A hot topic of conversation right now concerns the February hack of Cyberpunk 2077 developer CD Projekt Red. The hacker gained access to source code for games like The Witcher 3, along with internal company documents. 

Recently, a report from Bloomberg states that due to the hack, employees have been locked out of their workstations for two weeks, resulting in the delay of Patch 1.2 for Cyberpunk 2077.

And while the CD Projekt Red hack is substantial in the amount of damage it has caused, it’s not the only company to have suffered from hacking attempts. 

It may not be the last, either.

CD Projekt Red Hack Could Be Part of a Much Bigger Problem

In a January 2021 report from KELA entitled “Darknet Threat Actors Are Not Playing Games with the Industry” it was revealed that more than 500,000 leaked credentials connected to employees in the gaming industry had been detected. 

The credentials include “high-profile email addresses such as senior employees and email addresses which are generally a significant channel in the company – invoice, purchasing, admin, HR-related emails, support and marketing.” 

This in and of itself is concerning, as these leaked credentials create a number of potential vulnerabilities for hackers to exploit. KELA also mentions that, “All these threats, altogether or separately, can be used in an attack chain aimed to compromise organizations.” 

It’s currently unclear whether these leaked credentials link to CD Projekt Red’s hack in any way. However, the timeline between KELA’s report in January and CD Projekt Red’s hack in February is interesting to say the least. 

Adding to this, KELA noted the following:

  • KELA observed multiple instances of supply and demand for initial network access of gaming companies (especially their resources designed for developers).

  • KELA found nearly 1 million compromised accounts pertaining to gaming clients and employees, with 50% of them offered for sale during 2020.

The mention of “resources designed for developers” and the knowledge that source code was stolen from CD Projekt Red, and then sold online, is uncanny. Connecting CD Projekt Red's hack to KELA's report even further, KELA notes that:

“For the past two months, we’ve observed several different actors looking for access to networks of gaming companies.” 

KELA goes on to report on a few instances where hackers were successful in their attempts, most notably a hack on Koei Tecmo back in December which was later disclosed by the company after hackers posted the data they'd stolen on a forum for free, giving a larger number of people access to it.

“The listing included FTP credentials – in this instance it does not necessarily indicate a network access, rather it provides an access point into the company’s environment,” KELA writes.

Koei Tecmo and CD Projekt Red aren’t alone, as resources for “25 major gaming companies” were detected by KELA during their monitoring of underground markets over the last 2.5 years. 

“KELA has been monitoring the major underground markets of this type for over 2.5 years and has tracked nearly 1 million compromised accounts of employee- and client-facing resources of the 25 major gaming companies in question – with half of them being listed for sale in 2020 alone.

It’s important to note that we detected compromised accounts to internal resources of nearly every company in question. These resources are meant to be used by employees, for example – Admin panels, VPNs, Jira instances, FTPs, SSOs, dev-related environments, and the list goes on and on.”

KELA didn't provide names for these 25 gaming companies, but we wouldn't be surprised if CD Projekt Red was among them. 

Delving even further into the connections between KELA’s report and CD Projekt Red’s hack, KELA remarks the following: 

“The potential attacker needs to explore them and proceed with ones that look “interesting” – meaning they enable access to a network of a large company with significant revenue (and probably from a sector willing to pay ransom – government organizations, for instance, usually do not negotiate with ransomware operators). Finally, the actor will attempt to escalate privileges or install further tools in order to gain initial access."

Again, the mention of a ransom fits with the note left for CD Projekt Red.

And in reading all of this, we want to take a moment to point out the severity of the implications of KELA’s report. Right now, the focus is largely on CD Projekt Red and the narrative seems to pin the hack as a CD Projekt Red problem.

If resources for 25 major gaming companies have been leaked per KELA’s data, they all risk suffering the same fate as CD Projekt Red (or a less substantial hack like the one on Koei Tecmo). We wouldn’t be surprised to hear that hacking attempts on some of these major gaming companies have already been made over the last few months.

While we may not hear about unsuccessful hacking attempts the same way we hear about hacks like the one on CD Projekt Red, it doesn’t mean they aren’t happening. 

And that’s a problem.

KELA’s report and CD Projekt Red’s hack should serve as a serious warning for gaming companies to invest more in cyber security. Speaking of which, KELA has a few tips on combating cyber security threats. The tip that stands out the most, and connects to what KELA has been at large, is this:

“As the gaming industry continues to grow in revenue, we will likely continue to detect more threats and attacks targeting the online gaming industry.

With constant monitoring of their assets’ exposure in the darknet, these organizations can proactively detect threats and map out their risk in order to foresee potential weaknesses in their environment.

Speaking on a personal level for a moment, I hope that CD Projekt Red is able to fully recover from the hack. The fact that employees are suffering as a result of something they had no control over is awful, and I feel terrible reading reports from Bloomberg about what employees are having to deal with right now.

I also don't want this piece to sound like I'm placing any blame on CD Projekt Red for the hack in regards to cyber security. My goal in writing this piece is to ensure that other companies don't end up in the same predicament. This isn't an issue that impacts CD Projekt Red alone, it impacts the entire industry. 

The effects of a successful hack, as seen with CD Projekt Red, can be absolutely devastating and I am appreciative of KELA's report as it helps give companies crucial information that can be used to protect themselves in the future.