Hackers hit CD Projekt Red, steal data, ask for ransom

Polish game developer CD Projekt Red has been hit by hackers, who breached its internal network, stole data, encrypted some devices, and asked for a ransom to not sell of leak online sensitive company documents and the source code of some of their more popular games.

The company discovered the breach on Monday and announced on Tuesday that they won’t be paying the ransom.

What happened and what now?

The company categorized the attack as targeted, and admitted that the attacker managed to access the company’s internal network and “collected certain data belonging to CD PROJEKT capital group.”

“Although some devices in out network have been encrypted, our backups remain intact. We have already secured out IT infrastructure and begun restoring the data,” the company noted.

“We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data. We are taking necessary steps to mitigate the consequences of such a release, in particular by approaching any parties that may be affected due to the breach.”

They have notified local law enforcement and the national data protection authority in Poland about the breach, and have called in IT forensic specialists to investigate. For the moment, it seems that no personal player or user data has been compromised.

In the ransom note, the attackers claim to have exfiltrated the source code for Cyberpunk 2077, Witcher 3, Gwent and the unreleased version of Witcher 3, as well as documents related to accounting, administration, legal, HR, investor relations, and more.

Industry comments

This is not the first time CD Projekt Red was hit by hackers – it happened also in June 2017, when the attackers stole internal files and documents connected to early designs for the (then upcoming and long-awaited) Cyberpunk 2077 game, and threatened to publish them if the company did not pay a ransom.

That particular game was released with great fanfare in December 2020, but has been plagued by bugs and performance issues.

Bert Steppé, a researcher at F-Secure’s Tactical Defence Unit, posited that the real motivation of this latest attack is extortion, but also damaging the company’s image.

“Since the attacker’s note doesn’t look too ‘professional’, maybe it’s just an angry gamer disappointed with the Cyberpunk 2077 game?” he added.

Antti Tuomi, Principal Security Consultant at F-Secure, noted that the difficult aspect about the data being breached is that, once it has been copied, there is no reliable way to ever ensure it won’t be published and all copies deleted even if the victim pays the ransom.

“CDPR is doing the right thing both for themselves and their customers by acknowledging the issue and its impact as well as informing everyone about what was affected and whether individuals should be worried about their data. Also, not agreeing to pay the ransom, even if it did cause their unreleased game source and assets to be leaked, is commendable,” he pointed out.

Iain Chidgey, VP EMEA at Sumo Logic – a company that works with game developers like SEGA Europe and The Pokemon Company – said that based on the ransom noted shared by CD Projekt Red, this appears to be an attack on the company’s software development process that led to the hackers getting in.

“Finding a tool that is not secured properly and then using lateral movement within the network to launch ransomware has become a more common approach for hackers, as it does lead to ransom payments. However, the note may not be telling the truth, and the issue may be elsewhere,” he said.

“Securing the whole software supply chain is a higher priority for companies of all kinds these days after the Solarwinds attack in late 2020. For companies where code is their product, this is even more important to get right. Putting strong observability processes in place can help in these circumstances to show where things are out of the ordinary.

“For games developers and publishers, protecting their operations involves securing game assets and IP alongside the cloud instances and services running the games instances. For the biggest games, the data volumes coming from players in the cloud leads to this being a machine readable problem and no longer a human readable issue. If we are able to observe our software supply chains and all the data loads created by online gaming instances over time, we can be more secure.”