Lizard Squad: Original Pranksters

Whether meddling kids or a serious menace, Lizard Squad is part of a phenomenon that is here to stay, concludes Fahmida Rashid

Last year, over Christmas, millions of gaming fans were outraged when distributed denial of service (DDoS) attacks took down Xbox Live and Sony’s PlayStation Network. A group going by the name Lizard Squad claimed responsibility. This was the same group behind the server outages for popular online games League of Legends and Runescape in August.

In 2015 alone, Lizard Squad has already claimed responsibility for hijacking the websites of Malaysia Airlines, Lenovo, and Google Vietnam.

The group’s sole motivation for these attacks – based on its Twitter activity – appears quite simple: because they can. The group considered the Christmas attacks against Xbox Live and PlayStation Networks to be a “sort of a game” carried out for its own amusement, a self-proclaimed Lizard Squad member said in an interview with the UK’s Sky News.

Lizard Squad is becoming a household name because it is prolific, but also because its activities are so visible, says Andrew Hay, director of security research at OpenDNS. The group has relied mainly on DDoS attacks to cause server outages at heavily-trafficked sites. It hasn’t defaced actual company websites, but rather redirected users to spoofed websites to make it seem like the pages are compromised.

“I hesitate to call Lizard Squad hacktivists,” Hay says, noting that hacktivists generally have a call-to-action, a reason for engaging in the attacks. ‘Pranksters’ is a better description, he suggests.

Cyber-attackers are generally categorized by their motivations. Nation-state attackers further the government’s goals, whether that extends to espionage, sabotage, or theft. Cyber-criminals are financially motivated and typically focus on stealing money or valuable assets. Hacktivists are ideologically motivated, and their activities are typically designed to draw attention to something they care about, such as promoting free speech or protesting child pornography. Lizard Squad doesn’t quite fit into any of these brackets.

For the Lulz

Lizard Squad’s activities may evoke memories of LulzSec, an earlier hacking group which took on some high-profile organizations and websites in 2011. Even though LulzSec picked its targets based on ‘lulz’, or laughs, it clearly had hacktivist roots.

LulzSec was originally a disillusioned offshoot of the hacker collective Anonymous intent on exposing “just how bad things were” with security at some of the world’s largest brands, Hay explains. Lizard Squad, in comparison, is “doing what it can for fun.”

Dismissing Lizard Squad just because it doesn’t have an ideology or employ sophisticated attack methods would be a bad idea, says David Francis, a cybersecurity officer at Huawei UK. He adds that it doesn’t matter that the group isn’t using sophisticated tactics to disrupt operations and interfere with user experience, because the fact remains that Lizard Squad did succeed in its goals, and there was an impact on reputation and revenue.

“Whether you class Lizard Squad as pranksters or not is irrelevant; the bottom line is that all organizations, large or small, are subject to attacks,” Francis argues.

Tools of the Trade

Organizations operating online should be concerned about the methods the group uses, says Steve Armstrong, a certified instructor at the SANS Institute. Lizard Squad launches its DDoS attacks using a botnet of compromised routers belonging to home users. Lizard Squad also offered LizardStresser, a DDoS tool that lets buyers launch their own attacks through the same botnet, for sale on its website.

LizardStresser is an IRC-controlled Linux bot which attempts to connect to random IP addresses on the internet using default usernames and passwords. Users who have not changed the default credentials on their routers may find their network devices hijacked into the botnet and taking part in these attacks.

The source code was eventually leaked on GitHub, and some security experts who analyzed the code said it was unoriginal and unimpressive. It didn’t have to be sophisticated – Lizard Squad was able to successfully launch its own attacks, and so were other people who bought the tool. Home routers are notoriously insecure since device manufacturers may take a while to roll out security updates, and users may not know how to install firmware updates, which means LizardStresser will continue to be effective.

A recent analysis by Recorded Future, a web intelligence and predictive analysis company, identified a Windows-based bot client linked to Lizard Squad which has not yet been used.

“It remains unclear what will come of this botnet, but it’s related to Lizard Squad and is more capable than LizardStresser,” the company said.

Organizations have to understand that DDoS attacks are serious because they impact service availability and inconvenience end-users. If the gamers can’t get to the servers to play, they can get annoyed and move on to other games, Hay says.

While many organizations may work with upstream providers to fight back and try to outlast the attack duration, there is the possibility that organizations may just pay a ransom to make the attackers go away.

This can be risky, because the money “could just encourage more attacks,” Hay adds.

Attacks against Xbox Live and PlayStation Networks were a “sort of a game” said a self-proclaimed Lizard Squad member

Cyber Vandalism

During the DDoS attacks against Xbox Live and PlayStation Network in December, Kim Dotcom offered 3000 free vouchers for Mega, his encrypted cloud storage service, to Lizard Squad to cease its activities. While the vouchers did stop the attacks, Hay was concerned about the message this payoff gave to Lizard Squad and other hacker groups.

The vouchers were priced at $99, and there were reports Lizard Squad sold them for $50 each, netting the group at least $150,000 in cash. Considering that DDoS attacks have been growing in volume and intensity over the past few years, a potential financial windfall may encourage more groups to launch attacks.

Vandalism and gaming remain the most popular reasons for DDoS attacks, but attacks acting as a smokescreen for data theft and extortion attempts are also on the rise, says Darren Anstee, director of solutions architects at Arbor Networks. These attacks are disruptive, can cause damage to brand reputation, and increase overall costs for the organization. “DDoS attacks cannot be considered pranks,” says Anstee.

DDoS attacks aren’t the only tricks up Lizard Squad’s sleeve. Earlier this year, the group claimed responsibility for a series of website defacements, including the one for Malaysia Airlines. It didn’t compromise the airline’s site, but likely socially engineered the site’s domain registrar to gain access to the airline’s domain name system records. 

Lizard Squad claimed responsibility for a series of website defacements, including the one against Malaysia Airlines

Lizard Squad modified the records to point to a website under its control, but average users wouldn’t realize they were on the wrong site. This is a tactic frequently used by other hacking groups, such as the Syrian Electronic Army.

Hijacking DNS records can result in considerable damage to the corporate brand because most users and customers will not realize the distinction and will assume the company’s servers have been compromised, Hay explains. And if the attackers also modify the domain’s MX records, which direct inbound mail, then the attackers receive all the email messages being sent to the company. That has even more serious repercussions for the company’s bottom line.

Organizations need to work with their domain registrars to put mechanisms in place to protect themselves, such as two-factor authentication and domain locking to prevent unauthorized changes to DNS records, Hay says. Organizations should also pick registrars which have implemented DNS security extensions (DNSSEC), which lets users verify the site hasn’t been hijacked.
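As an added illustration of the monitoring Hay’s advice implies (example code written for this article, not taken from any of the sources quoted): a baseline comparison that flags changed NS, A and MX records, missing registrar locks and an unsigned zone. The domain, addresses and status values are constructed sample data; a real job would fill them from DNS and RDAP lookups.

```python
"""Flag signs of a registrar-level DNS hijack by diffing live data against a known-good baseline."""
from dataclasses import dataclass

# EPP status codes a registrar sets when a domain is locked against changes.
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}

# Constructed sample data (not real infrastructure): the records the company expects ...
BASELINE = {"NS": ["ns1.example.net", "ns2.example.net"],
            "A": ["192.0.2.10"],
            "MX": ["10 mail.example.com"]}
# ... versus what a lookup returns after the registrar account was socially engineered.
OBSERVED = {"NS": ["ns1.attacker.example"],
            "A": ["198.51.100.7"],
            "MX": ["10 mail.attacker.example"]}
OBSERVED_STATUS = ["ok"]  # no locks set at the registrar


@dataclass
class Finding:
    severity: str
    detail: str


def diff_records(baseline, observed):
    """Compare record sets per type; NS and MX changes are the hijack and mail-interception signals."""
    findings = []
    for rtype in ("NS", "A", "AAAA", "MX"):
        expected, actual = set(baseline.get(rtype, ())), set(observed.get(rtype, ()))
        if expected != actual:
            sev = "critical" if rtype in ("NS", "MX") else "high"
            findings.append(Finding(sev, f"{rtype} changed: expected {sorted(expected)}, observed {sorted(actual)}"))
    return findings


def check_registrar(status_codes, dnssec_signed):
    """Report missing domain locks and a zone clients cannot validate with DNSSEC."""
    findings = []
    missing = REQUIRED_LOCKS - set(status_codes)
    if missing:
        findings.append(Finding("medium", f"registrar locks missing: {sorted(missing)}"))
    if not dnssec_signed:
        findings.append(Finding("low", "zone is not DNSSEC-signed; resolvers cannot verify answers"))
    return findings


def assess(baseline, observed, status_codes, dnssec_signed):
    return diff_records(baseline, observed) + check_registrar(status_codes, dnssec_signed)


if __name__ == "__main__":
    for f in assess(BASELINE, OBSERVED, OBSERVED_STATUS, dnssec_signed=False):
        print(f"[{f.severity}] {f.detail}")
```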

Childish Antics

Whether or not Lizard Squad is just a group of kids with a questionable sense of humor doesn’t matter, because it is not the only hacking group engaged in these activities.

CoreSec is another hacking group engaged in similar activities. The group launched a series of DDoS attacks against Finnish financial services group OP-Pohjola from New Year’s Eve to 4 January. The group demanded a ransom of between 10 and 100 bitcoins to stop the DDoS attack. At least one member of the group is a Finn, said Mikko Hypponen, chief research officer of F-Secure. CoreSec’s motives for the attack remain murky, but Twitter activity shows CoreSec and Lizard Squad consider each other supporters, if not allies, in their cyber-pranking.

The earlier LulzSec is now defunct, with two of its leaders convicted. DerpTrolling has been active more recently, launching a string of DDoS attacks on multiple gaming companies and online gaming servers in early 2014. DerpTrolling was likely just trying to boost its collective ego and its “antics were often childish,” security company CrowdStrike noted in its latest Global Threat Report.

“Despite their immaturity, the collective was able to consistently carry out DDoS attacks on targets of their choosing, and these attacks had a real-world effect on the victims within the gaming community,” wrote CrowdStrike.

The company also noted that Lizard Squad’s antics had real-world consequences beyond the cyber-realm. The group successfully diverted an American Airlines flight carrying a Sony executive by posting on Twitter a rumor about explosives on board. The incident evokes memories of when the Syrian Electronic Army hijacked a media outlet’s Twitter account to post a false report about an explosion at the White House in 2013.

“The threat [Lizard Squad] posed to gaming companies was still noteworthy, especially when combined with terrorist threats; although they were bluster, they still had considerable real-world consequences,” CrowdStrike reported.

Analysis from Recorded Future attempted to identify members of the group by their interests, vernacular, and lifestyle to provide insight into how they operate. The company examined the group’s social media activity for patterns in language and determined the leaders and key members are from the United Kingdom, Canada, or the United States.

Even though Lizard Squad is still seizing headlines, the group’s activity has slowed since December, says Christopher Ahlberg, Recorded Future’s CEO and co-founder. This may have been spurred by Finest Squad, another group which came to light in December and started reporting Lizard Squad accounts to Twitter for abuse, he says.

Lizard Squad’s leaders and key members are most interested in guns, drugs, gaming, and hacking. The intersection of thug-life culture and pro-Nazi sentiments is perplexing, but the fact that one of the accounts associated with the group’s leaders frequently expressed pro-Nazi sentiments may be an indicator of the direction Lizard Squad will be heading in, the company warned.

Instead of dismissing the group, it would “be prudent” to take Lizard Squad’s warnings seriously in 2015, Ahlberg said.

This feature was originally published in the Q2 2015 issue of Infosecurity – available free in print and digital formats to registered users