Combining Cybersecurity with Gaming: Cheats, Insider Threats, Ransomware, and More

October 17, 2022

The video game industry has grown considerably since its introduction in the early 1970s, with analysts believing the market to be worth $321 billion by 2026. As such, the gaming industry faces a wide range of cyber and even physical threats as malicious actors are attracted by rising profits. Whether it be in the form of vulnerabilities, account takeovers, distributed denial-of-service (DDoS) attacks, software piracy, or in-game cheats and hacks—recent events like the Grand Theft Auto 6 data breach show that gaming companies can find themselves in the crosshairs of sophisticated cybercrime gangs and other malicious actors.

The gaming industry, as well as its customers, faces the following threats:

  1. In-game cheats, hacks, and modifications (mods)
  2. Insider threats
  3. Software piracy
  4. Account takeovers and compromised credentials
  5. Ransomware
  6. Malware and vulnerabilities
  7. Distributed Denial of Service Attacks (DDoS)
  8. Radicalization and extremism

Understanding the dangers of in-game cheats and hacks

The most common threats are in-game hacks, cheats, and modifications (mods), which allow users to modify certain elements of a game. However, for those unfamiliar with gaming, they can be the most difficult threats to understand.

So what if an individual cheats in a video game? How is that significant, or dangerous to organizations within the space? If unaddressed, rampant hacking or cheating could severely impact the bottom line of gaming companies, as well as introduce the potential for insider threats.

Threat actors sell a number of goods and services that modify or enhance the gaming experience, usually at the expense of other rule-abiding players. Cheats perform a wide range of actions depending on the genre, but they usually come in the form of automatic aiming (aimbots) or “stat boosts” that increase a player’s in-game abilities. These cheats typically violate the game’s terms of service agreement and are generally sold on illicit marketplaces and chat services.

To fully understand their impact, it is important to have a grasp of the industry’s go-to market strategy. Unlike most retail-focused environments, success in the gaming industry is not solely represented by the number of units sold. While popular titles do sell millions of copies, the vast majority of revenue comes from the adoption of a Games-as-a-Service (GaaS) model, otherwise known as live service gaming.

In this model, most earnings come from players purchasing in-game items or other downloadable content. And since GaaS titles are often “free” to download, the success of these games depends on an active player base that is willing to participate in microtransactions. As such, video game hacks and cheats can create discontent within the community, leading to them abandoning these titles in favor of more balanced experiences. This means big trouble for developers given the high costs of game development and other overhead costs.

Possible insider threats

In addition, in-game cheat and hacking services open an organization to possible insider threats. Many cheat developers are, or were at one point, legitimate game developers who now make cheats for financial gain. Depending on their level of expertise or authority, they could have access to a game’s source code or intimate knowledge of the company’s systems, which helps them develop services that circumvent a game’s anti-cheat functions.

Several threat actors are alleged to develop original games, with their projects appearing on common distribution channels like Steam, while moonlighting on illicit forums. Looking at cyberattacks experienced by gaming companies as a whole, many of them can be traced back to their employees.

Software piracy causes financial loss

Software piracy is an issue worldwide, but even more so in the gaming industry. Threat actors take video game data from its original medium and distribute it for free. Every year, millions of dollars are lost due to piracy-related copyright infringement.

Account takeover and compromised credentials

Beyond in-game cheats and hacks, account takeover is a rampant concern for gamers and organizations alike. Many illicit services are dedicated to selling accounts, whether those accounts were automatically generated or stolen.

While a gaming account most likely sits well outside the systems of most organizations, a compromised account still introduces risk. Threat actors employ credential stuffing attacks, in which they attempt to use compromised credentials to gain access to other accounts owned by the same individual.
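Credential stuffing leaves a recognizable trace in authentication logs: one source replaying leaked username/password pairs against many different accounts, with mostly failures and an occasional hit. The following detection logic is an added example written for this article, not Flashpoint code; the log format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines from a hypothetical game login service (not real data).
# Assumed format: "<timestamp> ip=<source ip> user=<account> result=<OK|FAIL>"
SAMPLE_LOG = """\
2022-10-17T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2022-10-17T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2022-10-17T10:00:02Z ip=203.0.113.7 user=carol result=OK
2022-10-17T10:00:03Z ip=203.0.113.7 user=dave result=FAIL
2022-10-17T10:00:05Z ip=203.0.113.7 user=frank result=OK
2022-10-17T10:00:09Z ip=198.51.100.4 user=alice result=FAIL
2022-10-17T10:00:12Z ip=198.51.100.4 user=alice result=FAIL
2022-10-17T10:00:15Z ip=198.51.100.4 user=alice result=OK
2022-10-17T10:00:20Z ip=192.0.2.9 user=gina result=OK
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse_log(log_text):
    """Yield (ip, user, succeeded) per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, ip, user, result = m.groups()
            yield ip, user, result == "OK"

def detect_credential_stuffing(log_text, min_accounts=5, max_success_ratio=0.5):
    """Return {ip: summary} for sources whose pattern looks like credential stuffing:
    one IP trying many distinct accounts with mostly failures. Leaked username/password
    pairs are replayed across many accounts, so the distinct-account count per source is
    the signal; repeated failures on a single account (a forgotten password) are not."""
    per_ip = defaultdict(lambda: {"accounts": set(), "failures": 0, "successes": []})
    for ip, user, ok in parse_log(log_text):
        entry = per_ip[ip]
        entry["accounts"].add(user)
        if ok:
            entry["successes"].append(user)
        else:
            entry["failures"] += 1
    flagged = {}
    for ip, entry in per_ip.items():
        attempts = entry["failures"] + len(entry["successes"])
        success_ratio = len(entry["successes"]) / attempts
        if len(entry["accounts"]) >= min_accounts and success_ratio <= max_success_ratio:
            # "successes" lists accounts that accepted a replayed credential: reset those first
            flagged[ip] = {"accounts": len(entry["accounts"]),
                           "failures": entry["failures"],
                           "successes": entry["successes"]}
    return flagged
```

In the sample, 203.0.113.7 is flagged (five accounts, two hits), while 198.51.100.4 hammering a single account is left to a separate lockout rule.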

Compromised credentials for gaming companies are a common offering on illicit account shops, such as Russian Market and Genesis Market. These sites sell stolen credentials and browser data collected by information-stealing malware. A 2021 report observed that over 500,000 compromised credentials came from twenty-five major gaming companies, including credentials belonging to management roles and to departments such as Human Resources and Purchasing.

Credentials can be used for a range of cyberattacks, including business email compromise (BEC) attacks or providing initial access for ransomware or data breach attacks. For example, in 2021, stolen cookies were used to access a corporate communications channel at gaming publisher EA. From there, the attackers social-engineered an IT worker into giving them further access to the company’s network. They then successfully exfiltrated source code, development tools, and game engine data.

Ransomware and data extortion groups

Even though nearly all industries experience ransomware and data extortion attacks, gaming companies are becoming an attractive target for threat actors. Analysts note that this is likely because gaming companies tend to possess a considerable amount of sensitive information, such as corporate documents, source code, as well as large amounts of customer and client data.

Threat actors, ransomware gangs, as well as Advanced Persistent Threat (APT) groups have targeted gaming organizations:

  • A threat actor posted on Breach Forums in February 2023, claiming to have compromised Nintendo’s developer portal and obtained confidential content about the Nintendo Switch, internal development tools, source code, and back-end code.
  • Riot Games confirmed that hackers had stolen source code from League of Legends, the game Teamfight Tactics, and an unidentified “legacy anti-cheat platform” back in January 2023.
  • “Teapotuberhacker” – A threat actor possibly tied to LAPSUS$ claimed to have compromised Rockstar Games on September 18, 2022, stating that they had stolen ninety videos and source code related to Grand Theft Auto VI.
  • “ALPHV” (aka “Black Cat”) – The ransomware gang attacked Bandai Namco on July 11, 2022.
  • LAPSUS$ – The ransomware group attacked graphics card company Nvidia, stealing 1 TB of internal information.
  • “HelloKitty” gang – This group was suspected by researchers to have compromised video game publisher CD Projekt Red.
  • “RagnarLocker” – The ransomware group claimed to have stolen 1 TB of data from gaming publisher Capcom.
  • APT41 (aka “Wicked Panda”) – The Department of Justice charged the group in 2020 for attacking nine video game companies.
  • APT38 (aka “Lazarus Group”) – This APT group was responsible for hacking a cryptocurrency-based game Axie Infinity.

Malware and vulnerabilities

Like other complex software and services, video games can have technical vulnerabilities that can be exploited. Modern games are also exposed to supply chain attacks and unpatched dependencies. At minimum, this can disrupt normal use for players, but it can also be used to delete data, deploy malware, or execute arbitrary code, allowing an attacker to potentially take over a game session or even a player’s PC.

A February 2023 report by Avast detailed a remote code execution (RCE) vulnerability that enabled the creation of unauthorized game modes in the popular game Dota 2.

Avast attributed the issue to an out-of-date build of V8, an open source JavaScript engine developed by Google and used in Dota 2’s Panorama user interface framework. Dota 2 was shipping a v8.dll library that dated back to 2018, leaving the game’s engine exposed to numerous publicly known V8 vulnerabilities.

Researchers observed four unauthorized game modes leveraging this vulnerability. While Avast only observed the use of this RCE in these game modes, researchers noted that the same method could have been leveraged against more popular modes and have a broader impact on Dota 2’s player base.

In January 2023, gamers and researchers reported a severe exploit affecting Grand Theft Auto V’s online mode. The partial RCE vulnerability allowed attackers to delete and modify in-game state, corrupt game data, ban users, and modify PC files. It was later reported that modders and hackers were actively working to exploit the vulnerability, which was subsequently assigned CVE-2023-24059.

On January 21, 2022, Flashpoint observed “PaleTongue,” an RCE vulnerability affecting the network functionality of the popular Bandai Namco game Dark Souls 3. The vulnerability was eventually assigned CVE-2022-24126. The vulnerability forced Bandai Namco to shut down the online functionality of Dark Souls 3 for 113 days while the issue was resolved.

In 2020, Dark Souls modder Luke Yui discovered another RCE vulnerability that would later be labeled CVE-2021-34170. This vulnerability also affected Dark Souls’ net code and was present in Bandai Namco’s 2022 release Elden Ring, though it appears to have been patched.

DDoS attacks targeting the gaming sector

Distributed denial-of-service (DDoS) attacks are quite common in the gaming sector, targeting gaming infrastructure, individual players, video game streamers, or esports events. Interestingly enough, the growth of DDoS-for-hire services, as well as many of the botnet variants available on the Deep and Dark Web, can be traced back to the gaming industry.

For example, the prolific botnet “Mirai” was initially created as a DDoS tool by a crew of Minecraft server operators who wanted to knock competing server providers offline. The original version of Mirai contained an attack mode specifically designed to target game servers running Valve’s Source Engine. Even after the arrest of many Mirai developers, it has spawned numerous variants that are readily available on illicit channels. DDoS attacks continue to be used by threat actors, including by Russia against Ukraine’s government websites and banking institutions.

Radicalization and extremism in gaming communities

Online gaming communities and gaming-affiliated communication platforms are frequently used for extremist discourse and recruitment across ideologies. Factors contributing to extremist groups preferring gaming platforms include their lack of content moderation, as well as the large number of young players.

It is not proven that gaming communities are more susceptible to extremist activity. The scale of extremist activity in gaming communities is difficult to quantify due to difficulties in accessing extremist communication channels and their overlap with other vectors and factors that lead to radicalization, such as social isolation and preexisting sympathies.

Protect against threats with Flashpoint

In order to mitigate and protect against these types of threats, organizations need comprehensive intelligence, as well as tools that grant visibility into threat actor chatter—in addition to compromised credential monitoring. Get a free trial today to see Flashpoint’s extensive collections platform in action.

Begin your free trial today.