Fallout of EA source code breach could be severe, cybersecurity experts say

Potential buyers could be interested in using the source code to game the game to make millions, perhaps sounding EA’s death knell in the process.


The news that games giant Electronic Arts was hacked, and that the source code and software development kits to many popular games like FIFA 21 and 22 were stolen along with the source code to Frostbite, the games engine that powers many popular titles such as Madden, Need for Speed and Battlefield, has spread like wildfire in the past 24 hours. In all, the hackers claim to have pilfered 780GB of EA’s proprietary data.


The hack was first reported by Motherboard, which discovered the hackers selling the code for $28 million on the R0 Crew forum on the Dark Web. According to its masthead, R0 Crew is “… a community of people who are interested in topics related to reverse engineering, exploit development, malware research and pentest.” It posts jobs, “some materials” such as expdev, malware and pentest, and prefers users communicate in English but Russian is fine, too.

The hackers also included proof of their exploits using anonfiles.com as well as a 2015 email between EA and games security provider Denuvo. The exact cause of the breach or when it occurred is not yet known. But the date on which the R0 Crew posting was cached by Google is June 6, 2021, so it likely happened sometime before that date.


EA confirmed the breach in a statement to Motherboard on Thursday but has not released any statements since. TechRepublic has reached out to EA for comment.

The consequences of the hack could be existential, said Saryu Nayyar, CEO of cybersecurity firm Gurucul.

“This sort of breach could potentially take down an organization,” she said in a statement to TechRepublic. “Game source code is highly proprietary and sensitive intellectual property that is the heartbeat of a company’s service or offering. Exposing this data is like virtually taking its life. Except that in this case, EA is saying only a limited amount of game source code and tools have been exfiltrated. Even so, the heartbeat has been interrupted and there’s no telling how this attack will ultimately impact the life blood of the company’s gaming services down the line.”

While the motivations of the hackers appear to be strictly financial, the impact on EA’s reputation could be serious. If, as many players suspect, the company has intentionally designed FIFA, one of its most popular titles, so that players who purchase coins have a better chance of winning matches and advancing their teams than players who do not, it could prove disastrous to the game’s popularity, said Garret Grajek, CEO of YouAttest, a cyber security governance firm. 

“These guys can cause some serious damage if they show the world how the coins are used to manipulate the game and improve the performance of the players and how they interact,” he said. “Will this reveal how the base game is slow and dodgy without the coins? If they can prove that, what many FIFA players around the globe allege, the game loses legitimacy.”

$1.5B worth of FIFA coins were purchased by players in 2020, he said. 

According to Rajiv Pimplaskar, chief revenue officer at digital identity provider Veridium, EA makes over $2.7B per year from in-game microtransactions and purchases.


Since the EA hack is not yet known to be a ransomware attack and involves source code instead of data like credit cards or medical information that is much easier to sell on the Dark Web, the question of who would want to buy the code becomes more interesting, said Grajek.

Because EA game coins are bought and sold by players using real-world currency on unregulated marketplaces like buyfifacoins.com, the hackers could be trying to attract the attention of organized hacker groups like China’s APT 41. With the source code, certificates and API keys (all of which the hackers say they have) in hand, APT 41 could use them to mine coins and sell them in a process known as gold farming.

“Once the world realizes how much money is going through these games, they realize it’s not just two kids down the block playing against each other,” said Grajek.

Boris Larin, senior security researcher at Kaspersky, also said that FIFA’s virtual currency could be the most valuable aspect of the code.

“FIFA 21 is of primary interest to the attackers as the game has its own virtual currency, which is in high demand,” he said, in a statement to TechRepublic. “In 2015, the FBI arrested a group that had allegedly mined and sold $15 to $18M worth of this virtual currency by using vulnerabilities found in the game. Making profit off the in-game currency would be one of the most likely interests for the cybercriminals interested in purchasing the source code.”

Having access to the source would allow someone to understand the game’s functionality, its servers and logic, as well as uncover any secret algorithms and bypass anti-cheat technologies, he said. With this knowledge, hackers could easily mine and sell the in-game currency. “[A]ccess to the source code allows you to simply read the game code like an open book,” he said.

It is not yet known for certain that no player data was stolen, but if what EA has said is true and none was, the risk to players’ personal data should be minimal.

“While no player’s personal data was compromised in the breach, it appears that Electronic Arts left their crown jewels unprotected,” said Todd Moore, vice president of Encryption Solutions at Thales, in a statement to TechRepublic. “Franchises like Madden and FIFA have reputations built over 30 years and are beloved by millions, and losing intellectual property, like the source code lost, can go far beyond financial damages.”
