
Rockstar GTA6 Leak Came From Cyber Attack That Breached Internal Slack Channel

Game developer Rockstar has been preparing the next title in its popular “Grand Theft Auto” video game series for the better part of a decade, nearly as long as it has been since the last title in the series was released. The forthcoming Grand Theft Auto 6 (GTA6) was not expected to be released until at least 2024, but a cyber attack has given the public a major sneak preview that Rockstar was not prepared for. The GTA6 leak contains development videos of various aspects of the game being tested, and the hacker claims that they are also sitting on stolen source code.

GTA6 leak shows early build of game to public; hacker claims to have stolen source code

The first signs of the GTA6 leak appeared on the website GTAForums, the largest discussion forum for fans of the series, on September 18. A user by the name of “teapotuberhacker” began posting what would eventually be a set of 90 videos showing almost a combined hour of development footage from an early build of the game. But it soon became clear that the user was doing more than just showing off; they claimed to have obtained the videos from a cyber attack that breached a Rockstar employee Slack channel, and that they had also obtained the early source code for GTA6 as well as the full source code for prior title GTA5. The hacker said that they wanted to negotiate a payment from Rockstar for return of this stolen code.

Despite being rough test clips, the videos nevertheless were of a level of detail that would be extremely difficult to fake. Rockstar acknowledged that the GTA6 leak was authentic shortly after the clips appeared, but has been busily issuing copyright strikes to get them taken down when they are posted on sites such as YouTube and Twitter.

The cyber attack on the Slack channel apparently led the hacker to direct downloads of all of these video clips. This mirrors the recent cyber attack on Uber to some degree, with the attacker first compromising employee VPN credentials and then popping into the Slack channel to announce their presence. However, the Rockstar hacker does not appear to have had anything like the level of total administrative access that the Uber hacker lucked into.

There are also questions as to whether the hacker ever really had access to the source code. Rockstar’s Tom Henderson took to Twitter to advise users that the GTA6 leaker would not have been able to access any kind of source code solely from the employee Slack channel. The hacker has responded to queries by posting specific snippets of code requested by GTA5 modders that explain certain previously obfuscated functions; though the hacker has only posted a relatively small amount, this code does appear to be authentic. However, they have yet to post similar code confirming that they have access to GTA6.

The source code would not put the content of the game at any risk, as it is in such an early and rough state and clearly lacking most of the assets and structure that will be in the final version. However, it could give hackers a road map for exploiting the game. A well-designed online game will generally not give hackers a path into user systems with any kind of privileged access, but in-game pranksters will likely have a field day with the experience to the point that it might drive players away and impact sales. Financially motivated hackers might also use the source code to develop ways to take over user accounts or steal items from them. The source code for GTA5 might also provide some insights of this nature into the workings of GTA Online, which was developed as a companion game that shares some code and assets.

Craig McDonald, VP of Product Management at BackBox, notes that there are still gaps in this story and that more information could emerge: “Although Rockstar has informed the press that the intrusion will not have any long-term effect on game development, it is still unclear if the attacker gained access to data beyond the video clips that were posted. To be secure, all the infrastructure devices in an organization’s network must have the latest operating systems and patches, and be configured in compliance with internal security policies as well as government and industry regulations. Preventative measures like that often take a back seat to more pressing network management tasks, so companies should invest in network security automation to ensure a continuous motion for upgrades and patches. Implementing a baseline for proper automation will ensure that these tasks are running consistently and reliably, and can deter future data-compromising attacks from accessing critical and confidential information.”

Rockstar cyber attack highlights importance of protecting employee VPN credentials, Slack logins

Though the GTA6 leaker did not obtain the same level of access to Rockstar’s systems, it may have been the same party that recently broke into Uber. While Rockstar has not pointed any fingers as of yet, Uber has stated that it believes the hacker of both companies is a familiar face responsible for a string of cyber attacks on big tech names in the past year.

Based on its internal investigation, Uber has pointed the finger at the Lapsus$ group, which has previously been identified as a group of mostly teenagers from the United Kingdom and Brazil. That group has been active since 2021 and has hit a number of other major companies: Microsoft, Samsung, Nvidia, Ubisoft and T-Mobile among them. A wave of arrests was made in the UK in April 2022, including the alleged “mastermind” of the group, but the Brazilian component of the group (including the “super hacker” most responsible for the high-profile break-ins) is thought to still be at large and active. And most of the UK component remains out of jail while under investigation, though supposedly under supervision.

Given similarities in the cyber attacks, Uber thinks Rockstar was hit by Lapsus$ as well. And the hacker seemed to confirm this, posting that they were responsible for both break-ins. If it was the same party, it is likely they used the same “MFA fatigue” approach to compromise an employee’s credentials. In the case of Uber, the hacker was lucky enough to stumble into admin credentials for essentially the entire network sitting in a PowerShell script in plaintext; it does not look like they were as lucky with the GTA6 leak.
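As an added example from the defender's side (not code from the article or from either company), a small detector for the “MFA fatigue” pattern named above: a burst of rejected push prompts for one account ending in an approval. It runs over constructed sample log lines; the JSON field names, window and threshold are assumptions, not any real product's format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events (not real logs from Rockstar, Uber or any vendor).
SAMPLE_EVENTS = """\
{"ts": "2022-09-18T02:01:10Z", "user": "alice", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-18T02:01:40Z", "user": "alice", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-18T02:02:05Z", "user": "alice", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-18T02:02:30Z", "user": "alice", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-18T02:03:55Z", "user": "alice", "result": "approved", "src_ip": "203.0.113.7"}
{"ts": "2022-09-18T09:15:00Z", "user": "bob", "result": "denied", "src_ip": "198.51.100.4"}
{"ts": "2022-09-18T09:16:30Z", "user": "bob", "result": "approved", "src_ip": "198.51.100.4"}
"""

WINDOW = timedelta(minutes=10)   # assumed: how long a run of denials stays "recent"
DENIAL_THRESHOLD = 3             # assumed: denials in the window before an approval is suspicious

def parse_events(raw):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def detect_mfa_fatigue(events, window=WINDOW, threshold=DENIAL_THRESHOLD):
    """One alert per approval that follows >= threshold denials for the same user within the window."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of denials still inside the window
    for e in events:
        user = e["user"]
        # Age out denials older than the window relative to the current event.
        recent[user] = [t for t in recent[user] if e["ts"] - t <= window]
        if e["result"] == "denied":
            recent[user].append(e["ts"])
        elif e["result"] == "approved":
            if len(recent[user]) >= threshold:
                alerts.append({"user": user, "denials": len(recent[user]),
                               "src_ip": e["src_ip"], "approved_at": e["ts"].isoformat()})
            recent[user] = []  # an approval closes the run either way
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

A single denial followed by an approval (bob) is normal user behaviour and produces nothing; the four denials then an approval for alice is the pattern worth paging on.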

According to Yana Blachman, Threat Intelligence Specialist at Venafi: “With the Lapsus$ cybercrime group having been responsible for breaches at Nvidia, Microsoft and Samsung over the last year, these recent attacks on Uber and Rockstar show that it has an appetite for Big Tech companies and should be a warning to the entire industry. Despite the group being relatively young, its list of victims is starting to read like a ‘who’s who’ of the tech industry. In the past – such as the Samsung breach – its attacks have been characterized by the use of stolen code-signed certificates. These are real crown jewels for hackers, as they allow malicious files to masquerade as legitimate. If organizations do not properly secure the process and the infrastructure for managing code signing certificates, the likelihood of abuse, as well as the impact of any compromise, are both extremely high.”


The FBI is now investigating both the GTA6 leak and the Uber cyber attack, and is reportedly in “close coordination” with both companies.