Four hackers have been charged by the US Department of Justice with “breaking into computer networks of prominent technology companies and the U.S. Army and stealing more than $100 million in intellectual property and other proprietary data.”
Two of the hackers, David Pokora and Sanadodeh Nesheiwat, pleaded guilty to conspiracy and face up to five years in prison along with a $250,000 fine. A fifth hacker, an Australian named SuperDaE, has not been charged but is under investigation by the Australian government.
The Department of Justice alleges a variety of crimes in the original indictment. The group of hackers accessed the networks of Epic Games, Valve, Zombie Studios, and Microsoft in 2011, 2012, and 2013, using a combination of SQL injection attacks and credentials obtained through those attacks.
From Epic, the group obtained a copy of Gears of War 3 almost a year before its release. From Valve, they obtained a copy of the Call of Duty: Modern Warfare 3 multiplayer beta long before its release.
Things get a bit more interesting with Zombie and Microsoft.
Zombie Studios is a pretty small developer, not just compared to the likes of Valve, Microsoft, and Epic but overall. The developer, best known recently for Blacklight: Retribution and Daylight, doesn’t just develop free-to-play games. It turns out they also do contracted work for the U.S. Army. The company developed a simulator for the AH-64D Apache Helicopter, which the Department of Justice alleges was accessed and then shared.
In an interview with Kotaku, SuperDaE states that “everyone had access to the Zombie and US Army VPN tunnel, however, the access level of accounts were ‘unclassified.’”
The document also says that the hackers allegedly accessed Microsoft, obtaining – according to one of the hackers, Pokora – access to 16,000 developer accounts on Microsoft’s Game Developer Network. SuperDaE used some of those credentials to access Microsoft developer sites, allowing him to leak to Kotaku the early Xbox One (then called Durango) information, including Kinect 2 data. SuperDaE and Pokora also planned, according to the document, to assemble and sell devkits built from off-the-shelf parts bought online. An FBI agent apparently intercepted the first one in August 2012.
SuperDaE, for his part, told Kotaku that the group was unorganized and, as things fell apart, there were lies and betrayals, suggesting that not everything Pokora and Nesheiwat have said (or at least what the Department of Justice is reporting) is entirely true, such as the intent to profit off the information obtained.
“If we really wanted to be blackhat [referring to more malicious hacking] and make money, we could have but we didn’t. Otherwise I’d have left long ago and would’ve moved to Belize or somewhere nice,” SuperDaE said.
The Department of Justice states they seized over $620,000 in cash and proceeds related to other charges from the American hackers, and says that “the value of the intellectual property and other data that the defendants stole, as well as the costs associated with the victims’ responses to the conduct, is estimated to range between $100 million and $200 million.”