Xbox Underground: How Gamers Used Xbox to Hack into Microsoft, the US Army and More
Read about how a few teenage hackers taught us valuable lessons in what happens when companies fail to detect system vulnerabilities, secure remote access credentials, and even fail to lock their own doors.
What did they do?
Between 2011 and 2014, an international hacker group known as Xbox Underground used video gaming systems to break into the computer networks of Microsoft and the US Army, as well as the video game developers Epic Games Inc., Valve Corporation, and Zombie Studios. What began as a bunch of teenagers playing endless hours of Xbox resulted in their discovery of security vulnerabilities in the gaming software. Eventually, these gamers-turned-hackers gained access to proprietary information, trade secrets, private log-in credentials, and even US military software.
How did they do it?
So how did Xbox Underground learn to use video game consoles to steal an estimated USD 100 to 200 million worth of proprietary data? The short answer is by exploiting security vulnerabilities in the victims' systems, using what they found to get into the victims' internal networks, and stealing the information. The long answer is much more satisfying, and it can be summarized in four steps:
Xbox Underground began with SQL injection, an attack in which user-supplied input is crafted so that, when an application pastes it into the text of a database query, it changes the query the database actually runs. Using SQL injection against the victims' applications, Xbox Underground was able to make the database return data it was never meant to expose, including employee usernames and passwords.
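To make the mechanism concrete, here is an added example (not code from the original article or from any of the companies involved) showing the class of flaw described above against a constructed, in-memory SQLite user table. The vulnerable login function concatenates input into the query text; the same input against a parameterized query is treated as plain data. The table, usernames and passwords are all made up for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a victim's user store (hypothetical).
SAMPLE_USERS = [("alice", "hunter2"), ("bob", "s3cret")]

# Payloads that abuse string concatenation. Both are assumptions for the demo,
# not anything the article attributes to the group.
# 1) Log in as "anyone": the OR makes the WHERE clause always true and the
#    "--" comments out the password check that follows.
BYPASS_PAYLOAD = "' OR 1=1 --"
# 2) Dump the table: a UNION appends every username:password pair to the result.
DUMP_PAYLOAD = "x' UNION SELECT username || ':' || password FROM users --"


def build_db():
    """Create the in-memory database with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: untrusted input is spliced into the SQL text."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query).fetchall()]


def login_parameterized(conn, username, password):
    """Hardened: placeholders keep input as data, so quotes and comments are inert."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password)).fetchall()]


if __name__ == "__main__":
    db = build_db()
    print("normal login   :", login_vulnerable(db, "alice", "hunter2"))
    print("auth bypass    :", login_vulnerable(db, BYPASS_PAYLOAD, "irrelevant"))
    print("credential dump:", login_vulnerable(db, DUMP_PAYLOAD, "irrelevant"))
    print("parameterized  :", login_parameterized(db, DUMP_PAYLOAD, "irrelevant"))
```

Two points worth noting for practitioners. First, the dump payload is exactly the outcome the article describes: one injected query hands the attacker the whole credential table, which is only as bad as it is here because the passwords are stored in clear text; hashing them with a slow, salted algorithm limits what a dump is worth. Second, the fix is not input filtering but parameterization, which is why the parameterized function returns nothing for both payloads without any special-casing.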
The hackers then used the stolen log-in credentials to get into the victims' computer networks, where they found the digital jackpot: Microsoft source code, pre-release copies of the popular video games "Call of Duty: Modern Warfare 3" and "Gears of War 3," and internal design documents for Microsoft's then-unreleased Xbox One system. Xbox Underground also found itself connected to a US Army server, from which it stole the AH-64D Apache simulator software used to train military helicopter pilots.
In September 2013, two of Xbox Underground's members, Austin Alcala and David Pokora, carried out a physical theft from Microsoft's campus in Redmond, Washington. Using stolen access credentials to enter the building, the two walked through the offices without being challenged and took three non-public Xbox Development Kits (XDKs), the pre-release development hardware used to build software for the Xbox One.
After the theft, Alcala, Pokora, and fellow Xbox Underground member Nathan Leroux used the XDKs to build counterfeit Xbox consoles. One of these consoles sold on eBay for $5,000.
The Aftermath
In 2014, the US Department of Justice (DOJ) indicted Leroux (20), Pokora (22), Alcala (18), and Sanadodeh Nesheiwat (28) on 18 felony counts, including conspiracy, fraud, and computer hacking. Pokora, a Canadian citizen, is reportedly the first foreign hacker to be convicted on US soil for stealing trade secrets from US businesses. Ultimately, all four pled guilty to stealing more than USD 100 million in intellectual property and other sensitive data relating to Xbox gaming systems, video games, and military software.
Australian citizen Dylan Wheeler was another key member of Xbox Underground; he reportedly passed confidential Microsoft documentation and details of the group's hacking activities to the gaming blog Kotaku. Before Australian law enforcement could arrest him, he fled the country to the Czech Republic.
Lessons Learned
The story of Xbox Underground is more than just a thrilling tale of computer hacking, data theft, and international fugitives. The group's exploits also serve as a strong reminder of the importance of both physical and digital security. On the digital side, the initial foothold was a web-application flaw, SQL injection, that routine penetration testing and vulnerability scanning are designed to find, and the reuse of stolen credentials across internal systems over several years is exactly what multi-factor authentication, login monitoring, and regular system audits exist to catch. The reality of cybersecurity, however, is that no method guarantees 100% protection.
What is more troubling is that members of Xbox Underground were able to walk through the physical security barriers of Microsoft's offices. On the physical side, Microsoft failed to enforce access control at its own buildings, and that failure was far easier to prevent than the digital intrusion. A stolen badge is only useful if nobody checks that the person carrying it is its owner, if the credential is never revoked, and if nobody notices an unfamiliar visitor leaving with three pieces of unreleased hardware. For a company as large and resourceful as Microsoft, biometric checks, self-locking doors, and closed-circuit TV (CCTV) monitoring, with someone actually reviewing the footage, should be routine. Let Microsoft's mistakes remind us all that the physical side of security is just as crucial as the virtual side.
Want to learn more about Xbox Underground? Check out the two-part Darknet Diaries podcast about this hacking group, featuring interviews with the hackers themselves.