Lizard Squad. That's the hacker group whose name is suddenly on everyone's lips after it took credit for ruining Christmas for PlayStation and Xbox gamers everywhere.
But in an unusual interview Friday, a self-proclaimed member of the "cyberterrorist" group said Lizard Squad also played a role in the massive attack against Sony Pictures Entertainment. A person identifying himself as a Lizard Squad administrator said the group provided a number of Sony employee logins to Guardians of Peace, the organization that allegedly broke into Sony's network and prompted the film studio to initially withdraw "The Interview" from theaters.
If true, it would be the first open acknowledgement by a Lizard Squad member that the group was involved in the Sony attack. The administrator also conceded that the group went too far in August, when it tweeted a bomb threat to American Airlines, prompting the midflight diversion of a jet carrying Sony executive John Smedley by F-16 fighters. He also shed more light on the group's membership, saying most are based in the European Union and eastern Europe and therefore aren't too worried about FBI investigations into Lizard Squad.
To help show he was a controlling member of the Lizard Squad, the individual published a confirmation tweet from a Twitter account closely associated with the group, @LizardMafia (a message that I saw but unfortunately didn't screen-capture before it got deleted). The administrator gave his name as "a Ryan Cleary," but further questioning revealed he was not the same Ryan Cleary who was convicted of hacking into the CIA and other agencies as part of the hacking group LulzSec. While we may never be able to prove for certain that @LizardMafia and its affiliated Web site actually speak for the real Lizard Squad — or that Lizard Squad is in fact behind the attacks against Sony and Microsoft — I was at least able to determine that "Ryan Cleary" commands a substantial following of people who believe he represents Lizard Squad. (Update: Security researcher Brian Krebs reports he's identified who "Ryan" may be.)
What follows is an edited transcript of our conversation, which was conducted in a private online chatroom.
Brian Fung: So, I guess one of the first questions everyone will want an answer to is… how can we be sure you're Lizard Squad?
Ryan Cleary: Uh, it says this [chatroom] on the Twitter account. [At this point, Cleary turns to another administrator in the chatroom and asks him to add a "confirmation file" to the Lizard Squad Web site.] Also, I e-mailed you to come here.
But let's just say I was some random person who doesn't know a thing about Lizard Squad — wouldn't I assume that somebody unconnected to Lizard Squad could have just made up your e-mail address? Or made up the Twitter account but separately from the folks who are actually running Lizard Squad?
Well, you could verify the e-mail based on the Twitter account. [Cleary turns to the other administrator and again asks for a file to be added to the Web site for verification.] There should be a verification tweet for you on @lizardmafia: https://twitter.com/LizardMafia/status/548564027522445313
All right, thanks.
Okay. Verified enough?
I think so. So the big question surrounding this latest PlayStation Network/Xbox Live incident is, why, and why now? What do you hope to accomplish with it?
Well, one of our biggest goals is to have fun, of course. But we're also exposing massive security issues with these companies people are trusting their personal information with. The customers of these companies should be rather worried.
In this case it seems less like a leak of personal information than an attack that simply makes the services crash. What does overloading a system have to do with security flaws?
Quite a bit. It tells you how much money they've put into securing their systems. Not having people take down your business critical systems like this should be one of your top security priorities. Which it clearly isn't.
So if I understand correctly, you're saying Sony and Microsoft's systems should be able to scale to handle all this incoming traffic.
Absolutely. We told them almost a month before that we'd do this. And yet we had no difficulties dropping them.
How much data are, or were, you throwing at them per second?
About 1.2 [terabits per second].
Are you guys gamers yourselves?
Not really, no. Unless this counts as a game. I guess this is kind of a game for us.
Tell me more.
Well, it's often sort of like a game of chess. Your opponent does something to prevent your attack, and you alter your attack to get around your opponents' defenses.
What do you think Sony and Microsoft's countermove will be?
Good question. So far only Sony has actually tried to defend against us. They made a deal with a large DDoS protection company, Prolexic, after apparently deciding they stood no chance against us in-house.
Microsoft put up no resistance?
None we could detect. And if we can't tell they're trying to stop us, does it even matter?
You guys said you'd hold your fire after you struck a deal with Kim Dotcom. Has he followed through on that deal? Has he produced the vouchers he offered?
Yes, he has.
This could give the impression that you can — if you'll forgive the term — be bought off. Is that concerning?
Care to elaborate?
[A long pause ensues, about 10 minutes.]
Okay so we're not too worried that someone might think we can be "bought off." Being bought off is still a win for us and a loss to someone else. We're not an activist group.
What kind of group are you, would you say? If you had to describe yourself?
Well, we've been humorously describing ourselves as a cyberterrorist group. I mean, referring to us as a hacker/hacking group would probably be the simplest choice.
Some reports suggest you've got links to Guardians of Peace, and possibly to the Islamic State. Can you talk about that for a minute?
[Another long pause, about five minutes.]
Well, we do know some people from the gop. We do not have any links to the IS.
But you didn't work with Guardians of Peace to breach Sony's network and gain access to the e-mails, etc.? In other words, you know some people but weren't involved in the Sony hack surrounding 'The Interview'?
[A seven-minute pause.]
Well, we didn't play a large part in that.
What part did you play?
We handed over some Sony employee logins to them. For the initial hack.
Like, a lot of them? And how did you come by them yourselves?
We came by them ourselves. It was a couple.
[Another pause that's punctuated by several connection errors.]
Let's switch gears — tell me about this Tor zero-day. What's the deal with that? Why are you attacking Tor?
Okay. First of all there's no actual zero day. We're just running an extremely large amount of Tor nodes. I don't believe anyone has done this at such a scale before. I believe we currently control almost 50% of overall Tor network and over 70% of exit nodes.
And what's the goal of this operation?
To make everyone understand how easy this flaw in Tor is to exploit. Right now, if we wanted to — well, not right now but in a few hours — we could redirect most of outgoing Tor traffic to lizardsquad.ru. All the traffic going through the exits which we control, which is 70% of total exits.
So instead of winding up at the site people wanted, they would wind up at a site of your choosing?
Yep. [Since this interview was conducted, developers at the Tor Project have said they were removing Lizard Squad's nodes from the network.]
What else can you tell me about the Tor relay situation?
People involved with the Tor project seem to be largely disregarding the issue as something easy to block. But yes, it is easy to block because we made it easy to block. But if we wanted to, we could do this same attacks from hacked boxes with different IPs [computers with different IP addresses] and use completely randomized info for each node, and add the nodes to the network over the period of a month or so. There'd be no practical way of identifying our nodes.
Making it harder to tell who was conducting the attack, and how to stop it.
The only thing that would be possible would be to know that there is an attack going on, because there'd be an unexpectedly large amount of new nodes entering the network but there'd be no way to identify which of those new nodes are malicious and which aren't so it'd be near impossible to blacklist them.
Earlier on the Tor message board, someone said that Lizard Squad had had an "opsec facepalm" [a breach in operational security that could allow law enforcement to track Lizard Squad members]. Can you respond to that briefly?
That guy is somewhat dumb. I've been talking with him [in the Tor chatroom]. [In the attack,] we set our contact info on our Tor nodes to devin.bharath.AT.lizardmafia. He believes devin.bharath is the name of an actual lizardsquad member, which it isn't. We just decided to use it because someone [tried to out] us as him.
What about the rest of it — his assertion that "most of you are based in the US" and that the FBI is breathing down your neck? Are you worried about law enforcement (particularly U.S. law enforcement)?
No, that's not true. Most of us are based in EU and Eastern Europe.
What kind of pressure has law enforcement had on you there?
Law enforcement really isn't that big of a deal for us here.
Are there hacking operations you've seen that you think go too far?
Only time I think we went a bit too far was the American Airlines incident.
Tell me more.
Well, we accidentally got some F-16s to escort [Sony Online Entertainment president] John Smedley's plane.
And that was too much because…?
Well — didn't expect the fighter jets.
Like, there was the possibility of someone getting hurt, you mean? Or things spiraled a bit out of control?
[A long pause.]
Well, that was going a bit overboard.
I see. Seems like between the initial Sony hack, this latest Xbox Live/PlayStation Network attack, and now Tor, Lizard Squad is increasing its activity. Is this a conscious strategic decision?
Well, we're definitely ramping up our activities. But it's not really a conscious decision.
What do you say to critics who say you're claiming credit for the actions of others?
We don't really pay much attention to those critics, they're all people trying to get their 15 minutes of fame on our expense.
And what else do you have planned?
[A long pause. Cleary apologized and said he was on with the BBC at the moment.]
We don't really have any plans set in stone as of right now.