Incident Name: Riot Games Jan 2023
Date of Incident: January 20th, 2023
Summary: Riot Games is an American video game developer and publisher, most famous for the games League of Legends and Valorant. The company reported on January 20th via their Twitter page that their development environment had been compromised in a social engineering attack. They do not believe player data or personal information was compromised. However, as a result of this attack, the company is unable to release content, which will impact their future patching release cycles for their popular games. Further details on the attackers’ methods and Riot Games’ response to this hack will be released by Riot Games in the future.
24/01/2022 Update: On January 24th, Riot Games released an update and stated that the attacker had managed to exfiltrate source code for their games League of Legends, Teamfight Tactics, and a legacy anti-cheat platform. The company confirmed that while no personal data was compromised in this attack, the source code breach would impact future releases and increase the likelihood of cheats emerging in the game. The company also revealed that they had received a $10 million ransom demand from the hacker. The online magazine Motherboard obtained a copy of this ransom note from the Telegram channel the hacker set up to communicate with Riot Games employees. In the note, the hacker provides proof that they have the source code and states that if the ransom is paid, they will delete all data from their servers and provide information on how they were able to breach Riot Games. The company, however, is refusing to pay the ransom.
25/01/2022 Update: On January 25th, VX-Underground posted on Twitter that they had spoken with the individual responsible, who revealed how the breach happened. The hacker stated that they socially engineered a Riot Games employee via SMS in order to gain access to the company’s network.
Potential Key Social Engineering/OSINT Themes:
- Recon – Riot Games employee information harvested. The hacker leveraged an exposed employee phone number to conduct a social engineering attack.
- Smishing – In this form of attack, the attacker sends a phishing SMS message to the target which prompts them to click on a malicious URL that looks like a legitimate domain. Once the user clicks, they are prompted to enter their valid credentials which the hacker can then use to gain unauthorized access.
Note: We have made assumptions based on information currently available and official confirmation from Riot Games on how the attack unfolded is required.
- User social engineering awareness training
- Identify and block newly registered domains similar to your org’s. This way, if one is used in an attack (e.g., a user clicks a link to it), the request to the domain is blocked.
- Monitor for expiring domains which could be leveraged for the above.
- Securely configure MFA on all accounts, using physical FIDO2 compliant tokens as another factor of authentication where possible.
- Regularly review any external facing components to understand exposure. Allow those that are trusted, remove those that are not, and ensure MFA is securely configured for all accounts.
- Ensure DNS DMARC settings are enforced to mitigate against impersonation attacks either on yourself or against a trusted 3rd party.
- Regularly audit employee access against the principle of least privilege (including offboarding).
- Regularly audit 3rd party access against the principle of least privilege.
- Monitor and remove sensitive information disclosure.
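One way to act on the look-alike domain item above is to triage a feed of newly registered domains against your own name before they reach the DNS or proxy blocklist. This is an added example, not part of the original write-up; the organisation domain, the fold table, the sample feed and all function names are constructed assumptions.

```python
# Added example; ORG_DOMAIN, HOMOGLYPHS and SAMPLE_FEED are constructed assumptions.
ORG_DOMAIN = "examplegames.com"  # hypothetical organisation domain
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
SAMPLE_FEED = ["examp1egames.com", "examplegames-sso.net", "exampelgames.com",
               "examplegames.org", "samplegarden.com", "examplegames.com"]

def label_of(domain: str) -> str:
    """Second-level label; assumes a single-label TLD (no co.uk handling)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def fold(label: str) -> str:
    """Collapse common visual tricks so look-alikes compare equal."""
    label = label.replace("-", "").translate(HOMOGLYPHS)
    return label.replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, org_domain: str = ORG_DOMAIN, max_dist: int = 2):
    """Return why a domain should be blocked or reviewed, or None if benign."""
    if domain.lower().rstrip(".") == org_domain:
        return None  # the organisation's own domain
    raw, org = label_of(domain), label_of(org_domain)
    cand, target = fold(raw), fold(org)
    if raw == org:
        return "same-name-other-tld"
    if cand == target:
        return "homoglyph"      # identical once digits/hyphens are folded
    if target in cand:
        return "embeds-brand"   # brand plus a suffix such as "sso" or "login"
    if edit_distance(cand, target) <= max_dist:
        return "typo"
    return None

def triage(feed):
    """Map each suspicious domain in the feed to the reason it was flagged."""
    return {d: r for d in feed if (r := classify(d))}

if __name__ == "__main__":
    for domain, reason in triage(SAMPLE_FEED).items():
        print(f"BLOCK {domain}\t{reason}")
```

Short brand names produce many edit-distance false positives, so lower `max_dist` or route the "typo" class to review instead of automatic blocking.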
Industry: Video Games
Motivations: Financial Gain
- Rockstar 2022
- 2k Games
Breach Notice/Company Notice:
- Other Sources https://securityaffairs.com/141171/cyber-crime/riot-games-hacked.html