In what could have been the dystopian future envisioned by sci-fi author William Gibson or just another bad day for CD Projekt Red, the company was hit with a 48-hour ransom demand by an undetermined hacking group.
The group claimed to have dumped full copies of the source code for the company's Cyberpunk 2077 server and other important games.
The note, which the company made public, also claimed to have exposed all of the Polish-based company’s documents relating to accounting, administration, legal, HR and investor relations. The attackers said if CD Projekt Red did not agree to its demands, they would sell or leak the company’s source code online and would send all documents to the threat actor’s contacts in gaming journalism.
This latest incident was one in a long stream of bad news days for the company and its Cyberpunk 2077 game, which has had one of the more troubled launches in gaming history. Once it started shipping in early December 2020, gamers complained it needed dozens of updates to work properly and many had issues running it on Microsoft’s Xbox. Microsoft finally issued a performance warning on Cyberpunk 2077 late last year and Sony went so far as to pull it from the PlayStation store. One of the leading investors also filed a class-action lawsuit at the end of 2020.
On top of all the bad news, William Gibson, who, in his novel Neuromancer, coined the phrase cyberspace and established the Cyberpunk genre, panned the game as well when it came out, calling it “mediocre at best.”
CD Projekt Red responded by admitting they were hit with the ransomware and that some of its internal systems and “certain” data were compromised. The company said some devices in its network were encrypted but the company’s backups remain intact. It also said the compromised systems did not contain any personal data of its players or users of its services.
Company officials said they had been in touch with law enforcement authorities and the president of the Personal Data Protection Office in Poland. CD Projekt Red does not intend to meet the demands of the hackers.
So who did it?
The high-profile hack left security researchers debating whether the culprit was an organized ransomware gang, a disgruntled insider or an angry gamer.
“The amount of people who are thinking this was done by a disgruntled gamer is laughable,” tweeted Fabian Woser, a well-known ransomware expert and CTO of Emsisoft. “Judging by the ransom note that was shared, this was done by a ransomware group we track as ‘HelloKitty.’ This has nothing to do with disgruntled gamers and is just your average ransomware.”
Chad Anderson, senior security researcher at DomainTools, said given the reports of a toxic work environment at CD Projekt Red, it could have been an insider threat. It's not uncommon, he said, for ransomware actors to find their way inside of a company through a disgruntled employee or for the ‘hack’ itself to come from someone inside.
“If I had to stack rank the possibilities in this situation, I’d bet first on a disgruntled employee being involved, second on a ransomware operator acting alone, and finally on a disgruntled gamer,” Anderson said. “And really if I had the option I’d choose not to bet on the disgruntled gamer at all. Spending days breaking into a company’s servers, exfiltrating large source code repositories, then running a ransomware operation just doesn’t fall in line with the mad gamer narrative. Too much work involved.”
For many organizations, the financial and data loss is only one part of the equation, said Javvad Malik, security awareness advocate at KnowBe4, who contends the reputational loss of such attacks cannot be underestimated.
“For example, in November, Sydney-based hedge fund Levitas Capital saw over $8 million stolen, and while it could recover the majority of the money, the reputational impact caused its biggest investors to withdraw their money, forcing the hedge fund to close down,” Malik said. “While some large organizations can withstand any potential backlash from customers or the stock market, it is a high risk."
Even with all the bad news, CD Projekt Red’s stock ended Tuesday at $18.65 a share, down just 4.19 percent.