Gamers have struggled for years with hackers who cheat and take over accounts. Now, videogame studios are coming under serious attack, prompting them to step up their cyber defenses.
Electronic Arts Inc.
said Thursday it was breached by hackers recently, confirming an earlier report by technology news outlet Motherboard. That followed a disclosure by Polish game developer CD Projekt SA in February of a ransomware attack and a similar invasion of systems at
Capcom Co.
Ltd. last November.
Each attack involved data theft, with schedules for coming Capcom releases posted on darknet forums for games including Resident Evil Village and Street Fighter.
Hackers claim to have pilfered the source code for popular games such as EA’s FIFA series and CD Projekt’s Cyberpunk 2077, and the libraries of code and digital assets known as game engines used to create them.
Rather than demanding ransom to not publish the source code, the hackers have instead said they would auction it on the darknet.
“When you have the keys to the kingdom, and you understand how the code is being written and how the applications are being used, that’s obviously more visibility than I think anybody would want,” said
Mark Ostrowski,
head of engineering at
Check Point Software Technologies Ltd.
, a cybersecurity provider that has worked with videogame companies on their security, including EA.
In response to the ransomware attack, CD Projekt said in a statement on June 10 that it redesigned its core information-technology infrastructure, upgraded firewalls, expanded its internal security team and engaged third-party specialists to assist with cybersecurity. A spokeswoman for the company didn’t respond to a request for comment.
A spokeswoman for EA said the company lost a limited amount of game source code and related tools during its attack, and it doesn’t believe player data was at risk. EA has a full-time internal penetration testing team in place, she said, and is following best practices such as those outlined in President Biden’s May 12 executive order on cybersecurity.
Capcom said in an April 13 report that it had upgraded its technology and created a committee to oversee cybersecurity. A spokeswoman for Capcom referred queries on the attack to the company’s report.
Videogame studios, however, face a number of challenges unique to their industry. The need to consistently stream large volumes of data into and from servers, which power online gaming, means security tools are often customized for a studio.
Additionally, the digital nature of prized assets, such as source code, means that were a hacker to break in, crucial intellectual property can be targeted and stolen.
“There’s not a single gaming company out there that does not focus on asset protection in some way,” said
Steve Ragan,
a security researcher at cybersecurity company
Akamai Technologies Inc.
who specializes in the videogame market.
High turnover of staff in the videogame industry, where entire teams can be hired for contract work or laid off after a project is completed, means that managing user access to sensitive systems can be challenging, said
Eric Milam,
vice president of research and intelligence at technology company
BlackBerry Ltd.
That increases the risk that accounts with access to sensitive data may remain open, or that disgruntled former employees may present insider risks, Mr. Milam said. “Just because they let those people go doesn’t mean those people forget about how to access certain things,” he said.
Hackers could sell source code or use it to launch attacks in a number of ways, according to researchers. For instance, by tapping into the core functions of a game, hackers could build tools that let them pose as support staff and then send phishing email to gamers to gain access to accounts to exploit or sell on the darknet, said
Hank Schless,
a senior manager at cybersecurity company Lookout Inc.
Additionally, alternate versions of games containing malware could be distributed to gamers, Mr. Schless said. Popular app stores such as
Alphabet Inc.’s
Google Play and
Apple Inc.’s
iOS App Store have strong protections, but such impostor versions of games could sell on third-party platforms with weaker oversight, he said.
Criminals may also be able to develop tools that wreak havoc on games, Mr. Ragan said. “If you’re in the market for selling cheats and cracks for a certain game, the source code is going to help you identify ways to bypass protections. That’s the really big fear,” he said.
While cheating disrupts enjoyment from gaming, it also puts growing revenue from esports at risk if sophisticated tools become widespread.
Gaming research company Newzoo International B.V. estimated in March that revenue from the esports market will top $1 billion in 2021 for the first time, with a global audience of 474 million people. The videogame industry as a whole generated revenue in excess of movies and U.S. sports combined in 2020, according to estimates from market research company International Data Corp.
Ongoing updates, subscriptions and in-game economies, known as live services, also provide a lucrative source of revenue for games far beyond their initial sale value, and could be vulnerable to hackers through attacks on gamers or attacks engineered by analyzing a game’s source code.
EA’s live services accounted for 71% of its net revenue, at just over $4.01 billion, in its 2021 fiscal year, according to regulatory filings. Around $1.62 billion of that came from FIFA’s Ultimate Team mode.
EA’s spokeswoman said the company doesn’t expect the recent attack to have a material impact on its games or business.
Write to James Rundle at james.rundle@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8