You've probably heard that CD Projekt RED recently fell victim of a ransomware attack. The story has since become source of many unconfirmed rumors, surmises, and speculations. We will focus on facts and answer the question – what files were stolen and how can bootleg REDengine be used?
In early February, news broke that someone (a skilled netrunner, presumably) had hacked CD Projekt RED's servers and extracted a large amount of data. This information was soon confirmed by studio representatives. Around the same time, the source code for Gwent: The Witcher Card Game surfaced online. But this was only the tip of the iceberg of stolen data. The cybercriminals also obtained various versions of The Witcher 3, Thronebreaker: The Witcher Tales and, perhaps most alarmingly, Cyberpunk 2077. Why where these files and source codes stolen? The answer is simple: to be illegally sold on dark web. And that's what the hackers supposedly did, by the way. The more interesting question is why would anyone want to pay through the nose for code that can't be legally used in a product. Assuming, of course, that it wasn't CDPR itself that quietly bought the fruits of years of their own hard work. This is quite unlikely, though. A publicly traded equity group would have a rather hard time swiping a $7 million deal under the rug.
What are they video game source files ?
Let's first get the question of what the stolen files actually are. A useful metaphor to make it easily understandable is cooking. Imagine eating an exceptionally good dish, but not being able to identify a single ingredient from which it was made. Most customers don't care that much, as long as it smells, looks, and tastes good. Taking a dish apart is only crucial for a chef, especially one with actual passion. By learning a detailed recipe, a chef could not only recreate the dish, but also modify it, presumably achieving even more satisfying outcome. It's basically the same here. We love all our creature comforts from smoked ribs, to smart TVs, to fridges and autonomous mowers, but most of the time, we couldn't care less about what the production process involves and what kind of know-how it requires, what consequences it has for its immediate environment, etc. This sort of specialized knowledge is only of use (other than a random piece of trivia you can boast during small talk) to engineers, developers, advanced users, and business people.
How to reach the source? Back to the meal metaphor: a talented chef may try to discern all the individual ingredients, which itself can be tricky with complicated pieces of culinary art. On top of that, they'd also have to recognize the techniques used to process those ingredients. Now, people who are able to do it are called gourmets, and that's no silly matter. Recognizing the foundations and inner mechanisms of a video game can be equally challenging. It is possible, however, and people often resort to reverse engineering. Reverse engineering is sort of a comprehensive analysis of the structure of a thing; it's easier to think about it simply as "taking things apart to see how they're made." How can such knowledge be used, then? Well to build your own version of said thing. Of course, if you're not a gourment, it may be more feasible to break into the restaurant's safebox and steal the entire recipe. And that's what happened here.
What's a game engine?
The game engine (not to be confused with a graphics engine) governs all the elements contained and interacting in a video game. It often contains various original modules, and employs engines such as graphics or physics engines created by third-parties. Developing this type of technology from scratch requires a huge budget, a seizable team, lots of time, and is generally no joke. Some studios may thus prefer to obtain engines from third-party developers and focus on creating a car, rather than the wheels. The first Witcher was developed in Aurora Engine, originally created by BioWare. It previously powered Neverwinter Nights, among others. Of course, CDPR accordingly modified Aurora, for example introducing a day-and-night cycle. Despite the fact that both games share the very foundations, it's unlikely that anyone would associate these two without prior knowledge of that very fact. The Witcher 2 is already using the proprietary REDengine. Its subsequent versions powered The Witcher 3 and Cyberpunk 2077.
The evolution of REDengine
From the very onset of developing their own engine, CD Projekt RED had a clear goal. They wanted an engine suitable for non-linear games with an extensive storyline and set in an open world. And they pursued that goal relentlessly. The tech went through numerous iterations since The Witcher 2, but the main idea never changed. The engine supported every console from Xbox 360, Xbox One, Xbox Series X/S, PlayStation 4, PlayStation 5, to OS X, Switch, and Linux. In the meantime, CDPR switched from Havoc to PhysX as physical engine, animations were improved, rendering was streamlined, volumetric effects were introduced, and technologies from Nvidia including Hairworks, raytracing, and DLSS 2.0 were made compatible. In short, REDengine is a complete engine with built-in modules for graphics, AI, cutscenes, etc – a full set, ready to kill.
Cybersecurity – what failed?
How the hackers actually broke into Red's servers and what security measures the studio used will probably forever remain a mystery. However, one isn't really inclined to believe that the precautions and safety measures taken by CDPR were anything but strong. Cyber security experts often say that humans as the weakest link in data protection. The most likely scenario seems that it was one of the employees that unknowingly opened a gateway for the hackers. The only thing you have to do is smuggle a piece of ransomware into the company (with phishing or any other technique), and have someone launch the executable file. The maleware may also have been transferred on a flash drive infected in an employee's home after hacker broke into their PC. If you're feeling like conspiracy theories, you can also assume that there's a rat in the company.
How can you use a stolen game engine?
What can you do with a stolen game engine? The answer is not as simple as you might think. Firstly, it depends on who buys it. We can probably dismiss any claims that the buyer was simply an enthusiast/collector. It would be more plausible that Marcin Iwinski, CD Projekt's CEO, bought the source code together with the documents. He'd certainly be able to afford it. By doing so, the co-founder would shield his company from potentially crippling damage. According to messages circulating online, the buyer made an agreement with the hackers that they would never share the data with anyone else. Trusting criminals, however, is somewhat of an oxymoron, with the emphasis on the last two syllables. Either way, this scenario could be considered a moderately happy ending. For the sake of equilibrium, it is also worth presenting another, less optimistic version.
Possibly the most likely buyer was a person linked to a third-party game-dev studio that has no respect for the Digital Millennium Copyright Act. One of the safest bets I can think of is that the buyer was a relatively obscure (from Western perspective), Chinese studio. China has been notorious for creating cheap knockoffs of anything from beer, to designer clothes, to entire cars. Who knows, maybe someone there figured out they would totally love to release an urban RPG with vertical locations, or a dark-fantasy game about a monster hunter? It seems even more convenient to remake Gwent. Plagiarism is not a new phenomenon in video games. Among the most notorious examples is Limbo of the Lost. A game created on basis of The Witcher 3, Cyberpunk 2077 or Gwent doesn't necessarily have to be so flagrant and obvious.
All the studio's know-how and solutions were stolen. Every new thing that was laboriously created over weeks, months, or even years, complete with instructions and edits to achieve the intended results, ended up in the hands of the dark side of the force. This will allow them to understand how all the different elements of Reds' games work. Implementing these solutions and ideas in other games seems conceivable. Only realizing all of this can let you properly assess the extent of the theft. Of course, CDPR themselves haven't literally "lost" anything. The studio obviously has backups of all the critical info and can restore all files. However, that doesn't change the fact that someone else can benefit from their work and make fat money off of it. Which brings me to another point.
We are anticipating, with varying degree of excitement, for Cyberpunk 2077 to dig out of the mire of problems.
Among the most significant steps to achieve that will be the launch of the online mode for Cyberpunk 2077. The studio assured that the files related to the online module did not end up in the hands of cyber criminals. Which doesn't mean that the source code for the single-player version didn't include elements of the online game. In fact, the entire framework for an on-line module was established by the game we got in December – driving, shooting, hacking – all the gameplay jazz. It's hard to judge what sort of changes the developers intend on introducing in the multiplayer, regarding weapons, for instance. The source files of the single-player mode could be used for creating nearly-undetectable cheats. These will bring financial rewards to their creators, and will hurt ordinary players. However, only CD Projekt RED knows about such details. All the fuss about the hacking attack may affect the release date of the online mode for Cyberpunk 2077, as well as the much-anticipated patches for the game.
Another possible scenario is that the stolen data is leaked online for everyone to access on publicly available services. And this single scenario could actually benefit players. A precedent for this assessment is the example of GTA 3 and GTA: Vice City. Advanced users and modders not only managed to significantly improve the overall quality of the productions in various fields, but also managed to adapt the game to run on different platforms. Nintendo Switch, for instance. Whether Rockstar is going to actively combat it or try to push it to the twilight zone is a matter of debate. Things are a little different when it comes to fixing/modifying Cyberpunk 2077. Theft isn't reverse-engineering, though. Any patches or mods that would be based on stolen files would polarize many players. There would certainly also be voices expressing extreme criticism. Which would not be surprising.
It seems that if the source code were made public, CDPR's losses would be even greater. The studio's technology, based on interesting ideas, unusual solutions and often creative tricks, would be available to everyone. Competition included. Whether the studio would be able to get back on the ball without much stagger is another debatable question. This could have a disastrous effect on the pace of works on future updates to Cyberpunk 2077. Players are expressing their dissatisfaction with the progress, or lack thereof, in patching the game. That may not change for weeks to come. After all, the studio needs to clean up after the attack. This means restoring files backup, assessing damage, trying to plug any wholes that prevented the attack.
rassi | Gamepressure.com