Reports Uber and Rockstar incidents work of same attacker

Two highly impactful cyber attacks on ride-sharing service Uber and video game developer Rockstar Games that unfolded over the space of three days are being tentatively linked after a threat actor going by the handle teapotuberhacker claimed to be behind both incidents.

Details of the Uber incident first emerged on Thursday 15 and Friday 16 September, while the attack on Rockstar – developer of some of the most high-profile and impactful franchises in contemporary gaming – unfolded on 18 and 19 September.

Rockstar is still racing to contain the leak, which has seen approximately 50 minutes of early video footage from the upcoming Grand Theft Auto 6 game shared on the GTAForums fan site, and has since spread widely.

The leaker also claimed to have stolen additional data, including a test-build of Grand Theft Auto 6 and source code for Grand Theft Auto 6 and Grand Theft Auto 5. They appear to be demanding an unspecified pay-off from the organisation, saying, “I am looking to negotiate a deal.”

A Rockstar spokesperson said: “We recently suffered a network intrusion in which an unauthorised third-party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto.

“At this time, we do not anticipate any disruption to our live game services nor any long-term effect on the development of our ongoing projects.

“We are extremely disappointed to have any details of our next game shared with you all in this way. Our work on the next Grand Theft Auto game will continue as planned and we remain as committed as ever to delivering an experience to you, our players, that truly exceeds your expectations,” they said.

“We will update everyone again soon and, of course, will properly introduce you to this next game when it is ready. We want to thank everyone for their ongoing support through this situation.”

Rockstar’s attacker is understood to have further claimed that they accessed the firm’s systems after gaining access to its Slack channel via social engineering, although this is unconfirmed. However, if accurate, it provides more evidence of a link between the two incidents.

Erfan Shadabi, a cyber security expert at comforte AG, commented: “Given that 2013’s GTA 5 is considered one of the most successful video games of all time and there’s growing fan demand for the new instalment, it is no surprise that it became a target for hackers. 

“What comes to mind when we think about security breaches is usually the stealing and selling of personal user or employee data, but this attack is slightly different. The hacker stole, through the Slack messaging platform, a lot of new gameplay-related assets which can be highly valuable on the dark web and/or highly sought after by fans on social media. When stolen data like this is published on social media, it can be almost impossible to limit the damage and reach of the data.”

“The hacker stole, through the Slack messaging platform, a lot of new gameplay-related assets... When stolen data like this is published on social media, it can be almost impossible to limit the damage and reach of the data”

Sophos principal research scientist Chester Wisniewski said the attacks felt like “reliving” the Lapsus$ cyber attacks of late 2021 and early 2022, and over the weekend, Uber did indeed attribute the breach to Lapsus$ – a gang that specialises in abusing failings in multifactor authentication (MFA) to trick employees at its victims into giving up their credentials.

An Uber spokesperson said: “We believe that this attacker or attackers are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so. This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others.

“We are in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts.”

Sophos’s Wisniewski said social engineering was an “incredibly effective technique for initial compromise and takes advantage of the trust placed in privileged insiders”.

“Security is a system, and it needs redundancy no different than an aircraft or spaceship. You must design it to be fault tolerant. In all of these cases, it appears that gaining access as a trusted insider was enough to enable a wily criminal to wend their way through numerous systems.

“Networks must be designed to challenge a person’s identity and credentials whenever accessing a new or privileged asset,” he added.

Uber additionally provided more information gleaned from its ongoing investigation, saying the incident was down to an external contractor whose account was compromised after the attacker bought their corporate password, which was stolen in a malware attack, on the dark web.

They then repeatedly attempted to log into the contractor’s Uber account, prompting multiple MFA challenges, one of which was unfortunately accepted, giving the attacker access to other employee accounts and, from there, tools including G-Suite, Slack and more.

“Our existing security monitoring processes allowed our teams to quickly identify the issue and move to respond,” said Uber.

“The attacker accessed several internal systems, and our investigation has focused on determining whether there was any material impact. While the investigation is still ongoing, we do have some details of our current findings that we can share.

“First and foremost, we’ve not seen that the attacker accessed the production (i.e. public-facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history. We also encrypt credit card information and personal health data, offering a further layer of protection.

“We reviewed our codebase and have not found that the attacker made any changes. We also have not found that the attacker accessed any customer or user data stored by our cloud providers,” the company said.

It also revealed that all the bug reports viewed by the attacker through its HackerOne bug bounty programme had already been remediated, and therefore posed no further threat.

Uber said it has already identified all compromised or potentially compromised accounts and either blocked them or forced a credential reset; disabled affected and potentially affected internal tools; rotated keys to internal services; locked down its codebase; reauthenticated employees accessing said tools and services; strengthened its MFA policy; and added further internal threat monitoring.