With COVID-19 shutting down many popular forms of entertainment, millions of consumers stuck at home have increasingly turned to video games to stave off cabin fever, making the gaming industry an even more alluring target than usual for cybercriminals.
Indeed, a recent string of high-profile cyberattacks against prominent game developers such as Ubisoft, Capcom and WildWorks has reminded the industry that the threat has far from dissipated.
“Gaming companies are great targets for ad fraud, credential fraud, bots or distribution of malware through Trojan horse games,” said Robert Gates, threat intelligence analyst with IBM Security X-Force. At the same time, he added, gaming’s increasing share of media and entertainment dollars will make it a continued target for ransomware. In October, S&P Global Market Intelligence reported that the second quarter of 2020 was a boon for gaming platform providers like Nintendo, which shipped 5.7 million units during that period, and Microsoft, which doubled its year-over-year Xbox shipments.
So far, experts don’t believe this recent flurry of malicious activity against gaming companies is particularly unusual or an indicator of a new trend, nor do most of the incidents appear connected. But it does show that threats against gaming companies can come in many forms – and markets that succeed or fail on intellectual property or an “always on” business model continue to be attractive targets.
Ransomware & digital extortion
In October, the Egregor ransomware gang publicly leaked data that was apparently stolen from game-makers Ubisoft (France-based developer of Assassin’s Creed and Far Cry) and Crytek (Germany-based developer of Crysis and Warface). Reportedly, the culprits encrypted Crytek’s files and swiped documents from its game development division. They are also threatening to release the source code to Ubisoft’s eagerly anticipated title Watch Dogs: Legion – a game, ironically, that’s all about hackers.
The Egregor gang’s claim that it is in possession of Ubisoft’s source code has not been verified, but if true, that could spell trouble for the developer.
“The IP can be highly valuable to hold hostage because of its substantial core value to the gaming company and tremendous expense – creative time, substantial development, cloud infrastructure upgrades,” said Gates, who said it makes strategic sense for attackers to strike around the release of a major title such as Watch Dogs.
“Individual releases… attract new users and media attention, which could be undercut by a leak,” Gates continued. “All of this is to create pressure for the company to meet the ransom demand. The adversaries are counting on the company to weigh the cost of the game leaking and thereby losing potential revenue versus paying the ransom demand.”
If Ubisoft doesn’t pay up and the adversaries leak everything, “there are two main ways in which source code can be used maliciously,” said Renee Gittins, executive director at the International Game Developers Association (IGDA). “The first way is by using the source code to identify weaknesses and modifications that can be made, often to give a player an unfair advantage in online games or to attempt to affect users or their data through the game’s systems. The second method is using the source code to build the game itself, which can then be hosted for free downloads, which may undercut sales.”
In a statement provided to SC Media, Ubisoft said in reference to the Egregor gang: “We are aware on the group’s claim and are currently investigating a potential data security incident.”
User Data Theft
While stealing IP can be debilitating to a company, attackers can also inflict plenty of damage simply by stealing user data for the purpose of selling credentials and PII to enable account takeovers, credential stuffing attacks and phishing schemes.
“More and more games are featuring in-game transactions; thus, user accounts with valuable assets like in-game currencies are interesting targets,” said Mathieu Tartare, malware researcher at ESET.
On Nov. 4, Capcom, the company behind MegaMan, Resident Evil and Devil May Cry, disclosed in a notification that, due to an unauthorized intrusion, its networks “experienced issues that affected access to certain systems, including email and file servers.” The Japanese developer, which responded by temporary shutting down some of its internal operations, said that so far there is “no indication that any customer information was breached.”
Other companies haven’t been so lucky. Just this week, WildWorks, the Utah-based developer of the popular educational gaming website Animal Jam, disclosed an attack in which adversaries reportedly broke into a company Slack workspace and obtained an AWS key to access a database of 46 million customer accounts, which was subsequently uploaded onto a cybercriminal forum. (In a statement, a Slack spokesperson noted that the hack was achieve via “compromised WildWorks user credentials,” adding, There has been no breach to Slack’s infrastructure. This may have been the result of malware or the re-use of credentials previously exposed.”
Stolen information includes email addresses, usernames, passwords and other personal information. While the passwords were encrypted, weak passwords could be vulnerable.
“User credentials are easily monetized by attackers in dark web marketplaces. These user accounts may provide access to a treasure trove of information such as PII, CC payment details, and in-game currency,” said Gates.
The Animal Jam incident is especially sensitive because the hack endangers gamer accounts and perhaps email accounts used by children, even if these accounts were originally registered by the users’ parents.
“Although Animal Jam has stated that as a precaution all users will be required to reset their password on the next login, parents of children who play Animal Jam should ensure the safety of their children by updating [their] email addresses if possible and, if not, monitoring their children’s internet usage, including any emails received,” advised Andreas Theodorou, digital privacy expert at ProPrivacy.
Another longstanding threat to gaming platforms is the DDoS attack, which can disrupt online performance, perhaps just for the “lulz” or in more sinister cases for blackmail purposes. No doubt gamers remember when the Lizard Squad hacking group claimed responsibility for hacking the Xbox and PlayStation networks in the Christmas of 2014, much to the disappointment of users who were hoping to try out their newly gifted systems or games.
Attackers “have consistently targeted companies that need to always ‘be on,’ such as hospitals or local governments,” said Gates. For that reason, “companies that operate games 24×7 are great targets. Downtime for a company could lead to hemorrhaging of in-game revenue and customers to other platforms… Shutting down a game for a few hours or days could lead to customers going to other games and waste customer acquisition costs.”
Of all the industries represented in Akamai Technologies’ customer base, the gaming sector is the one most commonly targeted by DDoS attacks, according to a 2020 State of the Internet / Security report that Akamai issued last September. Between July 2018 and June 2020, the company observed over 152 million web application attacks in the gaming industry, and from July 2019 through June 2020, Akamai witnessed 3,072 DDoS attacks targeting the gaming industry.
“DDoS attacks are extremely common within the game industry and some of the most publicized attacks due to the size and timing of their targets,” said Gittins. Fortunately, “players have become increasingly understanding of services being down to such attacks.”
Among the most stealth malicious campaigns against video game companies are supply-chain attacks in which malicious actors compromise developers’ networks and then sabotage games with malware that can infect gamers’ machines.
“Trojanizing a video game is an efficient way of compromising thousands of players around the world. For example, the Winnti Group trojanized several videogames to mine cryptocurrencies and spy on players,” said Tartare, referring to a reputed Chinese APT group that has targeted gaming companies in South Korea and Taiwan that specialize in massively multiplayer online games found on popular gaming platforms.
Experts offered their thoughts on how members of the gaming industry can better protect themselves against the above threats, and how to respond to attacks when they do occur.
“The methods for protecting game development teams from such attacks are similar to any development team’s, and the biggest risk is the same as well: social engineering,” said Gittins. “All employees should be trained on proper pipelines and protocols to ensure the safety of data and technology.”
As for ransomware attacks, “It is our general recommendation that developers not pay extortion demands, as this does not guarantee protection and merely encourages this behavior,” she added.
Tartare similarly recommended training, as well as installing an antivirus solution, and ensuring that adequate backup and recovery plans are in place.