It seems that the cyber attack that compromised the systems of Polish game developer and publisher CD Projekt is having more serious consequences than initially thought.
The hack has been proven to be legitimate, with the ransomware group behind the attack already having leaked and sold some of the data they took from the servers. The full source code of Gwent, the popular virtual card game set in The Witcher universe, has already been leaked, and allegedly the source code of Cyberpunk 2077 was sold in an auction.
The cyber attack was recently disclosed by CD Projekt itself. The company gave a brief description of what happened and reassured fans that no user information was compromised and that the company had no intentions to negotiate with the attackers. The ransom note left by the group was also shared, which claimed that source codes for Cyberpunk 2077, Gwent, The Witcher 3: Wild Hunt and an unreleased version of The Witcher 3 were all lifted from the servers, alongside a number of financial and legal documents. The note threatened the company with selling and leaking the data if an agreement wasn't reached.
It seems both sides made good on their promise - CDPR did not contact the attackers, and the attackers began selling and leaking code. The group started an online auction for the Cyberpunk 2077 source code, with an initial price of $1 million and a buyout option for $7 million on a Russian hacking forum. They soon shut down the auction, claiming to have received a satisfactory offer from elsewhere. It is not clear who bought the source code, and for how much. It was revealed, however, that whoever purchased the code did so with the condition of "no further distribution or selling".
This was preceded by an 'open' leak one day prior when download links to an archive called "CDProject Leak #1" were posted on various hacking forums, containing the full source code of Gwent. While these links have since been disabled, many users have downloaded the contents worldwide. These include some cyber security firms and publications, including CyberNews.
CyberNews was able to determine based on included metadata that the code was lifted from the CDPR servers a full two days before the company became aware of the breach. The hackers included a readme file with information about the next leak, which would be tied to an auction.
While it isn't clear whether the reports of a sale are true - it may just be the hackers trying to inflate the value of subsequent auctions by making it look like there are wealthy interested parties already - this cyber attack is nonetheless sending big waves through the cyber security community. The identity of those who pulled it off is a major question, and Emsisoft chief technology officer Fabian Wosar believes they have identified the group responsible.
The amount of people that are thinking this was done by a disgruntled gamer is laughable. Judging by the ransom note that was shared, this was done by a ransomware group we track as "HelloKitty". This has nothing to do with disgruntled gamers and is just your average ransomware. https://t.co/RYJOxWc5mZ
— Fabian Wosar (@fwosar) February 9, 2021
As of now, Gwent and Cyberpunk 2077 have been leaked, but the hackers are still sitting on two versions of The Witcher 3 as well as legal, financial and HR documents. It isn't clear what will be the fate of these documents, but we'd guess that they will be put to auction in the coming days as well. CD Projekt Red stated that relevant authorities and experts were contacted when they announced the attack, but no updates on the investigation have been given since.
This damaging cyber attack comes after a string of other misfortunes that kicked off with the launch of Cyberpunk 2077. After multiple delays, the highly anticipated title was faced with major criticism at launch due to performance issues and game-breaking bugs. The state of the title led to one class action lawsuit, the delay of the free DLC program and a sharp drop in the stock price of CD Projekt. This was followed by another game-breaking bug being introduced by one of the patches intended to whip the game into shape, and the announcement of a security vulnerability that rendered mods dangerous to use - merely a week after the release of official modding tools.
Alongside a lawsuit, controversy and poor Cyberpunk 2077 sales on console, CD Projekt Red now also needs to deal with this security breach. Hopefully those responsible for the attack will be caught and prosecuted to the fullest extent of the law.