July 1, 2022

Hackers Target Videogame Publishers for Ransom, Source Code

Gamers have struggled for years with hackers who cheat and take over accounts. Now, videogame studios are coming under serious attack, prompting them to step up their cyber defenses.

Electronic Arts Inc. said Thursday it was breached by hackers recently, confirming an earlier report by technology news outlet Motherboard. That followed a disclosure by Polish game developer CD Projekt SA in February of a ransomware attack and a similar invasion of systems at Capcom Co. Ltd. last November.

Each attack involved data theft, with schedules for coming Capcom releases posted on darknet forums for games including Resident Evil Village and Street Fighter.

Hackers claim to have pilfered the source code for popular games such as EA’s FIFA series and CD Projekt’s Cyberpunk 2077, and the libraries of code and digital assets known as game engines used to create them.

Rather than demanding ransom to not publish the source code, the hackers have instead said they would auction it on the darknet.

“When you have the keys to the kingdom, and you understand how the code is being written and how the applications are being used, that’s obviously more visibility than I think anybody would want,” said Mark Ostrowski, head of engineering at Check Point Software Technologies Ltd., a cybersecurity provider that has worked with videogame companies on their security, including EA.

In response to the ransomware attack, CD Projekt said in a statement on June 10 that it redesigned its core information-technology infrastructure, upgraded firewalls, expanded its internal security team and engaged third-party specialists to assist with cybersecurity. A spokeswoman for the company didn’t respond to a request for comment.

A spokeswoman for EA said the company lost a limited amount of game source code and related tools during its attack, and it doesn’t believe player data was at risk. EA has a full-time internal penetration testing team in place, she said, and is following best practices such as those outlined in President Biden’s May 12 executive order on cybersecurity.

Capcom said in an April 13 report that it had upgraded its technology and created a committee to oversee cybersecurity. A spokeswoman for Capcom referred queries on the attack to the company’s report.

Videogame studios, however, face a number of challenges unique to their industry. The need to consistently stream large volumes of data into and from servers, which power online gaming, means security tools are often customized for a studio.

Additionally, the digital nature of prized assets, such as source code, means that were a hacker to break in, crucial intellectual property can be targeted and stolen.

“There’s not a single gaming company out there that does not focus on asset protection in some way,” said Steve Ragan, a security researcher at cybersecurity company Akamai Technologies Inc. who specializes in the videogame market.

High turnover of staff in the videogame industry, where entire teams can be hired for contract work or laid off after a project is completed, means that managing user access to sensitive systems can be challenging, said Eric Milam, vice president of research and intelligence at technology company BlackBerry Ltd.

That increases the risk that accounts with access to sensitive data may remain open, or that disgruntled former employees may present insider risks, Mr. Milam said. “Just because they let those people go doesn’t mean those people forget about how to access certain things,” he said.

Hackers could sell source code or use it to launch attacks in a number of ways, according to researchers. For instance, by tapping into the core functions of a game, hackers could build tools that let them pose as support staff and then send phishing email to gamers to gain access to accounts to exploit or sell on the darknet, said Hank Schless, a senior manager at cybersecurity company Lookout Inc.

Additionally, alternate versions of games containing malware could be distributed to gamers, Mr. Schless said. Popular app stores such as Alphabet Inc.’s Google Play and Apple Inc.’s iOS App Store have strong protections, but such impostor versions of games could sell on third-party platforms with weaker oversight, he said.

Criminals may also be able to develop tools that wreak havoc on games, Mr. Ragan said. “If you’re in the market for selling cheats and cracks for a certain game, the source code is going to help you identify ways to bypass protections. That’s the really big fear,” he said.

While cheating disrupts enjoyment from gaming, it also puts growing revenue from esports at risk if sophisticated tools become widespread.

Gaming research company Newzoo International B.V. estimated in March that revenue from the esports market will top $1 billion in 2021 for the first time, with a global audience of 474 million people. The videogame industry as a whole generated revenue in excess of movies and U.S. sports combined in 2020, according to estimates from market research company International Data Corp.

Ongoing updates, subscriptions and in-game economies, known as live services, also provide a lucrative source of revenue for games far beyond their initial sale value, and could be vulnerable to hackers through attacks on gamers or attacks engineered by analyzing a game’s source code.

EA’s live services accounted for 71% of its net revenue, at just over $4.01 billion, in its 2021 fiscal year, according to regulatory filings. Around $1.62 billion of that came from FIFA’s Ultimate Team mode.

EA’s spokeswoman said the company doesn’t expect the recent attack to have a material impact on its games or business.

Write to James Rundle at [email protected]

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.
