Cyber Incident Victim: Gravity
Date: Jan 2020
Location: South Korea
Summary
Chinese operators associated with the Winnti group (APT41) targeted a South Korean video game developer with a new malware strain, dubbed the Winnti Dropper, whose job is to stage additional malicious payloads on an infected host. The targeting was identified from the malware's embedded configuration, which explicitly referenced the victim company; whether the intrusion actually succeeded has not been confirmed. The group has a documented history of attacking gaming firms, particularly in South Korea and Taiwan, often monetising compromised systems through theft or manipulation of in-game virtual currency, with that financially motivated activity frequently taking place outside normal working hours.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
In early 2020, Gravity Co., Ltd., the South Korean developer of the *Ragnarok Online* MMORPG, was the target of an intrusion attempt attributed to the Chinese state-sponsored threat actor Winnti (also tracked as APT41, BARIUM, or Blackfly). Security firm QuoIntelligence (QuoINT) uncovered the activity in April 2020 while analysing a new malware variant it named the "Winnti Dropper." The dropper's purpose is to stage further payloads on an infected system; its embedded configuration contained the string "GRAVITY," which QuoINT read as the campaign or target identifier naming the company. QuoINT attributed the sample to Winnti on the basis of its characteristics and the group's historical targeting.

QuoINT placed the intrusion attempts earlier in 2020 but could not be more precise, and neither Gravity nor QuoINT confirmed whether the compromise succeeded. Gravity did not respond to media inquiries about whether it was aware of the incident or had detected a breach. The dropper's function is consistent with the group's established tradecraft, in which initial access is used to deliver follow-on malware for prolonged access to the victim network. A victim name in a malware configuration demonstrates intent to target, not a completed compromise, which is why the outcome here remains unresolved.
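The discovery described above rests on one triage step: finding a victim or campaign identifier embedded in a dropper's configuration. The following is an added example of that check, written for this page rather than taken from QuoINT or the Winnti Dropper itself. It searches a sample for a watchlist of organisation names both in plaintext and under single-byte XOR obfuscation (a common, cheap way droppers hide strings from a plain `strings` run). The sample bytes, the `campaign=` tag, the XOR key, and the config layout are all constructed assumptions and say nothing about the real Winnti Dropper's format.

```python
"""Triage helper: find watchlist identifiers embedded in a dropper sample.

Added example, not QuoIntelligence's tooling and not the Winnti Dropper's
real configuration format. The sample below is constructed; the layout (a
plaintext tag followed by an identifier obfuscated with a single-byte XOR
key) is a hypothetical stand-in for a real dropper's config block.
"""
import re
from typing import List, NamedTuple


class ConfigHit(NamedTuple):
    term: str      # watchlist term that matched
    offset: int    # byte offset of the match in the raw sample
    xor_key: int   # single-byte XOR key that revealed it; 0 means plaintext


def _xor(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (key 0 is the identity)."""
    return bytes(b ^ key for b in data)


def find_watchlist_terms(sample: bytes, watchlist: List[str]) -> List[ConfigHit]:
    """Return every occurrence of a watchlist term in `sample`, whether stored
    in plaintext (key 0) or obfuscated with any single-byte XOR key (1..255).

    Matching is case-sensitive and terms shorter than 4 bytes are skipped:
    trying 255 keys against a short term would produce chance hits.
    """
    patterns = [
        (term, re.compile(re.escape(term.encode("ascii"))))
        for term in watchlist
        if len(term) >= 4
    ]
    hits: List[ConfigHit] = []
    for key in range(256):
        decoded = sample if key == 0 else _xor(sample, key)
        for term, pattern in patterns:
            for match in pattern.finditer(decoded):
                hits.append(ConfigHit(term, match.start(), key))
    return sorted(hits, key=lambda h: (h.offset, h.xor_key))


# Constructed sample (hypothetical): a fake header, a plaintext "campaign="
# tag whose value is XOR-obfuscated with key 0x5A, and an unrelated mutex
# name. A naive `strings` run would not show the target name.
_CONSTRUCTED_KEY = 0x5A
SAMPLE = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 16
    + b"campaign=" + _xor(b"GRAVITY", _CONSTRUCTED_KEY)
    + b"\x00" * 8 + b"mutex=Global\\svc_example"
)

# Constructed watchlist of organisation names worth flagging in this context.
WATCHLIST = ["GRAVITY", "Ragnarok", "Electronics Extreme"]


if __name__ == "__main__":
    for hit in find_watchlist_terms(SAMPLE, WATCHLIST):
        how = "plaintext" if hit.xor_key == 0 else f"XOR 0x{hit.xor_key:02x}"
        print(f"{hit.term!r} at offset {hit.offset} ({how})")
```

A hit from this check shows only that the operator named the organisation in the malware's configuration, i.e. targeting intent. Confirming an actual compromise still requires evidence from the victim's own hosts and network, which is exactly what was missing in the Gravity case.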

Winnti's targeting of Gravity continued a years-long pattern of attacks on the gaming industry, particularly companies in South Korea and Taiwan. Reports from Kaspersky (2018), ESET (2019), and FireEye (2019) had previously documented the group's theft of code-signing certificates, backdooring of legitimate game software, and manipulation of virtual currencies for profit. FireEye observed that this financially motivated activity fell outside the group's state-aligned espionage tasking and was timed outside working hours, suggesting individual members moonlighting for personal gain. Prior victims included Electronics Extreme, developer of *Infestation*, one of at least three Asian studios whose games ESET found had been trojanized by Winnti. The Gravity incident fits this dual motivation, state-sponsored capability alongside criminal profit-seeking, although no specific financial or data theft was confirmed in this case. With no public disclosure from Gravity, the operational impact remains unknown; what the malware's discovery does establish is Winnti's continued focus on the gaming sector.
