UK Police Detail DDoS-for-Hire Arrests
Four Teenagers Charged With Using 'Lizard Stresser' Service
British police have arrested four teenagers on charges that they used "Lizard Stresser," a distributed denial-of-service tool, to disrupt multiple websites.
The DDoS tool is marketed by Lizard Squad, a gang of hackers that has been tied to numerous attacks and disruptions, including the February hack of the Lenovo website, as well as the 2014 Christmas Day disruption of the Sony PlayStation and Microsoft Xbox Live networks.
The U.K.'s National Crime Agency announced on Aug. 28 that it arrested four males - two 18-year-olds, plus a 15-year-old and a 16-year-old.
"Those arrested are suspected of maliciously deploying Lizard Stresser, having bought the tool using alternative payment services such as Bitcoin in a bid to remain anonymous," the NCA says. "Organizations believed to have been targeted by the suspects include a leading national newspaper, a school, gaming companies and a number of online retailers."
Officials say that none of the arrested individuals are suspected of being members of Lizard Squad or of participating in the group's Christmas Day 2014 disruption. They also note that the DDoS service, like many other DDoS-for-hire services, offers inexpensive rates, and can have a devastating effect on targeted organizations. "By paying a comparatively small fee, tools like Lizard Stresser can cripple businesses financially and deprive people of access to important information and public services," says Tony Adams, head of investigations at the NCA's National Cyber Crime Unit.
This investigation was code-named "Operation Vivarium," referring to a container used for keeping plants or animals, such as lizards, for study.
Police say that as part of Operation Vivarium, they're visiting about 50 other individuals in the U.K. who have signed up on the Lizard Stresser site, but who do not appear to have used the service. Police say that about one-third of those individuals appear to be younger than age 20. "One of our key priorities is to engage with those on the fringes of cyber criminality, to help them understand the consequences of cybercrime and how they can channel their abilities into productive and lucrative legitimate careers," Adams says.
Ever used a #DDoS tool? If you're registered to #LizardStresser officers may be visiting you soon! pic.twitter.com/JDrbbJoIEd
— NationalCrimeAgency (@NCA_UK) August 28, 2015
"'Crime as a service' where attackers pay others for tools and services is becoming a significant factor in cybercrime. Whilst many think of denial of service attacks as being trivial, they are costing organizations great deal through the disruption they cause," says Alan Woodward, a computer science visiting professor at the University of Surrey and cybersecurity advisor to the association of European police agencies known as Europol. Accordingly, police have been focusing not just on people who commit online crimes, but those who help others to do so as well (see How Do We Catch Cybercrime Kingpins?). "You can expect to see more of this in the future, and those who might be tempted to provide such services should perhaps learn that law enforcement agencies are patient but determined to tackle those who are actively enabling cybercrime in all its forms," he says.
Follows Related Arrests
Earlier this year, U.K. police arrested two other teenagers on charges that they used the Lizard Stresser service. They also arrested a suspected member of Lizard Squad (see U.K. Police Arrest 57 Alleged Hackers).
In July, another alleged Lizard Squad member, a 17-year-old Finn named Julius Kivimaki - a.k.a. "Zeekill," "Ryan" - was found guilty of 50,700 "instances of aggravated computer break-ins," but given a two-year suspended sentence, meaning he will spend no time in jail, so long as he honors the terms of his court agreement. He must submit to two years of electronic monitoring of his online activities, has had his PC confiscated, and he has been ordered to forfeit €6,588 ($7,276) worth of property obtained through his crimes. The suspended sentence is due to Finland's child protection act specifying that anyone under the age of 18 is legally a "child," and must be tried accordingly.
Commenting on that verdict, Dublin-based information security consultant Brian Honan, who's a cybersecurity adviser to Europol, says that seeing suspended sentences frustrates many security professionals and law enforcement officials (see Young Hackers: Jail Time Appropriate?).
"We need to take into account the fact that if teenagers are able to wreak such damage against our systems, it is a sad indictment of the effectiveness of the software and tools that we use to defend our systems," Honan says. "Instead of criticizing the legal system, we should use these cases to take a cold, hard look at ourselves and how we need to place accountability and ownership on those who operate insecure platforms on the Internet ... and how we as an industry need to work together to make our systems easier to secure and more resilient to attacks."