EA Games was recently the victim of a compromise in which some of their highly valuable source code for current and upcoming games was stolen. The interesting thing about this attack is that the initial compromise didn’t exploit a unique vulnerability or start with a common phishing attack. Instead, the breach reportedly happened through Slack.
According to an interview between the alleged malicious actors and Motherboard, the hackers gained access to the company’s Slack instance by using a stolen authentication cookie. This allowed the attackers to communicate with other EA Games employees. (The actors reportedly purchased the cookie online for $10 and used it to gain access to the EX Slack channel)
The attackers utilized Slack to contact the IT department and manipulate them into providing multi-factor authentication tokens for the EA corporate network. With that access, they were able to locate and exfiltrate 780GB of data, including the source code for FIFA 21 and the Frostbite Engine used in the Battlefield series (both of which are multi-billion dollar franchises).
What is significant about this attack
There are several key details about this attack which highlight the expanding attack surface created by the massive adoption of cloud-based applications that bad actors are now exploiting:
- The primary part of the compromise happened through an internal communication application. This exemplifies why modern communication channels should be treated with the same security standards as internet-facing communication channels.
- Collaboration applications, like Slack, generally have little to no protection for social engineering or malicious links. This makes them a tempting alternative to targeting email systems, which are more commonly monitored and protected.
- This attack shows that malicious actors are using third-party communication tools as an initial vector. As email defenses have gotten better, malicious actors are starting to look at other ways of compromising a network or system.
- This attack demonstrates that lateral movement through a network using Slack is a viable option for them. Over the past year, actors have become more creative with their utilization of non- email based messaging applications (for example the use of Slack and Telegram instances as C2s for various ransomware campaigns). We expect malicious actors to continue to innovate in their use of these channels in the future.
Guide: Learn How to Overcome the Security Challenges
of Using Slack for Your Enterprise
How to defend against this as a SafeGuard Cyber customer
With the SafeGuard Cyber platform, you can set up policies to detect when passwords or credentials are possibly getting shared on Slack. This can be used in conjunction with company policies to never share credentials on Slack or other third-party communications. If the threat actor had been forced to receive a password through a company email, the attack would have been thwarted.
Businesses can work with SafeGuard Cyber to build out custom machine learning to detect and alert on a social engineering attacks targeting their employees on internal communication channels, such as the one used in the EA attack. We start by creating policies that look for patterns frequently associated with social engineering and then tailor those policies to your company’s needs. SafeGuard Cyber will then work directly with your business to train the system to its environment. Over time, our AI Threat Cortex system becomes more accurate at identifying malicious content targeted at your employees.
The SafeGuard Cyber platform can apply consistent event detection policies that can be applied across multiple communication applications, including collaboration tools, social media, and mobile chat. Clients can enact policies, like the ones described above, to one channel, and then seamlessly apply them to any of the (number) communication applications that are protected by SafeGuard Cyber, allowing them to consolidate their security posture across several disparate channels within one solution. Businesses can request a demo to learn more on how we can protect their digital communication applications.
Storm Swendsboe is the Director of Threat Intelligence at SafeGuard Cyber.