Recent events illustrate that the e-gaming industry—developers, publishers, esports leagues and teams, and the financial machinations behind them—is a significant target for cyberattacks, theft and cyber-criminality. Recently, U.S. law enforcement linked the Lazarus Group, which is reported to be connected to the North Korean government, to the $540 million hack of Axie Infinity (an online game). As reported by The Wall Street Journal, the U.S. Treasury Department's Office of Foreign Assets Control reported that the "Lazarus Group is the owner of the cryptocurrency address used in the hack."
Another major video game developer and publisher experienced a cyberattack reportedly resulting in the exfiltration of more than three-fourths of a terabyte of data. The exfiltrated data reportedly includes source code, software development kits and game engines. News reports indicate that the threat actors accessed the system through Slack channels, stolen authentication cookies and (apparently) a well-executed spear phishing attack to secure multifactor authentication tokens. Simultaneously, other recent reports have described malware hiding in gaming platforms through profile images, similar to malware injection through website favicons.
Meanwhile, esports has become big business and mainstream, with huge amounts of data and significant capital transactions. A League of Legends tournament was featured in the Netflix documentary 7 Days Out, and Sports Illustrated's July 2021 cover story was about an esports team. Even the Olympics reportedly is considering including esports.
The combination of threat actors looking toward the video game industry and the rise of esports indicates how important it is for the industry and esports platforms and leagues to increase their cybersecurity awareness. As with other technology developments, the risk is ever present to the individual, in their home, to their personal computing devices and to their financial accounts. As presently situated, the industry and esports present attractive targets to cyber threat actors. The following are a few examples of areas that need significant attention.
First, attackers may seek player or subscriber account information. Many games today—from MMORPGs and Web3-based platforms to sports and real-time strategy games, and everything in between—include online play or DLC components. For those, the publisher may be collecting significant amounts of information about the players—information with significant market value to marketers and threat actors, such as payment information, geolocation, crypto addresses, or other personal information valuable for phishing and other social engineering attacks against individuals and their employers. Recent news reports about posting social media profiles to websites for use in social engineering attacks underscore this risk.
Second, attackers could seek to use video games to deploy and execute malicious code. As seen with the methodology behind 2020's SUNBURST attack, insecure video games could be an attack vector for threat actors through malicious code injection. For video games that run on personal computers or smartphones, the malicious code could be used to access non-game data stored on the device once the malicious code has access to the device through local execution. (Given graphics needs, it may be difficult to run the game in a sandbox.) The malware reportedly hidden in gaming platform profile images appears to contain code that checks whether a particular business communication platform is installed; a threat actor might seek to access confidential business information exchanged using that platform and stored on the local device.
Games offered only for play on a dedicated gaming device may still remain attractive targets. Attackers may seek to infect the device with botnet code to execute attacks on other devices or computers. Or the malware could open a back door into a closed network by executing inside the firewall and modem on a home network and delivering payloads to other devices on the local network, including computers and smartphones, without the added defenses of execution outside of the local network.
Third, attackers could discover vulnerabilities to be exploited in league esports play. As with any game or sport, it is important for the success of the franchise that the playing field is viewed as fair and clean and free of corruption. Esports already have anti-doping programs. If an esports team could gain access to stolen game source code or game engines, it may be able to develop unknown tactics to exploit logic errors in the game. This should be expected; it happens in all sports. Baseball has a long history of sign stealing and modifying game gear, and football teams have been accused of manipulating the playing surface or adjusting the air pressure in the ball. Further growth of esports requires ensuring that confidential source code and game engines are not used to exploit errors in league play. Similarly, with the increased popularity of online gambling, exploiting vulnerabilities discovered through cybersecurity incidents could be used for match fixing. Both exfiltrated exploits and match fixing could impact the further development and growth of esports.
Fourth, a high-profile esports event may be a valuable target for a disruptive attack, such as malware. If an esports league's systems were disrupted by ransomware on the eve of the finals, the league may face higher pressure to promptly pay the ransom so the finals can proceed. It is possible that esports leagues (or teams) could be viewed as better targets because, unlike hospitals and the like, threat actors may view esports as apolitical and unlikely to violate any purported "codes of conduct." Esports is not (yet) like soccer or other sports with national teams that may dissuade nation-state-affiliated threat actors from interfering.
In short, the gaming industry and esports present attractive targets to threat actors for many reasons. The backbone participants must address cybersecurity concerns seriously, and each must ensure it has a robust and established security and compliance program to reduce and mitigate potential risk and vulnerabilities.