October 5, 2015
In late August, six British teenagers were arrested for targeting various organizations with Lizard Stresser, a distributed-denial-of-service-for-hire (DDoS-for-hire) mechanism created by the hacker group Lizard Squad. The UK’s National Crime Agency (NCA) said that the teens, who were out of jail and awaiting trial (as of August 28), went after a large newspaper, a school, several e-commerce companies, and online game firms.
In an effort to elude the authorities, the kids paid for their use of Lizard Stresser with Bitcoin and other cryptocurrencies, but they were unsuccessful in concealing their identities.
Lizard Squad became widely known in 2014 for successfully pushing PlayStation Network and Xbox Live off-line on Christmas Eve and Christmas Day. The downing of the huge gaming sites seemed to partially be an effort to draw attention to Lizard Stresser, which gives anyone access to a botnet of zombie devices with which to pummel whatever site they choose.
Brian Krebs, a security consultant, notes that the Stresser botnet is made up of hacked routers belonging to companies and colleges. Several members of Lizard Squad have already been arrested – including 17-year-old Julius “zeekill” Kivimaki of Finland, who received a two-year suspended prison sentence.
Beyond going after Squad members themselves, the UK police are additionally targeting people who have paid for the Lizard Squad service.
“One of our key priorities is to engage with those on the fringes of cyber criminality,” explains cybercrime head investigator Tony Adams of the NCA. The goal, said http://www.engadget.com/2015/08/28/lizard-stresser-ddos-arrests/ Adams, is “to help them understand the consequences of cyber crime and how they can channel their abilities into productive and lucrative legitimate careers.”
The police are in the process of going to the homes of four dozen people who have purchased Lizard Stresser. The hope is that these high-profile arrests will serve as a deterrent for possible attackers.
Lizard Squad clearly did not care for the NCA’s efforts, responding with a DDoS attack that temporarily made the website of the National Crime Agency unavailable. As soon as the NCA website was off-line, the hacker group tweeted that it was behind the attack. Soon thereafter, the NCA announced that it was in fact being hit with a distributed-denial-of-service assault.
The retaliatory attack “sends out a strong message,” says http://www.engadget.com/2015/09/01/lizard-squad-national-crime-agency-ddos/ Nick Summers of Engadget. “[T]he hacker group is still operational, and until its members are rounded up there’s always a chance it’ll strike again.”
A Brazilian teenager jumped into the mix, launching a DDoS on two police forces’ websites, the Greater Manchester Police and Essex Police (September 2 and 3). The attacks each lasted about 30 minutes.
Following the second attack, the Essex Police said that they were trying to determine the identity of the attacker. “Officers investigating the suspected denial of service attack on the Essex Police website … are liaising with other law enforcement agencies to identify any investigative leads,” the office announced http://www.theregister.co.uk/2015/09/04/essex_police_ddos/.
Twitter user @n0w1337 told the UK’s The Register that they had launched the attack. The profile for the account locates the user in Lithuania, and its English was a bit garbled, according to the newspaper.
Although the Twitter user primarily goes after UK sites, it primarily follows Brazilian accounts. Since that’s the case, The Register asked if the user was Brazilian or Lithuanian, and the user claimed to be from Brazil.
The attacker said that they were 19 years old and that they were in between high school and college, giving the impression that they were launching these attacks partially out of boredom.
Furthermore, the supposed Brazilian teen said that they were not concerned that they might get arrested. “But who’s going to get me?” they said. “I think that there is nothing wrong someone makes things worse type that handles all the media and banks and the government stealing.”
The 19-year-old attacker said that they were not the bad guy, which echoes a sentiment from Lizard Squad that they are performing a social good – publicizing poor security of organizations to consumers by bringing down these sites.
Clearly anyone whose site is brought down would not see it that way. Plus, the United Kingdom’s Police and Justice Act of 2006 makes it clear that distributed-denial-of-service attacks are illegal, with convictions resulting in as much as 10 years in prison.
Distributed denial of service is of course not limited to the gaming industry and law enforcement. Enterprises of all sizes across all industries are vulnerable. At Nexusguard, with our service (featuring Flash Crowd Support and Adaptive Learning), we can help you maintain 100% availability during a DDoS attack. Get comprehensive protection today. https://www.nexusguard.com/services/ddos-protection.php
