Griefing, swatting and other malicious hacking trends have hit new high scores of concern and frustration: time to harden event defenses!
Recently, two competitive e-sports players were hacked mid-game during the Apex Legends Global Series. This led the organizers to postpone the tournament.
Hackers had apparently applied what is called a “wallhack” to the targeted participants, making it appear they were cheating in the competition.
The affected players promptly announced that they were being hacked and not in control of their terminals, showing proof with onscreen messages from the hacker announcing: “Apex hacking global series by Destroyer2009 & R4ndom.”
Subsequently, it was announced that “no remote code execution vulnerability” within the gaming infrastructure had been exploited for the hack.
On 20 March, the hacker supposedly involved in the incidents publicly announced that it was “just for fun” and refused to reveal the exact hacking method, stating that the gaming firms offer no financial compensation for players who find and report bugs and exploits.
Moral of the story?
Normally, game designers try to prevent hackers from creating software that lets them play games in ways that ruin the fun for other players. The games industry has a unique attack surface that does not necessarily apply as acutely to other industries: Player Fun.
According to Jamie Boote, Associate Principal Consultant, Synopsys Software Integrity Group, when people on the internet attempt to disrupt other people’s enjoyment (known as ‘griefing’), e-sports streaming becomes a popular target. “Examples can range from the digital to the physical. Digital griefing can be trying to join the streamer’s multiplayer gaming session and harassing the player in game or attempting to identify and hack into the streamer’s PC to disrupt their stream. More dangerous examples of criminal harassment move beyond griefing and could involve calling 911, deceiving the responders into believing that there is a dangerous situation at the streamer’s home address, and claiming that there is an armed gunman or other dangerous situation. Due to the SWAT team’s response, this practice is known as ‘swatting’ and has resulted in fatal shootings.”
Boote has recommended that e-sports organizers adopt strong measures to protect their own infrastructure: from providing hardening guidelines, to mandating that participants install software security agents similar to corporate Bring Your Own Device plans, to providing and mandating centrally controlled computers and networking equipment. “Organizers will have to assume that it’s a matter of when, not if, an event will happen like this again, and know how to prevent or minimize disruption (when) it does,” he said.