indigenous tools to attack the target application. Among these, the major ones are called Conpee (a remote access Trojan) and Etso (a rootkit). While studying the affected applications, Secureworks came up with a number of distinguished indicators that assert the involvement of TG-3279. Some of the major footprints left behind by this hacker group on any application are the Etso rootkit, Runxx, and scripts such as sqlin.php and

While it hasn’t been established that TG-3279 is making use of any malware for their attacks, Secureworks believes that the group still takes the manual route when it comes to attacking the application, and follows the ‘hands-on-keyboard’ method.

Most of the applications attacked by TG-3279 possessed a digital certificate, which was originally the property of a known technology company based in China. Although this certificate was revoked in 2012, it is still validated successfully by a number of systems lacking an updated version of the CRL (Certificate Revocation List).

Two malware developers, using ‘Sincoder’ and ‘Laurentiu Moon’ as their alias, have been identified as members of TG-3279. Sincoder has a Gmail account and the information from the account shows that they are located in China, although this information might be wrong. Laurentiu Moon has a number of online profiles, including a Google+ account and a presence in the Steam community.

There is significant proof of their association with CCG (China Cracking Group) which mostly targets video games by violating their digital rights.

TG-3279 is also believed to have gelled up with another hacking group from China, Winnti, which focuses on cracking major online video games. Winnti’s exploits were studied extensively in 2013 by the experts from Kaspersky Lab.

What makes TG-3279 even more intimidating, is that the group sticks to an infiltrated application and enhances its attack with more updated tools, some of which come with legitimate certificates.

Certificate Signing

Whenever a user wants to install an executable file in Windows 7, the operating system checks for a valid digital signature and matches it against the Certificate Authorities. If the signatures match, the file is executed without seeking any additional permission from the user. The files used by TG-3279 on Windows 7 are found to contain valid signatures. The signatures were accompanied by a certificate from a Chinese technology company. Interestingly, the date mentioned on the company’s certificates is exactly the same as the date on which these files were copied to the attacked server (February 19, 2013).

According to the CTU researchers, the said certificate was revoked about six months before it was used by TG-3279. If the server under attack had an updated current certificate revocation list, this certificate would have been termed as ‘invalid’ by Windows 7.

The modus operandi for TG-3279 includes gaining access to the accounts held by the system/network administrators. Once successful, the group makes use of some critical hosts to assist the execution of its pet tools, Etso and Conpee. The next step involves inserting some key system tasks so that the critical parameters are collected by pwdump6.

How to Detect an Attack

Although TG-3279 has been ominous and stealthy in its approach, there are still a number of measures that can help you prevent/detect an attack by this group on your application/host.

  • You must ensure that your system is equipped with the current Certificate Revocation List.
  • The system must use a host-based file profiling system so that it can easily detect a new DLL file addition or any changes in the existing files.
  • One of the first steps taken by the TG-3279 while attacking a system is ‘turning off’ the domain names. To counter this, you must keep an eye on the DNS lookup. The NX-domains lookups must also be carefully monitored.

According to CTU researchers, the malware developers, Sincoder and Laurentiu Moon, might have developed the tools employed by TG-3279. This hacking association tries to obtain the source code behind famous video games to develop cheat patches or similar applications. Although there are a number of common links joining TG-3279 and Winnti (TG-2633), nothing concrete can be deciphered about their connection as of now. It is also believed that the TG-3279 will continue with its hacking operations.