CD Projekt Red confirmed that employee and game-related data appears to be floating around the cyber-underground, four months after a hack on the Witcher and Cyberpunk 2077 developer.
New data from the February hack of CD Projekt Red, the videogame-development company behind Cyberpunk 2077 and the Witcher series, is circulating online.
Earlier this year, the company suffered a ransomware attack in which a cyberattack group (believed by some to be the HelloKitty gang) “gained access to our internal network, collected certain data belonging to CD PROJEKT Capital Group and left a ransom note,” the company said at the time.
The ransomware also encrypted the company’s systems, but CD Projekt Red was able to restore everything from backup – leaving the real issue to be the stolen data.
Ransomware gangs have doubled down on the increasingly common “double-extortion” threat, saying they will auction stolen data if victims don’t pay. Many also maintain “name and shame” blogs – used by operators to post leaked data from victims that refused to send over a ransom.
And indeed, in the CD Projekt Red ransom note (also tweeted out), the cybercriminals said that they had “dumped full copies” of the source code for Cyberpunk 2077, Gwent, the Witcher 3 and an “unreleased version” of the Witcher 3, and that they had stolen sensitive corporate information relating to accounting, administration, HR, investor relations, legal and more.
“Source codes will be sold or leaked online, and your documents will be sent to our contacts in gaming journalism,” according to the note, which went on to say that not paying up would have an impact on the company’s public image, stock price and investor confidence. The attackers claimed that the information would expose how terribly the company is run.
Now, four months later, the crooks seem to be making good on their promise regarding the information. In an update posted late Thursday, CD Projekt Red said that its security staff “now have reason to believe that internal data illegally obtained during the attack is currently being circulated on the internet.”
It added that it’s in the process of clarifying just which data is being circulated, “though we believe it may include current/former employee and contractor details in addition to data related to our games. Furthermore, we cannot confirm whether or not the data involved may have been manipulated or tampered with following the breach.”
— CD PROJEKT RED (@CDPROJEKTRED) June 10, 2021
The company added, “regardless of the authenticity of the data being circulated — we will do everything in our power to protect the privacy of our employees, as well as all other involved parties. We are committed and prepared to take action against parties sharing the data in question.”
“Following the updated ransomware playbook of ‘breach, extract, encrypt, offer,’ this incident is no different,” Dirk Schrader, global vice president of security research at New Net Technologies (NNT), told Threatpost. However, he added, “It was some sort of luck on CD Projekt Red’s side that – as far as we know – no customer data was involved, because if so the story would have evolved in very different ways.”
Source Code Was Previously Auctioned
It should be noted that the ransomware gang seemingly made good on its promise to auction off the company’s data once before, when source code for Cyberpunk 2077 and the aforementioned unreleased version of the Witcher 3 was purportedly put up for sale in February on the well-known Russian-language underground forum “Exploit.”
The lot was sold a day later, and while cyber-researchers confirmed the auction’s existence, they were unable to verify the amount it sold for, or the veracity of what was being sold. The auction called for opening bids of $1 million.
“Digital Shadows has seen several attempts to either sell or expose data related to CD Projekt Red since February, with unconfirmed actors first trying to auction game and other internal company data on a well-known Russian language forum,” Sean Nikkel, senior cyber-threat intel analyst at Digital Shadows, told Threatpost. “Most recently, threat actors released just over 300GB of data allegedly belonging to CD Projekt Red on the Payload.bin data leak site, which is a Dark Web site associated with Babuk Locker ransomware.”
Release of the source code would allow fans to develop game hacks, all kinds of “modding” (i.e., development of custom features) and jailbreaks, and would be a gift to competitors.
And, “if the attackers were able to exfiltrate source code for the popular Cyberpunk 2077 and Witcher games it could lead to more targeted exploit development aimed at a widespread player base,” Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said at the time.
However, the lack of confirmation on the part of CD Projekt Red that its data was indeed being sold across the incidents could indicate they were Dark Web scams, NNT’s Schrader said.
“Now that the data is circulating, previous claims that the attackers have sold it already don’t seem plausible,” he noted.