DOJ Busts Hackers Who Targeted Microsoft Xbox

Four hackers are charged with stealing trade secrets related to Microsoft's Xbox One and software from major video game studios.

U.S. law enforcement officials have nabbed four hackers that were accused of infiltrating the networks of Microsoft; video game makers Epic Games, Valve and Zombie Studios; and even the U.S. Army, announced the U.S. Department of Justice (DOJ). The hackers, ranging in age from 18 to 28, were charged with stealing more than $100 million in intellectual property.

An 18-count indictment, unsealed Sept. 30 but delivered by a federal grand jury on April 23, charged the members of an alleged international hacking ring with theft of trade secrets and identity theft, along with conspiracies to commit computer fraud, copyright infringement, wire fraud and mail fraud, according to the DOJ.

The hackers were identified as 20-year-old Nathan Leroux, from Bowie, Md.; Sanadodeh Nesheiwat, 28, from Washington, N.J.; David Pokora, 22, from Mississauga, Ontario, Canada; and Austin Alcala, 18, from McCordsville, Ind. Australian authorities have also charged one of its citizens in connection to the case.

They were accused of stealing intellectual property related to Xbox Live, Microsoft's cloud-based multiplayer and media streaming service, along with source code and technical information pertaining to Xbox One prior to its release. (The Xbox One launched Nov. 22, 2013.)

The hackers also allegedly swiped pre-release versions of major video game titles, specifically Epic Games' Gears of War 3 and Activision's Call of Duty: Modern Warfare 3. Their spree also involved a brush with a real-world military organization.

The crew was charged with stealing simulator software used by the U.S. Army and developed by Seattle, Wash.-based Zombie Studios. "As the indictment charges, the members of this international hacking ring stole trade secret data used in high-tech American products, ranging from software that trains U.S. soldiers to fly Apache helicopters to Xbox games that entertain millions around the world," said Assistant Attorney General Caldwell in prepared remarks.

An FBI-led investigation revealed that the "defendants and others allegedly obtained access to the victims' computer networks through methods including SQL injection and the use of stolen usernames and passwords of company employees and their software development partners," according to the DOJ.

SQL injection remains a thorn in the side of database security experts, despite years spent of battling the threat. In April, a study from security research firm Ponemon Institute and DB Network, a database security analyst, discovered that a majority of organizations (65 percent) had been hit by SQL injection attacks in the preceding 12 months.

In addition to accessing IP and trade secrets, they are accused of digging into other parts of the affected companies. "Members of the conspiracy also allegedly stole financial and other sensitive information relating to the companies—but not their customers—and certain employees of such companies," said the DOJ in a statement.

Pokora and Nesheiwat pled guilty to the charges of copyright infringement and conspiracy to commit computer fraud. Sentencing is scheduled for Jan. 13, 2015. "Pokora's plea is believed to be the first conviction of a foreign-based individual for hacking into U.S. businesses to steal trade secret information," said the DOJ.

Pedro Hernandez

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...