Hackers Stole Source Code from Electronic Arts and Are Selling It Online

Illustration for article titled Hackers Stole Source Code from Electronic Arts and Are Selling It Online

Photo: Kevork Djansezian (Getty Images)

Cybercriminals have hacked and stolen large amounts of data and code from Electronic Arts, the prominent gaming publisher responsible for producing The Sims, Battlefield, and a number of other classic games.


“We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen,” an EA spokesperson said in a statement provided to Gizmodo. “No player data was accessed, and we have no reason to believe there is any risk to player privacy. Following the incident, we’ve already made security improvements and do not expect an impact on our games or our business. We are actively working with law enforcement officials and other experts as part of this ongoing criminal investigation.”

The company did not say when the incident actually occurred.

A security professional shared a link with Gizmodo to the dark website where cybercriminals appear to be selling EA’s digital goods. According to the hackers, the cache is comprised of some 780GB of data, and includes full source code for the soccer game FIFA 21, as well as source code for the company’s game engine FrostBite—a core piece of software necessary for EA’s games to run properly.

Illustration for article titled Hackers Stole Source Code from Electronic Arts and Are Selling It Online

Screenshot: Lucas Ropek

First reported by Motherboard, the attack is one of several recent cyber incidents involving gaming companies. In November, the Japanese firm Capcom suffered a breach, leading to the potential compromise of data on hundreds of thousands of current and former employees and contractors. More recently, CD Projekt Red was hacked, leading to the theft of source code for some of the company’s biggest games—including Cyberpunk 2077 and The Witcher.

The motive here, like in many other cyberattacks, is financial: selling this kind of proprietary information on the dark web can net you big money. In the case of whoever hacked EA, they apparently only want offers from big, serious buyers. Motherboard reports that the hackers wrote in a dark web post: “Only serious and rep [reputation] members all other would be ignored.”

A Capitol Hill Tech Vendor Is the Latest Ransomware Victim

Illustration for article titled A Capitol Hill Tech Vendor Is the Latest Ransomware Victim

Photo: Win McNamee (Getty Images)

An email newsletter provider with dozens of customers on Capitol Hill has suffered a ransomware attack, the U.S. House of Representatives’ chief administrative officer confirmed Tuesday.


Punchbowl News was first to report that nearly 60 House offices from both parties were affected by an attack on iConstituent, a government-facing platform designed to help government officials reach out to the voting public. While the company is reportedly working with CAO Catherine Szpindor to resolve the issue, sources familiar with the matter told Punchbowl that there’s frustration from House members that want to, well, reach out to their constituents.

“The CAO is coordinating with the impacted offices supported by iConstituent and has taken measures to ensure that the attack does not affect the House network and offices’ data,” Szpindor said in a statement to Punchbowl, noting that the office “is not aware” of any House data being impacted by the breach thus far. The biggest problem, per Punchbowl’s report, is that these House members haven’t been able to access any of their constituent information “for several weeks.”

This attack is just the latest in a series of hacks that have kneecapped major U.S. businesses like the Colonial Pipeline and global meat supplier JBS. Last week, the White House began urging private companies to safeguard themselves against ransomware attacks in an open letter describing how “the private sector has a distinct and key responsibility,” in buffing the country’s cyberattack response.

While iConstituent’s site notes that the company has worked with “hundreds of government offices,” the homepage only features a few endorsements, including one from Pennsylvania Sen. Jay Costa and another from Oklahoma Rep. Frank Lucas. Gizmodo reached out to both of their offices for comment on the case. Illinois Republican Rep. Rodney Davis (also an iConstituent customer) told Punchbowl that he “understands there is some frustration at the vendor in question here.”

DOJ Seizes $2.3 Million in Cryptocurrency From Hackers After Colonial Pipeline Cyberattack

Illustration for article titled DOJ Seizes $2.3 Million in Cryptocurrency From Hackers After Colonial Pipeline Cyberattack

Screenshot: Lucas Ropek/U.S. Justice Department

Federal agents have tracked and seized over half of the $4.4 million ransom paid by Colonial Pipeline to the cybercriminal gang DarkSide following May’s cyberattack, the U.S. Justice Department announced Monday.


At a press conference, Deputy Attorney General Lisa O. Monaco said that the operation was coordinated with the help of the Justice Department’s newly created ransomware task force and that the investigation had effectively recovered a majority of the multi-million dollar crypto payment. In a press release, the DOJ said that agents were able to track “multiple transfers of bitcoin” which led them to the discovery of a crypto wallet holding “approximately 63.7 bitcoins,” or approximately $2.3 million. The “FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address,” officials said.

“The sophisticated use of technology to hold businesses—and even whole cities—hostage for profit is decidedly a 21st-century challenge. But the old adage ‘follow the money’ still applies,” said Monaco, during Monday’s presser. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks.”

The Colonial Pipeline ransomware attack, which took place on May 7th, not only temporarily crippled the operations of one of America’s largest oil companies; it also spurred a mini-energy crisis throughout the Southeast, while also engendering a large political response and alleged turmoil within the criminal underworld.

It’s unclear how the FBI ultimately got ahold of the key to DarkSide’s crypto wallet—or why, over a month later, the ransom hadn’t yet been transferred into fiat via a crypto exchange or dark market. However, CNN reports that after paying DarkSide, Colonial also took “early steps to notify the FBI and followed instructions that helped investigators track the payment to a cryptocurrency wallet used by the hackers, believed to be based in Russia.” We don’t have details on how exactly those steps ultimately helped law enforcement to track and seize the payment after it was made.

The announcement of the asset seizure comes as the federal government has signaled a much more targeted, strategic, and comprehensive approach to fighting the ransomware epidemic currently embroiling the country. Just last week, the Justice Department announced a new national strategy for investigating and pursuing leads in ransomware attacks.

“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” said FBI Deputy Director Paul Abbate, during Monday’s press conference. “We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”


DOJ to Treat Ransomware Hacks Like Terrorism Now: Here’s the Full Memo

Illustration for article titled DOJ to Treat Ransomware Hacks Like Terrorism Now: Here's the Full Memo


The U.S. Department of Justice plans to take a much harsher tack when pursuing cybercriminals involved in ransomware attacks—and will investigate them using strategies similar to those currently employed against foreign and domestic terrorists.


The new internal guidelines, first reported by Reuters, were passed down to U.S. attorney’s offices throughout the country on Thursday, outlining a more coordinated approach to investigating attacks. The new guidance includes a stipulation that such investigations be “centrally coordinated” with the newly created task force on ransomware run by the Justice Department in Washington, DC. That task force, formed in April, is currently developing a “strategy that targets the entire criminal ecosystem around ransomware,” including “prosecutions, disruptions of ongoing attacks and curbs on services that support the attacks, such as online forums that advertise the sale of ransomware or hosting services that facilitate ransomware campaigns,” the Wall Street Journal previously reported.

“To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking,” says the guidance, which runs just over three pages.

In response to a request for comment, the Justice Department provided the memo in full.

Illustration for article titled DOJ to Treat Ransomware Hacks Like Terrorism Now: Here's the Full Memo

Screenshot: Gizmodo/DOJ

“It’s a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain,” John Carlin, acting deputy attorney general at the Justice Department, told Reuters. “We’ve used this model around terrorism before but never with ransomware,” he added.

The announcement follows an ongoing and ever-intensifying cybercrime spree—in which larger and larger commercial and governmental entities have been hamstrung by cybercrime groups. The last several weeks have seen large companies—including JBS and Colonial Pipeline—paralyzed by hackers, throwing industrial supply chains that millions of Americans rely on into chaos.


Read the full DOJ memo below:


More: Supreme Court Issues Radical New Reading of Anti-Hacking Law

Someone Hacked the MTA

Illustration for article titled Someone Hacked the MTA

Photo: Mario Tama (Getty Images)

In late April, officials with the New York City Metropolitan Transportation Authority discovered that someone had penetrated several of the agency’s computer systems, exploiting a zero day vulnerability in the network’s VPN service as a way to get its foot in the door.


The transportation agency, which is responsible for operating a transit system whose daily ridership tops 5 million, discovered the intrusion attempt shortly after an announcement from federal authorities about a foreign hacking campaign targeted at Pulse Connect Secure, a VPN product. At the time, Pulse was widely used by state, local and federal government agencies.

The widespread hacking campaign is believed to have been at least partially the work of a sophisticated threat actor conducting espionage on behalf of China. While it’s unclear if that same actor attacked the MTA, the New York Times has reported that the hackers that targeted the transit agency are “believed to have links to the Chinese government.”

On Wednesday, MTA officials confirmed to Gizmodo that someone had exploited the Pulse security flaw to worm their way into MTA’s network, but that the hackers had apparently stopped short of stealing any data. In a statement, the agency said that three of its “systems” had been impacted by the attack, but did not elaborate on which systems they were or explain what that meant.

Separate forensic audits conducted by FireEye’s Mandiant and an IBM security team “found no evidence of account compromise, no employee information breached, no data loss or changes to our vital systems,” MTA officials said. No operational systems were affected by the attack either, they added.

In addition to post-incident audits, the Transportation Authority instituted several other security precautions — including “a forced migration off this VPN to other VPNs” and a requirement that some 3,700 employees and contractors change their passwords as an “extra layer of security,” officials said. In a statement provided to Gizmodo, Rafail Portnoy, the MTA’s Chief Technology Officer, reiterated that no data had been compromised as a result of the intrusion.

“The MTA quickly and aggressively responded to this attack, bringing on Mandiant, a leading cyber security firm, whose forensic audit found no evidence operational systems were impacted, no employee or customer information breached, no data loss and no changes to our vital systems,” said Portnoy.


News of the attempted attack comes during a veritable cyberattack blitz throughout the U.S., with many attacks targeted at critical infrastructure. While the hackers in this case don’t appear to have gained access to anything of real importance, the fact that such a system could be compromised in the first place is disturbing on its face.

The New York Times reports that an MTA document shows officials have expressed concerns that the hackers “could have entered those [MTA] operational systems or that they could continue to penetrate the agency’s computer systems through a back door.” Yes, if the idea of a cyberattack paralyzing the R line somewhere between Court Street and South Ferry discomfits you, let’s just hope that public agencies like the MTA have a forward-looking plan for how to make sure scenarios like that never become a reality in the future.


World’s Largest Beef and Pork Supplier Hit by Cyber Attack

The northern Australian offices of JBS Foods is seen during sunset in Dinmore, west of Brisbane, on June 1, 2021.

The northern Australian offices of JBS Foods is seen during sunset in Dinmore, west of Brisbane, on June 1, 2021.
Photo: Patrick Hamilton (Getty Images)

JB Foods, the world’s largest beef and pork processor, was hit by a cyber attack on Sunday that’s incapacitated systems in the U.S., Canada, and Australia according to a new report from Bloomberg News.


The global food giant hasn’t shared what kind of cyberattack it’s been hit with, but large global operations like this are often struck with ransomware, an attack that most commonly involves hackers stealing data, deleting it locally from a company’s servers, and demanding payment for the return of the data.

Another style of ransomware attack can involve hackers stealing sensitive data and threatening to release it publicly unless the ransom is paid. JB is keeping mum, but the company says its backup servers are fine and it’s working on getting back up and running.

As the Australia-based news outlet Beef Central notes, modern meat processing plants are heavily reliant on computers to keep their systems running. And while JBS hasn’t shared details about the attack, Beef Central says there are a lot of obvious questions about what’s going to happen to animal carcasses that will start to pile up.

Beef Central obtained a statement from JBS:

On Sunday, May 30, JBS USA determined that it was the target of an organised cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems. The company took immediate action, suspending all affected systems, notifying authorities and activating the company’s global network of IT professionals and third-party experts to resolve the situation. The company’s backup servers were not affected, and it is actively working with an Incident Response firm to restore its systems as soon as possible.

The company is not aware of any evidence at this time that any customer, supplier or employee data has been compromised or misused as a result of the situation. Resolution of the incident will take time, which may delay certain transactions with customers and suppliers.

It’s too soon to tell what kind of impact the cyberattack might have on consumers, but the sheer volume of meat processed by JBS in North America and Australia is staggering.

As Bloomberg points out, one JBS beef plant in Brooks, Alberta accounts for roughly a quarter of Canada’s entire beef production. The plant is currently offline. JBS is Australia’s largest beef, pork, and lamb processor, though roughly 70% of those products are shipped overseas, according to Bloomberg. All operations in Australia have also stopped and it’s not clear when they’ll get back online.


The publisher of Beef Central told Australia’s ABC News that it’s anyone’s guess when things could return to normal.

“It could be a day, it could be a week, it could be multiple weeks,” Beef Central’s Jon Condon said. “The longer it goes, the worse the situation in terms of supply and disruption”


Microsoft Says Russian Hackers Behind SolarWinds Currently Attacking Targets in 24 Countries

Russian President Vladimir Putin makes a video message to the participants of the Russian Congress on Pediatric Oncology on May 27, 2021.

Russian President Vladimir Putin makes a video message to the participants of the Russian Congress on Pediatric Oncology on May 27, 2021.
Photo: Sergei ILYIN / Sputnik / AFP (Getty Images)

The hackers behind the massive SolarWinds attack are currently trying to access the email systems of thousands in western governments, think tanks, and NGOs that may be opposed to the Russian government, according to a warning released late Thursday night by Microsoft.


The hackers, dubbed Nobelium by researchers, have targeted roughly 3,000 email accounts at more than 150 organizations, according to Microsoft. The hacking attempts were first identified in January of this year but they’re ongoing, according to the company.

“While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries,” Microsoft said in a statment. “At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work. Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020.”

One of the targets, according to Microsoft, was the Constant Contact account of the U.S. Agency for International Development (USAID), which is ostensibly designed for administering foreign aid and encouraging business development around the world.

“From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone,” Microsoft explained.

“This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network,” Microsoft’s statement continued.

Why would Russia want to go after USAID? Well, the agency has sometimes been used as an instrument of regime change, like when USAID secretly created a text-based version of Twitter for Cuba in 2010 during an effort to sow anger at the country’s leader Fidel Castro. The Associated Press broke that story in 2014 and Castro died in 2016.


But officially, Microsoft gave three reasons for the recent attacks:

First, when coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.

Second, perhaps unsurprisingly, Nobelium’s activities and that of similar actors tend to track with issues of concern to the country from which they are operating. This time Nobelium targeted many humanitarian and human rights organizations. At the height of the Covid-19 pandemic, Russian actor Strontium targeted healthcare organizations involved in vaccines. In 2019, Strontium targeted sporting and anti-doping organizations. And we’ve previously disclosed activity by Strontium and other actors targeting major elections in the U.S. and elsewhere. This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of these attacks by Nobelium on human rights and humanitarian organizations.

Third, nation-state cyberattacks aren’t slowing. We need clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violation of those rules. We must continue to rally around progress made by the Paris Call for Trust and Security in Cyberspace, and more widely adopt the recommendations of the Cybersecurity Tech Accord, and the CyberPeace Institute. But, we need to do more. Microsoft will continue to work with willing governments and the private sector to advance the cause of digital peace.


The SolarWinds hack was one of the worst attacks on computers in the U.S., dropping malicious code in some of the most sensitive computer systems run by the U.S. government and its contractors. Most people believe the SolarWinds attack was executed at the behest of Russian president Vladimir Putin, and Microsoft isn’t being very subtle with their new statement about who’s behind this latest attack.

Nobelium is coming for critics of Putin and they’re not giving up, at least if you believe Microsoft, which shouldn’t be a surprise. It’s just another day in the New Cold War.


Security Flaws Could Allow Hackers to Change Certified PDF Contracts

Saving PDFs from the print dialog in macOS.

Saving PDFs from the print dialog in macOS.
Screenshot: Gizmodo

Researchers recently discovered security flaws in PDFs that could allow a savvy hacker to surreptitiously manipulate or deface the contents of certified documents. While the vulnerabilities in question have already been patched by most reader applications, the new research provides a weird little look at how online goons could mess with your docs, should they be so inclined.


The flaws were discovered by academic researchers with Germany’s Ruhr-University Bochum and were recently presented at this year’s IEEE Symposium on Security and Privacy.

The security experts break down two specific exploits on their blog—dubbing them the Sneaky Signature Attack (SSA) and the Evil Annotation Attack (EAA). In both cases, the exploit hinges on manipulating the PDF certification process via flaws in the file’s specification. Specification governs the digital signature process and certification—which is the process by which a document is given the approval stamp for having come from a trustworthy, secure source.

Through these flaws, hackers can get inside the certification process, which allows for documents to be signed or otherwise altered via annotations or other edits. The exploits allow for a bad actor to “significantly alter a certified document’s visible content without raising any warnings,” as the researchers puts it.

“The attack idea exploits the flexibility of PDF certification,” they extrapolate. “Our practical evaluation shows that an attacker could change the visible content in 15 of 26 viewer applications by using EAA and in 8 applications using SSA by using PDF specification compliant exploits.”

Of course, why a hacker would want to go to the trouble to do this is somewhat unclear. They want to, uh, sneak a new clause into someone’s corporate contract, or maybe manipulate a CEO’s signature to make them look like a penmanship gremlin? I guess in some disturbed, hypothetical scenario, this tactic could be used as a far-out form of defamation—maybe by inserting offensive and/or bizarre content into a document to make its author look bad. While that seems like a lot of trouble to go to when the internet is a veritable treasure trove of casual character assassination methods, you never know!

Whether or not this is a practical attack for anyone to use, expect to hear the bitcoin people explaining why we need the blockchain.


FBI: Conti Ransomware Gang Behind Ireland Attack Also Hit 16 U.S. Health and Emergency Networks

Illustration for article titled FBI: Conti Ransomware Gang Behind Ireland Attack Also Hit 16 U.S. Health and Emergency Networks

Photo: Mandel Ngan (Getty Images)

The same hackers that took down the Irish health system last week also hit at least 16 U.S. medical and first responder networks in the past year, according to a Federal Bureau of Investigation alert made public Thursday by the American Hospital Association.


As first spotted by the security news site Bleeping Computer, the FBI Cyber Division said these hackers used the strain of ransomware known as Conti to target law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities in the U.S. Ransomware is a type of malicious software that breaks into a victim’s devices and encrypts their files so cybercriminals can then extort payment in exchange for restoring access.

The FBI didn’t name specific victims of these breaches or whether ransoms were successfully extorted, saying only that these networks “are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S.” It added that the latest ransom demands have been as high as $25 million.

The hackers that crippled the Irish health system are reportedly part of “Wizard Spider,” a sophisticated cybercrime gang based in Russia that’s been increasingly active in the past year. The group’s threatened to release patient records unless Irish authorities fork over $20 million.

For the last week, this ransomware attack has cut off access to patient records, forced medical facilities to cancel appointments, and disrupted covid-19 testing in the nation. Ireland’s minister overseeing e-government, Ossian Smyth, has called it “possibly the most significant cybercrime attack on the Irish state.”

Researchers Are Trying to Create an Unhackable Computer Processor

Illustration for article titled Researchers Are Trying to Create an Unhackable Computer Processor

Photo: THOMAS SAMSON/AFP (Getty Images)

The CPU is classically considered “the brain” of a computer because, like our own head, it contains all of the circuits responsible for receiving and executing commands. However, like the rest of a machine, CPUs are not infallible. In fact, they can be fairly easy to hack. Recent years have shown egregious examples of hardware vulnerabilities that allow for the sophisticated hijacking of machines. Most famously, researchers uncovered the security flaws “Meltdown” and “Spectre,” both of which were embedded in millions upon millions of chips, and therefore put data on a majority of the world’s computers at risk.


An academic research team at the University of Michigan is currently working on a way to stop these sorts of attacks from taking place, according to IEEE Spectrum. Led by computer scientist Todd Austin, the team is working on creating a new CPU design, dubbed “Morpheus,” that is basically hack-proof. Well, sorta. The new machine would hopefully stop a large percentage of attacks, said Austin in a recent interview with the publication.

In fact, recent testing of the machine showed that its defenses work phenomenally well. During a recent virtual bug bounty program sponsored by DARPA (the Defense Advanced Research Project’s Agency), a veritable army of 580 White Hat hackers spent 13,000 hours attempting to permeate its defenses and all were unsuccessful, IEEE reports. Austin describes his team’s creation this way:

Morpheus is a secure CPU that was designed at the University of Michigan by a group of graduate students and some faculty. It makes the computer into a puzzle that happens to compute. Our idea was that if we could make it really hard to make any exploit work on it, then we wouldn’t have to worry about individual exploits. We just would essentially make it so mind bogglingly terrible to understand that the attackers would be discouraged from attacking this particular target.

So how, exactly, does Morpheus block attackers? The short answer is encryption. Austin says his team is using a cipher, an algorithm that initiates encryption and decryption, called “Simon.” In this case, whatever Simon says, goes: it can “make the underlying implementation of the machine [i.e., the CPU]—the undefined semantics—change every few hundred milliseconds.” In other words, it constantly encrypts parts of the machine’s functions to obscure how it works, thus blocking potential hackers from being able to exploit it. In effect, this reconfigures “key bits” of the chip’s “code and data dozens of times per second, turning any vulnerabilities into dead ends for hackers,” according to the school’s engineering department. Austin put it this way:

The way we do it is actually very simple: We just encrypt stuff. We take pointers—references to locations in memory—and we encrypt them. That puts 128 bits of randomness in our pointers. Now, if you want to figure out pointers, you’ve got to solve that problem…When you encrypt a pointer, you change how pointers are represented; you change what the layout of the address space is from the perspective of the attacker; you change what it means to add a value to a pointer.

So… that makes sense? While this encryption shield doesn’t stop things like SQL injections or more sophisticated attacks, it does prevent what Austin says are “low-level attacks,” or remote-code execution attacks (RCEs)—whereby bad actors can insert malicious programs into a machine via security flaws apparent in its programming. By obscuring how that programming functions, Morpheus is taking away much of the opportunity for such attacks to occur.

While all of this may fly over most people’s heads, the basic point is that in the not-too-distant future, we may have machines that are virtually impervious to your run-of-the-mill hardware exploits. With the cyber-maelstrom that’s been going on in the U.S. and the world lately, I think that’s something we can all get on board with.