In early June of 2021, Electronic Arts (EA) was breached and data was taken by a group of hackers. Much of what was taken was reportedly linked to source code for games like FIFA 21 or the Frostbite engine as a whole.
The hackers themselves had been advertising that the data they obtained would be for sale to well-known members of their communities.
Electronic Arts and their spokesperson claimed the data was solely based on source code, and player data was untouched.
However, what aspect of the source code was stolen or if that can affect the personal computers of online users is still up in the air. Jim Gogolinski, iboss Vice President of Research and Intelligence, broke down the breach of information that Electronic Arts experienced and what impact it may have going forward.
Potential impact of the Electronic Arts data breach
Though EA has claimed that no data was accessed, would they legally be allowed to hide it if the information was accessed?
Since EA is a publicly traded company, if they uncovered information that was deemed pertinent to their business, they are required by law to note it in one of their SEC filings.
If it is immediate then they would have to file a form 8-K and at the very least, they would need to include it in their annual 10-K.
Currently, there is no federal law on the books that requires disclosure of a data breach. There have been bills proposed but none have been ratified or signed into law.
Most states do, however, have laws on the books requiring notification of data theft. California was the first state to adopt data leakage laws in 2002 and most states follow their laws.
Since EA has its headquarters in California, they would be required by state law to disclose (if they are aware).
What did the attackers mean by having information that would allow for full exploitation?
Since the attackers have access to the source code of the games and other tools, this gives them an advantage in that they can review the code for ways to take advantage of bugs or flaws in the software.
This may give them the chance to generate a remote code execution exploit whereby the attackers could send specific data to a victim’s computer (these are online games) to allow the attackers to take control of the system.
If the attackers gained access to the server side, the software hosted by EA, then these exploits could allow them back in and possibly give them a way to access customer’s systems.
That being said, you have to be careful about what hackers post on the underground: they have been known to exaggerate, especially since they are trying to sell the source code.
Is it possible for them to have access to projects within EA, beyond what was announced at E3?
There really is no way of knowing. As mentioned earlier, incident response investigations take time and more data may become available. It may also be that EA discovered the attackers and were able to get them out of their system before they could gather more data.
There really is no way to confirm unless you are involved in the actual investigation.
How severe is the scale of the attack from an outside perspective?
Not a lot of details have been made publicly available regarding the attack, so it is hard to say. 780GB is a fair amount of data but there was no mention of over what timeframe this data was exfiltrated.
The attackers could have used something trivial like spear-phishing or found some leaked credentials that gave them access to EA’s network. Since there is no indication of the attackers or the techniques, tactics, and procedures (TTPs) used, we cannot assess the skill level of the attackers with any confidence.
There are good open source tools that could be used to help with lateral movement once the attackers got inside of EA’s network. From a business perspective, the scale of the damage from the attack really depends on the actual data stolen.
Would the attackers have gone after player data or internal data about EA as a company?
This would depend on the attackers and their motivation. In this case, it appears as though this was not a typical ransomware attack, rather the attackers have stolen source code and are reported to be offering it up for sale underground.
This could imply that the attackers were only after the data they received, or that EA’s security team discovered them before they were able to spread the actual ransomware within the network – there’s no way to know with the data we have available.
Selling stolen code is more financially lucrative than selling leaked credentials but also makes for more tricky financial negotiations. Taking data on EA itself would be more likely if this were a ransomware attack; however, the code itself is likely worth a lot more than any internal company data.
The code is the crown jewel of EA’s business.
How can EA counteract this quickly?
From an exploitative perspective, EA will need to do their own internal security review of the code that was leaked, seeking the same things attackers would be looking for.
They will need to patch the code immediately and get these updates out into the customer’s hands as soon as it is feasible.
As for the code itself being for sale, there is nothing that EA can do about that. They are working with law enforcement, but it is highly unlikely that they will be able to stop the sale of the code by the attackers before any law enforcement investigation is able to be completed.
In this case, it really is not much different than extortion ransomware, the data has left EA to not return.