CD Projekt Red has revealed its servers were compromised in a targeted cyber attack, but even the hacker seems to acknowledge there isn’t much to accomplish.
If you’re new here, you might enjoy our companion podcast, GameDev Breakdown!
In a tweet just over 12 hours ago, CD Projekt Red notified followers that some of its network devices had been maliciously encrypted in a security breach. While CDPR does not believe player data has been compromised, it acknowledges that data belonging to CD PROJEKT capital group has been collected.
The full text reads:
“Yesterday we discovered that we have become a victim of a targeted cyber attack, due to which some of our internal systems have been compromised.
An unidentified actor gained unauthorized access to our internal network, collected certain data belonging to CD PROJEKT capital group, and left a ransom note the content of which we release to the public. Although some devices in our network have been encrypted, our backups remain intact. We have already secured our IT infrastructure and begun restoring the data.
We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data. We are taking necessary steps to mitigate the consequences of such a release, in particular by approaching any parties that may be affected due to the breach.
We are still investigating the incident, however at this time we can confirm that — to our best knowledge — the compromised systems did not contain any personal data of our players or users of our services.
We have alread approached the relevant authorities, including law enforcement and the President of the Personal Data Protection Office, as well as IT forensic specialists, and we will closely cooperate with them in order to fully investigate this incident.”
The ransom note, found in a file titled “read_me_unlock” contained the following:
“Hello CD PROJEKT
Your have been EPICALLY pwned!!
We have dumped FULL copies of the source codes from your Perforce server for Cyberpunk 2077, Witcher 3, Gwent and the unreleased version of Witcher 3!!!
We have also dumped all of your documents relating to accounting, administration, legal, HR, investor relations and more!
Also, we have encrypted all of your servers, but we understand that you can most likely recover from backups.
If we will not come to an agreement, then your source codes will be sold or leaked online and your documents will be sent to our contacts in gaming journalism. Your public image will go down the shitter even more and people will see how you shitty your company functions. Investors will lose trust in your company and the stock will dive even lower!
You have 48 hours to contact us.”
CDPR stated in the announcement it will extend no offering to the hacker(s) and will not attempt to negotiate. While some companies do actually make payments for decryption keys–and some even get them–this is not a surprise. Paying a hacker never provides a guaranteed solution to a breach, and some government agencies are even moving to make it illegal to do so. CDPR didn’t reveal what exactly the hacker wants (or how the parties are supposed to communicate), but it seems clear there won’t be an exchange. This directs all attention to the leverage the hacker claims to have and the actions threatened for later this week.
The first prize the hacker mentions is a full copy of CDPR’s source code repositories, fresh from its Perforce server. This may include the full source code for the just-released Cyberpunk 2077, The Witcher 3 (and an unreleased version?), and Gwent. While this server may be included in those the hacker encrypted, said hacker is quick to acknowledge that CDPR will undoubtedly just restore it from backups, likely resulting in little damage. In fact, the biggest realistic impact of the source code leak would simply be embarrassment to the company. Nintendo suffered what was arguably a much more interesting leak last year resulting in the release of secrets held for decades and, while fans were thrilled to poke around in files not meant for them, many preservationists don’t even want to touch it. The hacker’s phrasing, “sold or leaked online,” seems to let on that they realize bringing in a payday for the stolen code is unlikely.
Next up: the hacker claims to have grabbed “all of [CDPR’s] documents relating to accounting, administration, legal, HR, investor relations, and more.” While this naturally bears potential for more embarrassment, it would be a hell of a lot scarier at a studio that wasn’t already recovering from scores of employees talking to press and content creators and gearing up to defend against several lawsuits, during which even more unflattering details will come to light. Make no mistake–we’ll get plenty of jaw-dropping quotes and snippets if these documents are leaked, but the hacker is threatening a D- reputation with an F.
Within 48 hours, the hacker vows to leak CDPR’s source code before sending internal documents to their “contacts in gaming journalism.” The latter point is an odd flex. No shortage of journalists would jump to receive leaked documents–you don’t need to be old college buddies with Jason Schreier or anything. CDPR’s public image will “go down the shitter even more and people will see how [their] shitty company functions,” the hacker says. “Investors will lose trust in [their] company and the stock will dive even lower!” The point about investors seems ineffective in light of the suit they’ve already filed against the studio.
Ultimately, the CDPR hack seems more like the wrath of one or more Cyberpunk pre-orderers than a money grab by career scammers. Whatever the case, it’s going to be an interesting couple of days around the web.