Riot Games cyberattack: League of Legends source code being sold online

Social engineering attack against Riot resulted in leakage of its assets

League of Legends source code stolen, now being sold online for $1 millionLeague of Legends source code stolen, now being sold online for $1 million

Last Friday, the gaming giant Riot Games announced that it had been hit by a social engineering attack and that development environment systems had been breached.[1] During the attack, source code for League of Legends (LoL), Teamfight Tactics (TFT), and legacy anti-cheat Packman was stolen.

At the time, the company swiftly announced the incident on Twitter, informing all potential players about it, and said that no content could be released for a brief period of time. It was also said that no personal user data was stolen by cybercriminals during the breach.

It now came out to light that the stolen data, which consists of the most popular game of the studio League of Legends source code and the anti-cheat software Packman, is being auctioned off online. Riot, after receiving a ransom demand, categorically declined to comply with cybercriminals' demands, which likely prompted them to begin selling out the stolen data immediately after that.

Experts commented on the issue and said that the huge ransom that this person behind Arka or ArkaT username in dark web forums demands is not worth paying. Even though the leaked LoL source code that is for sale online can lead to major issues, it is not worth dealing with hackers and cybercriminals at all.

Ransom note demanding $10 million

A security research group, XV-Underground,[2] has established contact with cybercriminals behind the Riot attack. According to a Tweet posted on January 23, the social engineering attack was performed via an SMS sent to one of the Riot's employees. The initial goal of the attack was to steal the source code for the current anti-cheat system Vanguard, although not everything went according to plan.

Once the network has been breached, threat actors moved laterally through it but were unable to get the Domain controller. The malicious activity was detected by Riot's SOC team 36 hours after the intrusion, which gave a lot of time for cybercriminals to perform other malicious actions. No malware was deployed during this time – perpetrators targeted valuable source code data of games and anti-cheat instead.

The next day, Riot announced that they had an update about the attack and claimed that they have received a ransom note via email. According to Vice, which managed to get a hold of a copy of the note, which reads the following:[3]

We understand the significance of these artifacts and the impact their release to the public would have on your major titles, Valorant and League of Legends. In light of this, we are making a small request for an exchange of $10,000,000.

To validate their claims, the hackers presented Riot Games with two bulky PDFs that demonstrated they could access the source code of Packman and League of Legends.

Hackers then say that if Riot agrees to pay the ransom, they will provide detailed information on how the cyberattack was conducted and would also give tips on how to prevent such attacks from happening in the future.

Gigabytes of source code sold on the underground forums

Riot immediately refused to pay the $10 million.[4] Soon after, the attacker behind the breach, known as “ArkaT,” on the underground forums posted an auction for the stolen data. They claim that they are willing to sell the Packman anti-cheat platform for $500,000, while the full stolen information would not be sold below the $1 million mark.

A link to a thousand-page PDF document containing a directory listing of the 72.4 GB stolen source code was included in the forum post, leaving evidence that suggests it is indeed authentic.

Riot claimed that the likelihood of cheats emerging due to this attack is high, but the company said it is ready to react immediately by deploying patches to related games as soon as possible:

Truthfully, any exposure of source code can increase the likelihood of new cheats emerging. Since the attack, we’ve been working to assess its impact on anticheat and to be prepared to deploy fixes as quickly as possible if needed.

While ransomware was one of the most common methods of money extortion, companies and businesses could restore files from backups – all companies which adhere to security procedures prepare backups on separate mediums, which hackers can't breach. Consequently, such attacks provided no benefits.

Now it seems like malicious actors are moving towards substantial data theft – this allows them to either demand a ransom from the victim or sell the data to the highest bidder on underground forums.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions

References
Files
Software
Compare