Cyberattackers have compromised and demanded a ransom from Riot Games, the developer behind the popular League of Legends game, in the latest attack to target video-game makers.
In a series of posts on Twitter, Riot Games acknowledged the breach this week and confirmed that the attackers had exfiltrated source code for the League of Legends (aka LoL) and Teamfight Tactics (TFT) games, as well as source code for an older anti-cheat platform. The attackers issued a ransom demand for $10 million, threatening to otherwise release the source code.
The attack disrupted Riot Games' development environment but appears to have failed to compromise player data, the company stated.
"We've made a lot of progress since last week and we believe we’ll have things repaired later in the week, which will allow us to remain on our regular patch cadence going forward," the company said on Twitter. "The League and TFT teams will update you soon on what this means for each game."
Riot Games joins other major video-game makers as a victim of online attackers. In September, Take Two Interactive's Rockstar Games — the maker of Grand Theft Auto — acknowledged that an unknown third party had compromised its network and gained access to videos and files for its coming Grand Theft Auto 6. And in 2021, cybercriminals used social engineering to gain access to the Slack channel for developers at Electronic Arts, giving them access to source code for the company's FIFA 21 and Battlefield franchises.
More recently, Rockstar Games has scrambled over the past week to deal with hackers exploiting vulnerabilities in the PC version of its Grand Theft Auto Online.
Industry analysts estimate that more than half of the US population plays games, with games on mobile devices about twice as popular as those on PCs or consoles. And attackers go where the people are, Tonia Dudley, CISO at Cofense, said in a statement to Dark Reading.
"In recent years, the gaming sector has become an increasingly popular target for cybercriminals," she said. "As investments in everything from e-sports to video games have increased, cyberattacks — particularly distributed denial-of-service (DDoS) attacks — have skyrocketed."
Cyberattackers Playing Games
Part of the reason that attackers focus on video-game makers is the large overlap between gamer and hacker interests. For instance, some are driven by a desire to find cheats to gain an advantage in online play.
Attacks targeting online gamers typically make up a plurality of DDoS attacks detected each year and accounted for 46% of all attacks in 2020.
Cybercriminals also often target game makers that, arguably, have alienated their fan bases. In February 2021, for example, hackers targeted CD Projekt Red — the maker of the Witcher and Cyberpunk 2077 video games — because they were angry with the buggy state of the Cyberpunk 2077 game.
Yet games also make good platforms to distribute malware. Pirated games are often a vector for opportunistic malware. With most games connected to, and downloading data from, the Internet, games and their online services make ideal vectors of attack, says Boris Larin, lead security researcher at Kaspersky’s Global Research and Analysis Team.
"[T]hey have compromised a victim's build environments to conduct supply chain attacks, [which] could be considered as a very effective strategy for infection of a large number of PCs with a single attack," he says. "Massive multiplayer online (MMO) games have large user bases, and those users expect to receive automatic updates, so if attackers Trojanize a game update, a very large portion of players will be infected all at once."
No Pay to Play
Riot Games' response to the attack highlights another trend in the industry: Victims of ransomware attacks are refusing to pay. Last week, digital currency trackers estimated that ransomware revenues fell nearly 40% to nearly $460 million, with the average attack returning less in revenue per transaction.
The cybercriminals behind the attack on Riot Games demanded $10 million to not release the company's source code, according to an article in Motherboard.
Riot Games had a simple response.
"Today, we received a ransom email," the company stated in its post to Twitter. "Needless to say, we won't pay."
Riot Games handled the notification aspect of the breach very well, laying everything out to its customers, noting that personal information was likely not compromised, and detailing what code had been stolen, according to Kaspersky's Larin.
"We think that Riot Games did the right thing choosing not to pay," he says. "If you become a victim, never pay the ransom. [Paying] will not guarantee you get your data back nor that it will not be leaked online, but it will encourage criminals to continue their business."
Riot Games plans to release a full report on the incident to the public, "detailing the attackers' techniques, the areas where Riot's security controls failed, and the steps we’re taking to ensure this doesn’t happen again," the company stated.