F-Secure comment on CD Projekt Red breach...

Date: 2021-02-08

February 2021 by F-Secure

Following the news that Cyberpunk 2077 and The Witcher 3 developer, CD Projekt Red, revealed that its internal systems have been compromised, the following spokespeople from F-Secure comment:

Calvin Gan, Senior Manager, Tactical Defence Unit, F-Secure

“CDPR has done a good job in being transparent, where the statement was published almost immediately after discovering the breach. Transparency is key in demotivating attackers from having an upper hand in the negotiation process since the public already knows about the breach and is expecting further updates.

While it remains to be seen how their internal systems were breached, the lesson from this breach is a good reminder to all organizations out there. It is always better to assume and operate in the mindset of “when you will be targeted” rather than “if you will be targeted”. Organizations should work towards reducing the attack surface continuously, not just as a one-time effort.

CDPR indicated they are already in the process of restoring from backups. That is a good sign that they have probably routinely tested their backup, which is something organizations should also practice doing. Organizations must have a response plan in place ready to take effect when needed, but at the same time, constantly being rehearsed so that employees are aware of their next course of action.

While it is a sad situation where large organizations such as this are being compromised, on the bright side, CDPR’s stance of not negotiating with the attacker is commendable. This perhaps would set an example to others to not give in, which may hamper the attackers’ operation further”.

Bert Steppé, Researcher, Tactical Defence Unit, F-Secure

“It looks like this is not a typical ransomware attack where data is exfiltrated before being encrypted. The attacker seems aware that CDPR is probably able to restore the encrypted data from backups. I think the real motivation is extortion and damaging the company’s image. Since the attacker’s note doesn’t look too ‘professional’, maybe it’s just an angry gamer disappointed with the Cyberpunk 2077 game?”

Antti Tuomi, Principal Security Consultant, F-Secure

“In many cases, ransom attacks might not have actually even succeeded in an attack, but are luring the target to react quickly and pay a ransom to avoid consequences. In this case, however, based on CDPR’s message, it appears they have been able to triage the case at least to the level that the breach did indeed happen and that part of their data was indeed encrypted. This lends credibility to the attack.

The difficult aspect about the data being breached is that there is no reliable way to ever ensure it won’t be published - once it has been copied, you have no means to ensure all copies are deleted even if you paid the ransom.

CDPR is doing the right thing both for themselves and their customers by acknowledging the issue and its impact as well as informing everyone about what was affected and whether individuals should be worried about their data. Also, not agreeing to pay the ransom, even if it did cause their unreleased game source and assets to be leaked, is commendable.

Finally, having a working backup system to restore from is likely a sigh of relief for them”.