Threat actor Lapsus$ is now seemingly responsible for hacking gaming giant Rockstar Games after targeting mega-brands like Microsoft, Cisco, Samsung, Nvidia, Okta and probably Uber.
An account operating name ‘teapotuberhacker’ posted on GTAForums around 90 videos of what appeared to be in-development footage of the upcoming Rockstar Games installment, Grand Theft Auto 6 – that the publisher confirmed it was working on earlier this year.
The videos, which totaled around 50 minutes of footage, included short clips of animation tests to more detailed animation scenes. They were then widely shared on social media.
After posting the alleged in-development footage on September 18, 2022, teapotuberhacker left a message claiming they wanted to “negotiate a deal” with the game publisher to return unreleased data, including the source code for Grand Theft Auto 5 and the in-development version of Grand Theft Auto 6.
“This is not the first case where a cyber-criminal group has stolen an organization’s source code, with both LastPass and Midea Group suffering a similar fate in the last month. Source code is part of a company’s intellectual property and therefore holds massive value to cyber criminals. It can be used to find hidden security vulnerabilities and launch further attacks on a business,” Sam Linford, VP of EMEA Channels at Deep Instinct, told Infosecurity.
However, in a message to Infosecurity on September 19, Craig McDonald, VP of Product Management at BackBox, insisted that at present, “it is still unclear if the attacker gained access to data beyond the video clips that were posted.”
Rockstar Games and its parent company, Take-Two Interactive, acknowledged the leak on September 19, 2022.
In a statement posted to Twitter, Rockstar said: “We recently suffered a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto. At this time, we do not anticipate any disruption to our live game services nor any long-term effect on the development of our ongoing projects. [..] Our work on the next Grand Theft Auto game will continue as planned, and we […] will update everyone again soon and, of course, will properly introduce you to this next game when it is ready.”
Take-Two has issued takedown notices to GTAForums and social media accounts, including YouTube and the GTA subreddit. The original GTAForums thread started by teapotuberhacker was removed, then relaunched with all links and GTA 6 details removed, reported The Guardian.
Lapsus$ gang buoyant in recent months
It appears that teapotuberhacker gained administrative access to the Rockstar Games internal network after an employee clicked on a malicious email. The threat actor was then able to download the videos from the staff members’ Slack channels – a similar method was used in a recent Uber data breach, which teapotuberhacker also claimed responsibility for.
In a September 19 update, Uber said the culprit could be linked with the Lapsus$ hacking gang that has been particularly active recently, reportedly targeting tech companies such as Microsoft, Cisco, Samsung, Nvidia and Okta.
“This cyber-attack should serve as the catalyst to change mindsets and attitudes towards cybersecurity,” said Linford, “Breaches like this show us that it is more important than ever to implement preventative measures: evaluate cyber-secure strategy and policies, accurately estimate, and quantify the impacts of a cyber-attack and the impact on the organization in the case of data leak and prioritize the protection of data. Organizations need to take preventive measures that stop cyber-attacks before they breach the network. Businesses need a line of defense which can stop these attacks before they have time to execute, let alone steal data.”
Meanwhile, McDonald added, “To be secure, all the infrastructure devices in an organization’s network must have the latest operating systems and patches and be configured in compliance with internal security policies as well as government and industry regulations.
Unfortunately, these preventative measures often take a back seat to more pressing network management tasks, McDonals said.
"Companies should invest in network security automation to ensure a continuous motion for upgrades and patches. Implementing a baseline for proper automation will ensure that these tasks are running consistently and reliably and can deter future data-compromising attacks from accessing critical and confidential information," McDonald concluded.