CD Projekt Red, the Polish developer of Cyberpunk 2077 and The Witcher 3, has disclosed a major security incident in which several company systems were encrypted and confidential data stolen.
The studio took the unusual step of publishing the ransom note left by the hackers, which threatens to release the source code for its launched and upcoming titles, as well as various internal documents, should they fail to come to a deal.
Important Update pic.twitter.com/PCEuhAJosR— CD PROJEKT RED (@CDPROJEKTRED) February 9, 2021
"If we will not come to an agreement, then your source codes will be sold or leaked online and your documents will be sent to our contacts in gaming journalism," wrote the attackers, who added CD Projekt Red (CDPR) had a 48-hour deadline to respond to their demands.
We will not give in to the demands nor negotiate with the actor, being aware this may eventually lead to the release of the compromised data
"Your public image will go down in the shitter even more and people will see how shitty your company functions. Investors will lose trust in your company and the stock will dive even lower!"
Although CDPR has not confirmed the full scope of the incident, the attackers claimed to have accessed the firms Perforce server and slurped the source for three of its largest titles: Cyberpunk 2077, Gwent, and The Witcher 3, as well as the latter's next-generation update.
Equally troubling, the attackers said they were able to exfiltrate documents from parent company CD Projekt's various administrative and business development departments. "We have also dumped all of your documents relating to accounting, administration, legal, HR, investor relations, and more," they wrote.
In a statement published to its Twitter feed, a defiant CD Projekt Red said it would not acquiesce to the demands or enter negotiations despite fears it may result in the public exposure of its internal data.
"We will not give in to the demands nor negotiate with the actor, being aware this may eventually lead to the release of the compromised data. We are taking necessary steps to mitigate the consequences of such a release, in particular by approaching any parties that may be affected due to the breach," it wrote.
CDPR added it had entered incident response mode, restoring encrypted systems from backups and tightening up the security of its IT infrastructure.
The studio also said it believed (albeit with the "to our best knowledge" caveat) that no personal information on customers was caught up in the leak.
While CD Projekt is best known for the AAA titles produced via its Red wing, it also dabbles in services, operating an online game marketplace called GOG. This platform competes directly with Steam, EA Origin, and the Epic Games Store albeit with a focus on DRM-free retro and indie titles.
Speaking to The Register, Javvad Malik, security advocate at KnowBe4, said the attackers had contrived their attack for shock value, with the encryption of company servers intended primarily to demonstrate their vulnerability.
"The ransom demands are interesting because the criminals know that the organisation can likely recover from backups. In this case, the ransomware itself isn't the issue – it's more of a statement to signal that they have breached the organisation," he said.
Calvin Gan, senior manager in F-Secure's Tactical Defence Unit, heaped praise on CDPR's transparency, adding that it helped strengthen their position against the attacker.
"CDPR in my opinion has done a good job in being transparent, where the statement was published almost immediately after discovering the breach. Transparency is key in demotivating attackers from having an upper hand in the negotiation process since the public already knows about the breach and is expecting further updates.
"[CDPR] indicated they are already in the process of restoring from backup. That is a good sign where they probably have routinely tested their backup, and is something organisations should also practice doing (not just having the backup but actually testing them)."
This view was shared by Jake Moore, security specialist at ESET, who said: "This is quite possibly the eventuality that CD Projekt have been expecting for quite some time. As frustrating as it must be, it appears that the company has the correct protocol in place to withstand such demands and upheaval by refusing to pay the attackers. All good businesses have critical redundancies in place to mitigate the risk and this can only be truly simulated by testing the backups regularly and red teaming the company."
Although it's not immediately clear how the attackers managed to penetrate CDPR's infrastructure, Iain Chidgey, Sumo Logic's EMEA veep, told The Register he suspects a poorly secured developer tool may have been the avenue of ingress.
"Based on the note shared by CD Projekt Red, this appears to be an attack on the company's software development process that led to the hackers getting in. Finding a tool that is not secured properly and then using lateral movement within the network to launch ransomware has become a more common approach for hackers, as it does lead to ransom payments. However, the note may not be telling the truth, and the issue may be elsewhere.
"Securing the whole software supply chain is a higher priority for companies of all kinds these days after the SolarWinds attack in late 2020. For companies where code is their product, this is even more important to get right. Putting strong observability processes in place can help in these circumstances to show where things are out of the ordinary.
Cyberpunk 2077: There's a great game within screaming to get out, but sadly it was released 57 years too earlyREAD MORE
"For games developers and publishers, protecting their operations involves securing game assets and IP alongside the cloud instances and services running the games instances. For the biggest games, the data volumes coming from players in the cloud leads to this being a machine readable problem and no longer a human readable issue. If we are able to observe our software supply chains and all the data loads created by online gaming instances over time, we can be more secure."
Timing's not great
Despite an eight-year development run, the game launched in a largely unfinished state, with stability and performance issues rife on current-gen consoles. Key features were also conspicuously absent, leading some to contrast the title with the infamous Fyre Festival.
These endemic issues prompted a flood of refund requests within the first few weeks, and led to the unprecedented move by Sony to withdraw the game from its PlayStation storefront. As a consequence, CD Projekt Red faces two class-action lawsuits from investors, as well as an investigation by Poland's Office of Competition and Consumer Projection.
The Register has asked CD Projekt Red to comment. ®