clock menu more-arrow no yes mobile

Filed under:

How Lizard Squad brought down both Sony and Microsoft, and how to help stop them

Charlie Hall is Polygon’s tabletop editor. In 10-plus years as a journalist & photographer, he has covered simulation, strategy, and spacefaring games, as well as public policy.

The secret sauce in Lizard Squad's malicious attack on Xbox Live and PlayStation Network over the Christmas holiday was accomplished using a network of hacked consumer-grade routers, reports

Calling the anonymous members of Lizard Squad a "group of young hoodlums," Krebs reports that their directed denial of service (DDoS) attacks were orchestrated by using an as yet undiscovered network of zombified computers, recruited from "thousands of hacked home internet routers."

How do they know for sure? Because Krebs was the victim of an attack by Lizard Squad earlier this month.

"In the first few days of 2015, KrebsOnSecurity was taken offline by a series of large and sustained denial-of-service attacks apparently orchestrated by the Lizard Squad. As I noted in a previous story, the booter service — lizardstresser[dot]su — is hosted at an internet provider in Bosnia that is home to a large number of malicious and hostile sites."

Krebs said that it used the Bosnian host's IP addresses to track down the home of Lizard Squad's botnet controller. Additionally, they found evidence to link that controller to a known, yet "rather crude," piece of malware that first appeared on the scene in early 2014. It takes control of home internet routers, and then scans the network for additional devices to zombify.

"In addition to turning the infected host into attack zombies, the malicious code uses the infected system to scan the Internet for additional devices that also allow access via factory default credentials, such as "admin/admin," or "root/12345". In this way, each infected host is constantly trying to spread the infection to new home routers and other devices accepting incoming connections (via telnet) with default credentials."

The botnet isn't all routers, though, but Krebs said that the massive number of them involved merely lends credence to their theory on how it propogated.

Krebs also said that the attacks on Sony and Microsoft weren't merely a prank. They were an attempt to advertise their botnet, which they intend to sell access to through an online portal. In such a way, anyone can DDoS any IP on the internet for a fee.

The Krebs article has good tips for home network security, and says that by locking down your home router you can help reduce the incidence of these types of botnets. If for no other reason than that, their article is worth a read.

Both the United Kingdom and Finland have made arrests in the holiday attack. Polygon will have more information as those investigations unfold.