Another major video game developer and publisher has suffered a cyberattack that reportedly resulted in the exfiltration of more than three quarters of a terabyte of data. The exfiltrated data reportedly includes source code, software development kits and game engines. News reports indicate that threat actors gained access to the system through Slack channels, stolen authentication cookies, and (apparently) a well-executed spear phishing attack to secure multi-factor authentication tokens. At the same time, other recent reports have described malware hiding in gaming platforms via profile pictures, similar to malware injection via website favicons.
Meanwhile, esports has become big business and mainstream, with huge amounts of data and large capital transactions. A League of Legends tournament was featured in the Netflix documentary 7 Days, and Sports Illustrated's July 2021 cover story was about an esports team. Even the Olympics is reportedly considering including esports.
The combination of threat actors turning to the gaming industry and the rise of esports shows how important it is for the industry and for esports platforms and leagues to increase their awareness of cybersecurity. As with other technological developments, the risk is always present for individuals: in their homes, on their personal computing devices and in their financial accounts. In their current state, the gaming industry and esports present attractive targets for cyber threat actors. Here are some examples of areas that require special attention.
First, attackers can seek information on player or subscriber accounts. Many games today, from MMORPGs and web3-based platforms to sports and real-time strategy games, and everything in between, include online play or DLC components. For these, the publisher can collect significant amounts of player information that has significant market value for marketers and threat actors, such as payment information, geolocation, cryptographic addresses, or other personal information useful for phishing and other social engineering attacks against individuals and their employers. Recent reports about social media profiles being posted on websites for use in social engineering attacks highlight this risk.
Second, attackers could seek to use video games to deploy and execute malicious code. As seen with the methodology behind the 2020 SUNBURST attack, insecure video games could be an attack vector for threat actors through the injection of malicious code. For video games that run on personal computers or smartphones, malicious code that reaches the device through local execution can be used to access non-game data stored on that device. (Given the graphical requirements, it may be difficult to run the game in a sandbox.) The profile pictures in the reported gaming platform malware appear to contain code that checks whether a particular enterprise communication platform is installed; a malicious actor may seek to gain access to confidential business information exchanged using this platform and stored on the local device.
Games offered only for play on a dedicated gaming device can still be attractive targets. Attackers may seek to infect the device with botnet code to execute attacks on other devices or computers. Or the malware could open a backdoor into a closed network: running inside the firewall and modem on a home network, it can deliver payloads to other devices on the local network, including computers and smartphones, without having to get past the additional defenses faced by code executing from outside the local network.
Third, attackers could discover vulnerabilities to exploit in an esports league's game. As with any game or sport, it is important to the success of the franchise that the playing field is considered fair, clean and free from corruption. Esports already have anti-doping programs. If an esports team could gain access to stolen source code or game engines, it might be able to develop previously unknown tactics that exploit in-game logic errors. This should be expected; it happens in all sports. Baseball has a long history of sign stealing and modified game gear, and soccer teams have been accused of manipulating the playing surface or adjusting the air pressure in the ball. The continued growth of esports requires ensuring that confidential source code and game engines are not used to exploit errors in league play. Likewise, with the growing popularity of online gambling, vulnerabilities discovered through cybersecurity incidents could be exploited for match-fixing. Exfiltrated exploits and match-fixing could impact the development and growth of esports.
Fourth, a large-scale esports event can be a valuable target for a disruptive attack, such as malware. If an esports league's systems were disrupted by ransomware on the eve of the finals, the league could face greater pressure to pay the ransom quickly so the finals could go ahead. It's possible that esports leagues (or teams) are seen as better targets because, unlike hospitals and others, threat actors may view esports as apolitical and attacks on them as unlikely to violate so-called "codes of conduct." Esports is not (yet) like football or other sports with national teams, which can deter threat actors affiliated with a nation-state from interfering.
In short, the gaming industry and esports present attractive targets for threat actors for many reasons. Core participants should take cybersecurity concerns seriously, and each should ensure that it has a strong and established security and compliance program to reduce and mitigate potential risks and vulnerabilities.