Electronic Arts (EA) is one of the world’s most well-known publishers of video games for PC, mobile and consoles. Some of its most popular games include EA Sports UFC, FIFA, Battlefield, and The Sims.
In June 2021, this massive player in the gaming industry took a bit of a stumble: It was hacked.
But aren’t hacking incidents commonplace now?
Yes, they are.
Then why did the attack on EA make such waves?
Three words: stolen source code.
The source code is the fundamental component of any software program. It is created by software programmers and developers using a programming language like Python, Java, C#, HTML, Ruby, etc. Once the source code is written, it is run through a “compiler”, which is a software program that converts source code into machine code (also known as object code) that a computer can understand and execute. Simply put, the source code is the before component of a compiled program, and the object code is the after component.
The source code is the crux of any software or application. Without it, the product would not exist. That’s why it’s such a critical asset for any software development (or gaming!) company.
Source code can be proprietary or open. With the former, the user does not have access to it, so they cannot modify or customize it. Open source code can be downloaded, modified and customized.
EA’s source code is proprietary and ring-fenced, which means that a portion of the company’s assets or profits is financially separated and therefore not freely provided or distributed to users.
But is ring-fencing the same as protecting?
Going by the June 6th theft of EA’s source code, the answer would be NO.
On June 6, hackers claimed that they had obtained 780 GB of data from EA, including the source code for Frostbite, the game engine that powers many EA video games like FIFA, Madden, and Battlefield. They also claimed that they could offer “full capability of exploiting on all EA services.”
According to EA, player data was not compromised, so their privacy was unaffected. While this is good news, it doesn’t quite minimize the bad news.
Anyone with access to this stolen source code could potentially copy it to create hacks for EA’s games. Since it would allow them to identify ways to bypass protection, they could create game cheats and cracks, and then sell them for profit.
They could also identify exploitable vulnerabilities in the code, and then sell it on the Dark Web to cybercriminals, hacktivists, rogue nations, and other malicious threat actors. In fact, the hackers did threaten to auction the code on the Dark Web, rather than demanding a ransom not to publish it.
For any company where its source code is a prized digital asset, losing it to a hacker results in the loss of crucial intellectual property. Hackers can also use it to launch attacks in other ways. For example, they can tap into a game’s core functions to build tools that let them impersonate the game company’s staff. Then they can send phishing emails to gamers to access and exploit their accounts or credentials, or to sell them on the Dark Web. They could even distribute alternate versions of malware-infected games to gamers. This not only affects gamers, but also impacts the company’s reputation and financial health.
And far beyond the games themselves, live services like updates, subscriptions and in-game purchases are also lucrative sources of revenue for these companies. Such services are also vulnerable to hackers who can engineer attacks by analyzing a game’s source code.
In 2020, the videogame industry generated more revenues than the North American sports industry and the global movie industry combined. EA said that they didn’t expect this attack to have a huge impact on their business. And yet, there’s a lot of equity at stake in the gaming industry, so game creators like EA cannot afford incidents involving stolen source code.
Most modern development teams conduct a source code review to find vulnerabilities overlooked during initial development, such as encryption errors, SQL injection, XSS (cross-site scripting) vulnerabilities, buffer overflows, etc. But while source code review is a useful (and indeed, crucial) step in the development lifecycle, it is not without its drawbacks. A source code review cannot find every vulnerability like misconfiguration errors, weak authentication, logical errors in assigning role-based access, and search engine indexing. To find such potential risky issues, penetration testing is required.
Both source code testing and pen testing are effective ways to check the quality of the application code and find and fix more vulnerabilities. So for organizations aiming to avoid EA-like stolen source code situations – it’s best to conduct source code testing and pen testing together.
If you’re looking for expert source code testing or pen testing services, contact us for a free quote.
September 27 - Blog
InfoStealer malware plays a key role in many cyber attacks, enabling extortion and lateral movement via stolen credentials. Learn the fundamentals about InfoStealers in this article.
September 26 - Blog
Blackwood APT uses AiTM attacks that are set to target software updates. Is your organization prepared? Learn more in today's blog.
August 15 - Blog
It's official: Packetlabs is a partner and attendee of Info-Tech LIVE 2024 in Las Vegas. Learn more about event dates and registration today.