The EA Breach: Social Engineering, Not Ransomware

In our latest white paper we talk about the evolution of ransomware and the growing threat of data leakage. While the EA breach is certainly an example of data leakage, the cyber attack was not ransomware related. Instead, it was a case of purchased Slack cookies and subsequent social engineering.

According to the hackers, the process began with the purchase of stolen cookies being sold online for $10 and then using those to gain access to a Slack channel used by EA.

From there, social engineering took over:

  • Once inside the chat, the hackers messaged IT Support, explained that they had lost their phone, and requested a multifactor authentication token - which worked, twice.

  • Once inside EA's network, the hackers found a service for EA developers for compiling games.

  • EA confirmed to Motherboard the contours of the description of the breach given by the hackers.

  • According to EA: “No player data was accessed, and we have no reason to believe there is any risk to player privacy.”

  • The hackers also provided Motherboard with a series of documents they say were stolen as part of the hack. They include material on PlayStation VR.

EA Breach Activity on the Dark Web

Some threat-actor storytelling, from IntSights research:

  • Leakbook is the user who published the EA breach on RAIDFORUMS.

  • KickAss_Forum is the user who published the EA breach on Exploit.IN.

  • Leakbook is also the user who published the KickAss comeback notification on RAIDFORUMS.

  • Leakbook also published a post about selling a full backup (24GB) of one of the biggest e-commerce markets in the UK.

  • It looks like Leakbook is KickAss_Forum, a handle possibly named after the moderator of the well-known cybercrime forum “KickAss”, which was relaunched a few months ago after a period offline.

And here is the chronology of the data publications:

  • RAID FORUMS - English
    June 6, 10:01 (Israel time)
    Author: Leakbook

  • Exploit.IN - Russian
    June 6, 12:20 (Israel time)
    Author: KickAss_Forum

What Cyber Threat Intelligence Tells Us

Digital browser identities have been sold on the dark web for some time now. Since 2019, IntSights has seen this type of market on the rise; as of today there are far more “identity marketplaces” than before.

Purchasing an “identity package” and fully impersonating a specific user, including all of their financial accounts, social media profiles and, as seen in the EA case, organizational apps, can be done for as little as $10 plus a few easy-to-obtain hacker tools. Furthermore, buyers in these identity markets can target specific apps and specific types of cookies and tokens in order to mount surgical attacks on organizations, infiltrate networks and fulfill their nefarious intentions.
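As an added illustration of the cookie-replay step described above (example code, not from the original post or from IntSights), the following Python script flags a session identifier that reappears from a different network and client fingerprint within a short window, which is what a purchased cookie loaded into the buyer's browser typically looks like in an access log. The key=value log format and the sample lines are constructed for this example; the /24 comparison is a deliberately crude network heuristic.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log (assumed key=value format, not a real Slack log).
# Session s7f3a is used from a corporate Windows client, then the same cookie
# shows up hours later from a different network and a different browser.
SAMPLE_LOG = [
    "ts=2021-06-05T14:02:11 sid=s7f3a user=dev1 ip=203.0.113.10 ua=Slack/4.16 Windows",
    "ts=2021-06-05T16:40:03 sid=s7f3a user=dev1 ip=203.0.113.10 ua=Slack/4.16 Windows",
    "ts=2021-06-06T06:55:48 sid=s7f3a user=dev1 ip=198.51.100.77 ua=Firefox/89 Linux",
    "ts=2021-06-06T07:01:22 sid=s7f3a user=dev1 ip=198.51.100.77 ua=Firefox/89 Linux",
    # Session s9c21 only moves within the same /24 (e.g. a VPN pool): benign.
    "ts=2021-06-06T08:10:00 sid=s9c21 user=dev2 ip=192.0.2.40 ua=Slack/4.16 macOS",
    "ts=2021-06-06T09:12:30 sid=s9c21 user=dev2 ip=192.0.2.41 ua=Slack/4.16 macOS",
]

LINE_RE = re.compile(r"ts=(\S+) sid=(\S+) user=(\S+) ip=(\S+) ua=(.+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sid, user, ip, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "sid": sid, "user": user, "ip": ip, "ua": ua}


def find_replayed_sessions(lines, window=timedelta(hours=24)):
    """Return one alert per session use whose fingerprint (user agent AND /24
    network) differs from the previous use of the same session id within `window`.
    A same-network IP change with the same user agent is treated as benign."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    last_seen, alerts = {}, []
    for e in events:
        prev = last_seen.get(e["sid"])
        if prev:
            ua_changed = prev["ua"] != e["ua"]
            net_changed = prev["ip"].rsplit(".", 1)[0] != e["ip"].rsplit(".", 1)[0]
            if ua_changed and net_changed and e["ts"] - prev["ts"] <= window:
                alerts.append({"sid": e["sid"], "user": e["user"], "at": e["ts"].isoformat(),
                               "from": (prev["ip"], prev["ua"]), "to": (e["ip"], e["ua"])})
        last_seen[e["sid"]] = e
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print("possible cookie replay:", alert)
```

In production the fingerprint would come from the platform's own audit events and the network comparison from ASN or geo data rather than a /24, but the logic (same session, new device and network, short interval) is the same.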

These digital identity packages originate, among other collection methods, from info stealers. An information stealer is a type of malware designed to gather information from a system, mainly an endpoint PC or mobile device. The most common forms of info stealers gather login information, such as usernames and passwords, and other "autofill" data, and send it back to the operator. Other forms of info stealers have also been known to focus on financial and personal data.

Operators of identity markets also run their own info-stealer operations. Use cases include using the malware as a botnet or as a backdoor opener in ransomware attacks. In some cases, they’re simply buying for a dollar and selling for two. Learn more about these activities in the “Evolving Ransomware Threat” white paper.

In summary, the bigger your organization, the bigger your attack surface. Multiple communication applications, task management solutions and employees create fertile ground for attackers, especially when it comes to digital identity theft. And as they say: defenders need to be on the lookout always; attackers only need to get in once.
