The EA Breach: Social Engineering, Not Ransomware
June 14th, 2021
In our latest white paper we discuss the evolution of ransomware and the growing threat of data leakage. The EA breach is certainly an example of data leakage, but the attack was not ransomware-related. Instead, it was a case of purchased Slack session cookies followed by social engineering.
According to the hackers, the intrusion began with the purchase of stolen authentication cookies, on sale online for $10, which they then used to gain access to a Slack channel used by EA.
From there, social engineering took over:
- Once inside the chat, the hackers messaged IT Support and explained they'd lost their phone, and requested a multifactor authentication token - which worked, two times.
- Once inside EA's network, the hackers found a service for EA developers for compiling games.
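The two steps described above, a stolen session cookie replayed from a new machine and an MFA reset handed out by support followed by a login from a device the user had never authenticated from, both leave traces in ordinary access logs. The following detection logic is an added example written for this article, not code from EA, Slack or Motherboard; the JSON log lines and their field names (`session`, `ip`, `ua`, `mfa_reset`) are constructed for the demonstration and are not any real Slack audit-log schema.

```python
"""Flag (1) a session ID used from more than one client fingerprint and
(2) a support-driven MFA reset followed within a short window by a login
from a fingerprint that has never authenticated for that user before."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed field names; not real EA or Slack data).
SAMPLE_LOG = """
{"ts": "2021-06-05T09:00:00Z", "event": "login", "user": "dev1", "session": "s-4821", "ip": "203.0.113.10", "ua": "Chrome/91 Windows"}
{"ts": "2021-06-05T09:30:00Z", "event": "request", "user": "dev1", "session": "s-4821", "ip": "203.0.113.10", "ua": "Chrome/91 Windows"}
{"ts": "2021-06-06T02:10:00Z", "event": "request", "user": "dev1", "session": "s-4821", "ip": "198.51.100.77", "ua": "Firefox/89 Linux"}
{"ts": "2021-06-06T02:15:00Z", "event": "mfa_reset", "user": "dev1", "actor": "it-support", "ip": "198.51.100.77", "ua": "Firefox/89 Linux"}
{"ts": "2021-06-06T02:20:00Z", "event": "login", "user": "dev1", "session": "s-9003", "ip": "198.51.100.77", "ua": "Firefox/89 Linux"}
{"ts": "2021-06-06T08:00:00Z", "event": "login", "user": "dev2", "session": "s-5100", "ip": "203.0.113.22", "ua": "Chrome/91 macOS"}
{"ts": "2021-06-06T08:05:00Z", "event": "request", "user": "dev2", "session": "s-5100", "ip": "203.0.113.22", "ua": "Chrome/91 macOS"}
"""

RESET_WINDOW = timedelta(minutes=30)  # assumed tuning value


def parse(log_text):
    """Parse one JSON object per line and return events sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def fingerprint(e):
    """Coarse client fingerprint (IP + user agent), hashed so alerts do not
    echo raw values."""
    return hashlib.sha256(f'{e["ip"]}|{e["ua"]}'.encode()).hexdigest()[:12]


def replayed_sessions(events):
    """Session IDs presented from more than one client fingerprint: the
    signature of a cookie bought and replayed from another machine."""
    seen = defaultdict(set)
    for e in events:
        if "session" in e:
            seen[e["session"]].add(fingerprint(e))
    return sorted(sid for sid, fps in seen.items() if len(fps) > 1)


def suspicious_mfa_resets(events):
    """(user, reset_time) for each MFA reset that is followed within
    RESET_WINDOW by a login from a client that never completed a login for
    that user before the reset.  Only prior *logins* build the baseline, so
    a replayed cookie seen minutes earlier does not launder the new device."""
    known = defaultdict(set)
    hits = []
    for i, e in enumerate(events):
        if e["event"] == "login":
            known[e["user"]].add(fingerprint(e))
            continue
        if e["event"] != "mfa_reset":
            continue
        baseline = set(known[e["user"]])
        for later in events[i + 1:]:
            if later["ts"] - e["ts"] > RESET_WINDOW:
                break
            if (later["user"] == e["user"] and later["event"] == "login"
                    and fingerprint(later) not in baseline):
                hits.append((e["user"], e["ts"]))
                break
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("replayed sessions:", replayed_sessions(evs))
    print("suspicious MFA resets:", suspicious_mfa_resets(evs))
```

Run against the constructed log, the first check flags `s-4821` (used from the developer's Windows/Chrome client and then from a Linux/Firefox client), and the second flags the reset for `dev1`, because the login five minutes later comes from a fingerprint that had only ever been seen replaying the stolen cookie, never logging in. In production the fingerprint should come from whatever device identity the IdP records (device ID, certificate, or at least ASN plus UA) rather than a raw IP.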
EA confirmed to Motherboard the broad outline of the hackers' account of the breach.
According to EA: “No player data was accessed, and we have no reason to believe there is any risk to player privacy.”
The hackers also provided Motherboard with a series of documents they say were stolen as part of the hack. They include material on PlayStation VR.
EA Breach Activity on the Dark Web
Some threat-actor context, from IntSights research:
- Leakbook is the user who published the EA breach on RAIDFORUMS.
- KickAss_Forum is the user who published the EA breach on Exploit.IN.
- Leakbook is also the user who published the KickAss comeback notification on RAIDFORUMS.
- Leakbook also published a post offering a full backup (24GB) of one of the biggest e-commerce markets in the UK.
It looks like Leakbook and KickAss_Forum are the same actor, possibly a moderator of the well-known cybercrime forum "KickAss" (the handle's likely namesake), which was relaunched a few months back after an offline period.
And here is the chronology of the data publications:
- RAID FORUMS (English): June 6, 10:01 (Israel time)
- Exploit.IN (Russian): June 6, 12:20 (Israel time)
What Cyber Threat Intelligence Tells Us
Digital browser identities have been sold on the dark web for some time now. Since 2019, IntSights has seen this type of market on the rise; today there are far more "identity marketplaces" than before.
Buying an "identity package" and impersonating a specific user in full, including their financial accounts, social media profiles and, as seen in the EA case, organizational apps, can be achieved for as little as $10 plus a few easy-to-obtain hacker tools. Because a session cookie or token is a bearer credential, the buyer does not need the victim's password at all: whatever the cookie grants, it grants from the buyer's machine too. Furthermore, buyers in these markets can filter for specific apps and specific types of cookies and tokens in order to conduct surgical attacks on organizations, infiltrate networks and carry out their intentions.
These digital identity packages originate, among other collection methods, from info stealers. An information stealer is a type of malware designed to gather data from a system, mainly an endpoint PC or mobile device. The most common info stealers harvest login information such as usernames and passwords, browser cookies and session tokens, and other "autofill" data, and send it back to the malware's operator. Other info stealers are known to focus on financial and personal data.
Operators of identity markets also run their own info-stealer campaigns. Use cases include using the malware as a botnet, or as the initial foothold that a ransomware crew later buys, and in some cases the operators are simply buying for a dollar and selling for two. Learn more about these activities in the "Evolving Ransomware Threat" white paper.
In summary, the bigger your organization, the bigger your attack surface. Multiple communication applications, task management solutions and employees are fertile ground for attackers, especially when it comes to digital-identity theft. And as they say: defenders need to be on the lookout always; attackers only need to get in once.
Yotam Katz is a knowledge expert in operational cyber intelligence. In his current role as Product Manager at IntSights, Yotam is responsible for identifying new and significant trends and threats in the cybersecurity landscape, and adapting and developing the product accordingly. Previously he held the role of Intelligence Team Leader, leading short- and long-term research on global, sectoral, and regional cyber threat trends. Prior to IntSights, Yotam served as Lieutenant - Intelligence Corps in the Israeli Defense Forces, where he specialized in intelligence and cyber-intelligence gathering, and technological adaptation. In 2020, Yotam was presented with the Israel Defense Prize as a team leader. He was also awarded the “Life Source” award for cyber-operations in 2019, and two “Exceptional Officer” awards, one in 2018 and one in 2016.