DDoS Gang Targets Sony

Threat Diverts Sony President's Plane as Sites Disrupted
DDoS Gang Targets Sony

Sony says it has restored service to its PlayStation Network and Sony Entertainment Network sites after the gaming and media delivery services were disrupted Aug. 24 by a "large scale" distributed-denial-of-service attack. The group behind the attack also appeared to be responsible for a security scare involving a U.S. airplane on which the president of Sony was flying.

See Also: 2024 CISO Insights: Navigating the Cybersecurity Maelstrom

"We have seen no evidence of any intrusion to the network and no evidence of any unauthorized access to users' personal information," says Sony's senior manager for social media, Sid Shuman, in an Aug. 24 blog post. The same day the DDoS attack began, Sony took the targeted networks offline - including the PlayStation Network, which counts more than 110 million users - to help mitigate the attack, which aimed "to overwhelm our network with artificially high traffic," he says.

Such attacks aren't rare, with DDoS defense service Incapsula reporting that it's seen the frequency of these attacks more than double since last year, with attack severity and duration also increasing. Incapsula says one of its online gaming customers was recently targeted by a DDoS attack that lasted 38 days. Other recent DDoS attack victims have included such businesses as Feedly, Evernote and Deezer, as well as code-hosting service Code Spaces, which was hit by both DDoS and extortion attacks that resulted in the deletion of large amounts of the company's data, driving it out of business.

In the case of Sony, President John Smedley says his company's online services were targeted by a "large scale DDoS" attack. "The problem is upstream of our network; we have no control. So they are flooding the routes to us too," tweeted Smedley on Aug. 24, before the attacks were resolved. He added that Sony was taking steps to filter the attack traffic, but said mitigating the DDoS disruptions was taking time because "upstream ISPs need to filter too."

Airplane Security Scare

A group - or perhaps just an individual - calling itself "Lizard Squad" has taken credit for the DDoS attack, and it also appears to be behind a security scare that targeted Smedley. On Aug. 24, American Airlines flight 362 was diverted after a report of a security threat was posted on Twitter. "@AmericanAir We have been receiving reports that @j_smedley's plane #362 from DFW to SAN has explosives on-board, please look into this," read a tweet from the Lizard Squad account.

Smedley confirmed that he was on the diverted flight. "Yes. My plane was diverted," tweeted Smedley. "Not going to discuss more than that. Justice will find these guys."

The FBI says it's investigating the incident. "Today AA Flight 362 traveling from Dallas to San Diego was diverted to Phoenix Sky Harbor Airport," the bureau says in a statement. "The flight landed without incident. Passengers were safely removed from the plane. The investigation is still ongoing."

Who Is Lizard Squad?

Little is known about Lizard Squad, aside from its penchant for attacking online gaming sites, as well as name-checking the militant group known as the Islamic State in Iraq and Syria, or ISIS. "Today we planted the ISIS flag on @Sony's servers #ISIS #jihad," read an Aug. 24 tweet from the Lizard Squad account. "Kuffar don't get to play videogames until bombing of the ISIL stops #ISIL #PSN #ISIS," it also tweeted. "Kuffar" is a derogatory Arabic word meaning "unbeliever" or "infidel."

Of course, the references to jihad and ISIS could simply be scaremongering, if not a satiric "false flag" meant to drive breathless reporting. Indeed, Australia's News Corp wasted no time in saying that "a group of ISIS hackers" had claimed credit for the DDoS attacks against Sony.

Adding to the confusion, another Twitter user, FamedGod, claims Lizard Squad stole credit for the DDoS attacks. "Why must someone take credit of ones work? LizardSquad couldn't hurt a fly. Decrypting a memory dump and finding the server was all my work," read one tweet from the FamedGod account.

Sony: Favorite Target

Sony has previously been targeted in a number of online attacks, including more than a dozen attacks in 2011 alone. One of those attacks used DDoS to disguise data exfiltration, resulting in the theft of personal information - including some credit card numbers - for 77 million Sony customers. That breach lead the U.K. Information Commissioner's Office to slap Sony with a £250,000 (about $400,000) fine, saying in a statement that "the security measures in place were simply not good enough."

Sony isn't the only business being targeted by DDoS attacks. "Attacks like this will continue to plague big-name companies, thanks to the greater availability of resources" that can be tapped by attackers, says Marc Gaffan, chief business officer at Incapsula, in a statement. "Anyone can Google up a 'botnet for hire' and use it to execute a 20 to 40Gbps attack, from several thousands sources."

The long-running Operation Ababil attacks against U.S. financial services firms, which began in 2012 and ran through 2013, also demonstrated what security experts say has been a rise in DDoS attackers taking advantage of poor Internet hygiene. Namely, the bank attackers were able to exploit vulnerabilities present in ubiquitous PHP websites - including many versions of WordPress and Joomla - to create free launch pads for their massive DDoS attacks.

The severity of DDoS attacks has continued to increase in recent years, reports DDoS mitigation service Verisign, which says the peak size of DDoS attacks against its customers more than doubled in recent months. It recently also saw an attack against one unnamed customer in the "media and entertainment" sector peak at 300 Gbps. It says that customer segment is the one most frequently targeted by DDoS attackers.

Microsoft, Blizzard Targeted

On a related note, Lizard Squad appears to have progressed from attacking Sony to targeting Microsoft's XBox Live service, which reportedly counts about 50 million users. "Sup XBL Login, just performing tests," read a tweet posted by Lizard Squad early Aug. 25. After that tweet, some users, posting to message boards, reported being unable to access the XBox Live login page. The official XBox Live Status page also posted a "service alert" acknowledging that some Xbox One users were "experiencing server unavailability," and Microsoft said it was working to resolve the issue.

Microsoft didn't immediately respond to a request for comment about whether its XBox sites were being targeted by DDoS attacks. But XBox spokesman David Dennis told Reuters: "We don't comment on the root cause of a specific issue, but as you can see on Xbox.com/status, the core Xbox LIVE services are up and running."

Lizard Squad also appears to have targeted the online site for multiplayer World of Warcraft game maker Blizzard Entertainment, which confirmed that it was investigating service disruptions. "Hey all, we are looking into the reported issues. We'll update as soon as we know more," Blizzard tweeted Aug. 25.

Shortly thereafter, Blizzard suggested related attacks were already abating. "Services appear to be stabilizing. We'll continue to keep an eye out. Queues should stabilize as more folks log back in."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.