Epic Games hacked by STORMOUS Claims Source Code Stolen

[Evadingfate]

Summary

 STORMOUS ransomware group claims to have breached Epic Games, the creator of the Unreal Engine and Fortnite.

 

Quotes

Quote

 On March 7 Stormous Group found a vulnerability in the company's internal network that resulted in the processing of 199 gigabytes of master data.

 

My thoughts

Another massive data breach in the wake of the invasion of Ukraine. The Stormous group has been quoted to be in support of Russia in other online articles adding to the narrative that this attack is in response to such events. At this time Epic Games has not acknowledged the breach.

 

Sources

https://twitter.com/darktracer_int/status/1501662062438612992

 

[sub68]

I just intalled epic games today for genshin

[PokestarFan]

1 minute ago, sub68 said:

I just intalled epic games today for genshin

You don't need to, can't you just use Genshin's native launcher?

[sub68]

1 minute ago, PokestarFan said:

You don't need to, can't you just use Genshin's native launcher?

yes but.....

[PokestarFan]

1 minute ago, sub68 said:

yes but.....

I mean if you use epic games only for genshin it's pointless. If you use it for other stuff then it's fine

[sub68]

Just now, PokestarFan said:

I mean if you use epic games only for genshin it's pointless. If you use it for other stuff then it's fine

I am using it for fortnite with my brother and friends cause its the only decent crossplatform game

[Thaldor]

Oh wow, such skilled hackers, managing to get the source code of the Unreal Engine. Wow. Such skill and achievement.

 

The user data is quite critical at least if it includes the passwords and isn't protected or the protection is cracked.

 

But seriously? They claim they managed to get the Unreal Engine source code?

 

[Note to people not knowing and not noticing my sarcasm: You can get the current Unreal Engine source code from Epics GitHub by simply connecting your EGS account to GitHub, you can also get the same source code in working order by simply installing Unreal Engine Editor.]

[SeriousDad69]

Hope they got the source code for the Epic Games Launcher and Fortnite, I want to know how hard they're data mining people.

[Quackers101]

Do hope it's not critical.

so that they run malicious code in MP titles run on the unreal engine.

Do not want more places to ruin, already hard to get hardware.

 

Or to get into the online service for new titles, etc etc. or attacking the EG platform.

[Master Disaster]

IIRC I actually do gave an EGS account, luckily for me I'm not an idiot and use a very secure and different password on all my online service accounts (thanks BirWarden).

[Video Beagle]

11 hours ago, Thaldor said:

[Note to people not knowing and not noticing my sarcasm: You can get the current Unreal Engine source code from Epics GitHub by simply connecting your EGS account to GitHub...

 

Thanks for answering what I was gonna ask. I was like "...uhm, I'm pretty sure the game developers I work with have the source code...and didn't I get it as the prize in that crackerjack box I got last week?"

 

....do they still make crackerjack? Man, I'd dig some crackerjack right now....and anyone ever notice that "crackerjack" is a weird word?

[Kisai]

12 hours ago, Thaldor said:

Oh wow, such skilled hackers, managing to get the source code of the Unreal Engine. Wow. Such skill and achievement.

 

The user data is quite critical at least if it includes the passwords and isn't protected or the protection is cracked.

 

But seriously? They claim they managed to get the Unreal Engine source code?

 

[Note to people not knowing and not noticing my sarcasm: You can get the current Unreal Engine source code from Epics GitHub by simply connecting your EGS account to GitHub, you can also get the same source code in working order by simply installing Unreal Engine Editor.]

Maybe they got some bleeding edge build. I can't imagine there being anything valuable that isn't public other than the Nintendo/Sony SDK's needed to build for those platforms.

[Quackers101]

1 hour ago, Kisai said:

Maybe they got some bleeding edge build.

just hope it doesn't have anything to do with stuff around unreal engine. As then it could be a concern for online titles depending on what they got and what they were able to get. or if it's just code that doesn't mean anything.

[Thaldor]

2 hours ago, Kisai said:

Maybe they got some bleeding edge build. I can't imagine there being anything valuable that isn't public other than the Nintendo/Sony SDK's needed to build for those platforms.

The bleeding edge is UE5 which got the Preview 2 out just couple days ago.

 

Also whatever they stole would have the problem of how to use it, like lets say they got some private PS5 SDK that is only meant for Epic and has some neat features that aren't included in the public Prospero (PS5) SDK (which newest version ships with UE5 Preview 2 and anything above that you would need to hack Sony or get the PS5 DK), where do you expect to use it without Sony spotting it 100 miles away under a nanosecond when you release something?

 

Things would be different if we were talking about Snowflake Engine or some other in-house engine that isn't publicly available. But we are talking about one of the most publicly available game engines which has even went the one step forward and brought the still heavily under development being version out so anyone with EGS can download and start playing with. There isn't much that isn't publicly available and what isn't is probably either so special no one can use it, so unstable no one can use it and the time it takes to utilize it would probably be longer than it takes for it to become in the public stable build.

Also who do they think could profit from them making some unreleased UE version available? It's not like any AAA company that could pay them whatever they want for it couldn't just call Epic and get it and the competition (Unity3D) isn't probably interested about it because that would be way too hot stuff to have around and most likely it will be in the public build sooner or later and they will dig into it then. 3rd party stuff is the same, there really isn't a company that would profit from paying some hacker group for unpublished Prospero (PS5), Orbis (PS4), GDK (Xbox/Windows), Switch/NEX SDK version because they can either call the company and get it there or it's pretty much unusable because it's use as is would be noticed and the competition has already dug so deep there isn't really anything too surprising in some yet unreleased version.

And you kind of would need to be special kind of stupid to use something like unlicensed copy of Prospero SDK to make PS5 game and offer your game to Sony for PS5 release.

[da na]

So...

Time to change my email address and password again?

[Taf the Ghost]

My first thought was "Oh, someone has EGS source code? Well, that's useless." lol

 

There's definitely a big CVE that's going to drop in a few months. There's clearly a big, deep-in-the-network-stack vulnerability right now.

[Mark Kaine]

So no news from epic? shouldn't they tell people when their emails/passwords were compromised/stolen? 

[HarryNyquist]

5 minutes ago, Mark Kaine said:

So no news from epic? shouldn't they tell people when their emails/passwords were compromised/stolen? 

It's likely Epic wants to confirm it themselves before alarming anyone. Not smart IMO, but whatever.

 

29 minutes ago, Taf the Ghost said:

There's definitely a big CVE that's going to drop in a few months. There's clearly a big, deep-in-the-network-stack vulnerability right now.

My money is on a backdoor that only "authorized personnel" are supposed to use, similar to the TSA Approved locks on luggage that only the TSA is supposed to have keys for but you can easily find online.

[Taf the Ghost]

41 minutes ago, HarryNyquist said:

It's likely Epic wants to confirm it themselves before alarming anyone. Not smart IMO, but whatever.

 

My money is on a backdoor that only "authorized personnel" are supposed to use, similar to the TSA Approved locks on luggage that only the TSA is supposed to have keys for but you can easily find online.

Yeah, there's too much "clearly they had access at Admin Privileges in a subdomain" big hacks happening. We'll know when some mid-9 Cisco or Apache CVE drops in a couple of months.

[Master Disaster]

2 hours ago, Taf the Ghost said:

My first thought was "Oh, someone has EGS source code? Well, that's useless." lol

 

There's definitely a big CVE that's going to drop in a few months. There's clearly a big, deep-in-the-network-stack vulnerability right now.

Unless some networking gear has onSoC backdoors?

 

Was gonna make a joke about Trump being right, decided it was probably a bad idea

[Taf the Ghost]

4 hours ago, Master Disaster said:

Unless some networking gear has onSoC backdoors?

 

Was gonna make a joke about Trump being right, decided it was probably a bad idea

It should be noted that the Hardware Lock stuff that has come around is actually about keeping the NSA out. But, that's story for a different time.

[Thaldor]

11 hours ago, Quackers101 said:

just hope it doesn't have anything to do with stuff around unreal engine. As then it could be a concern for online titles depending on what they got and what they were able to get. or if it's just code that doesn't mean anything.

Just more as a note than comment.

 

While Unreal Engine does include certain technologies that makes it possible to do online multiplayer game out of the box, they are all in the core already and anyone can get the source code and do whatever they want with them. They are pretty basic and more as "proof of concept" than something someone should actually use as there is multiplayer plugins which are a lot better than those delivered with the UE. They also need configuring and anyone building them in with default config (which often doesn't work except in local network as is) is basicly digging blood from their nose, same as putting LInux server online without doing any security configs. Every AAA title using UE and having online multiplayer more or less run in-house network system because it's not that hard to develop and making it not only provides the optimization wanted but also the security needed.

 

So for someone to start hacking something like Fortnite through holes found in the source code, they would need to get the Fortnite source code, not just Unreal Engine (that anyone with EGS installed can install and start digging the source code through with couple clicks). Most likely they also run a lot of what actually runs the game in the server so what someone actually would need is the Fortnite server source code (not client source code) and even then there's probably more than couple safeguards so it would really take something to manage to build program that could hack something like Fortnite from the client side.

[And considering they are celebrating getting Unreal Engines source code, I don't think they have the needed skill level to hack online multiplayer game made by modern standards through the client even with the actual games source code]

[Mark Kaine]

On 3/10/2022 at 3:00 PM, HarryNyquist said:

It's likely Epic wants to confirm it themselves before alarming anyone. Not smart IMO, but whatever.

So still nothing official?

[SansVarnic]

-= Moved to General Discussion =-

Topic doesn't meet posting guidelines.

Quote

• Your thread must include a link to at least one reputable source. Most of the time, this should be a respected news site.

Twitter is not a reputable news source.