About the Incident
Ubisoft is a world-famous video game company that created some of the most popular games, such as Assassin’s Creed, Far Cry, and Tom Clancy. On January 16, 2020, Ubisoft filed a lawsuit against five individuals who performed distributed denial-of-service (DDoS) attacks on Tom Clancy’s Rainbow Six Siege (R6S) multiplayer servers. According to the court document, the five individuals allegedly managed four DDoS-for-hire services (SNG.one, r6ddos.com, r6s.support, and stressed-stresser-stressing-stressers.com) and earned substantial revenue by advertising their DDoS services for fees ranging from $11 a month to $300 for lifetime access. Ubisoft believed that the five individuals who targeted R6S servers and caused harm to Ubisoft were Dennis Kurk, Maximilian Kuehl, Kelvin Uttih, a minor identified as B.R, and an individual identified as apple.id12343@gmail.com.
The DDoS attacks against R6S started after Ubisoft launched the Operation Ember Rise (OER) update for the game on September 11, 2019, in which Ubisoft reset R6S players’ rankings. Some R6S players used DDoS-for-hire services to disrupt R6S servers, causing the servers to lag and disconnecting all of the players playing R6S on the targeted server. The vulnerability in R6S is the abandon sanction placed on players who leave the game. Under the abandon sanction, any player who leaves a Ranked or Unranked match is suspended from matchmaking in Ranked and Unranked matches and loses points. Points are necessary to level up players’ ranks. In one Rainbow Six Siege tweet on Twitter, the author stated that the abandon penalties are applied by an automated system that does not distinguish whether players leave the game purposely or accidentally. After Ubisoft reset R6S players’ rankings, some R6S players used DDoS-for-hire services to cheat the game system and earn undeserved points to level up their ranking quickly.
According to the court document, the DDoS attacks caused legitimate players to grow dissatisfied with R6S, lose interest, and stop playing. Legitimate players faced unfair situations such as losing points when they were supposed to win the match. The offenders harmed Ubisoft’s reputation, which resulted in the loss of significant customer goodwill in the United States and worldwide. In addition, Ubisoft had to spend a tremendous amount of money to “employ new network and traffic management technologies to fight against DDoS attacks, responding to player complaints and employing personnel to police the game to detect the use of the DDoS Services, reducing matches per server and ban any offenders who are using the DDoS Services”. The offenders were aware of the harm that the DDoS Services caused to Ubisoft and intentionally concealed the evidence by publishing a false seizure notice claiming that the domain r6s.support had been seized by “Microsoft Inc. and Ubisoft Entertainment”, in order to get Ubisoft to admit that it had a problem controlling or stopping the DDoS attacks. In addition, the offenders, as SNG.one, repeatedly posted on Twitter mocking Ubisoft’s security efforts, which affected Ubisoft’s reputation. Ubisoft believed that the offenders intentionally damaged the integrity and the availability of Ubisoft’s computer servers. Since the offenders damaged Ubisoft’s reputation and business profits, Ubisoft stated in the court document that unless the offenders are permanently enjoined, they will continue to attack R6S servers and cause harm to Ubisoft. After Ubisoft announced the countermeasure, on October 29th, 2019, the company reported that the countermeasure had resulted in a 93% drop in the frequency of DDoS/DoS attacks.
Was this incident a Breach or a Hack?
The incident was not a breach because the offenders did not expose any confidential information to anyone who should not have access to that data. None of the R6S players’ data was exposed. The incident was a hack because the offenders were malicious outsiders who intentionally established DDoS services to encourage R6S players to cheat using their services, and to earn money.
When did this incident happen?
The incident happened after Ubisoft launched the Operation Ember Rise update on September 11, 2019. After the launch, Ubisoft noticed a sharp increase in DDoS attacks targeting R6S and tried to figure out who was performing them. Eventually, after the offenders used the SNG.one Twitter account to post a message taunting Ubisoft’s security efforts on September 18, 2019, Ubisoft decided to file a lawsuit against the offenders and worked with lawyers to prepare the lawsuit, which was eventually published on January 16, 2020.
What was the main attack vector?
An attack vector is a method of gaining unauthorized access to a network or computer system.
The adversary used Distributed Denial of Service (DDoS) as the main attack vector, overloading Ubisoft’s data center to slow down the server, affect Ubisoft’s sales, and cause legitimate R6S players to stop playing. When a DDoS attack is performed, the targeted server crashes and becomes inaccessible to players.
What were the penalties for the offenders?
On July 9th, 2021, a California federal court ruled in Ubisoft’s favour. The court ordered Dennis Kurk, Benjamin Ruesink, and Roland-Daniel Soos to pay $153,092.44, the majority of which covers attorney’s fees owed by Ubisoft to its representation. The court ordered the offenders to shut down the DDoS websites and close any associated social network accounts. The offenders must transfer control of domains related to Ubisoft. They are not allowed to disrupt R6S players and have been ordered not to impair the integrity and availability of R6S Servers and Networks.
