The cyber-assaults disabling Sony PlayStation and Microsoft's Xbox game consoles may have been done by hackers 'for laughs' - but is something more sinister going on?
Every week, Ann and Jim Johnson put away a few pounds in their Christmas club.
There’s not a great deal of slack in this family’s budget – he is a bus driver, she is a care assistant – but just before dawn on December 25th, their four months of saving was rewarded with the looks on their children’s faces as they unwrapped their presents. “That was the high point,” said Ann. “But it only lasted about ten minutes.” Their younger daughter got a doll’s house, their middle son a bike. But their oldest, Jamie, got a Sony PlayStation 4 – followed by several hours of anguished, then tearful, failure to make it work properly. “He wanted to play with his friends and he couldn’t,” said Ann. “We don’t have a lot of free time together with the kids and it did spoil things for everyone. It wasn’t a great Christmas.”
The Johnsons (not their real names), from south London, didn’t realise until yesterday that their Christmas happiness, and tens of thousands of other people’s, appears to have been deliberately attacked, by a group calling themselves Lizard Squad. The eponymous reptiles claimed credit for disabling both the Sony gaming website – which you need to get all the functions of the PlayStation – and the rival site used by Microsoft to activate and link up its Xbox gaming system. Even three days later, Sony’s still wasn’t quite back to normal.
It was the second disastrous cyberassault on Sony in a month, after vast quantities of confidential emails and documents from the company’s motion picture arm were stolen and published online, to its huge embarrassment. This one was probably unrelated and certainly less sophisticated – not even strictly a hack, involving the theft of data, but merely the swamping of Sony's and Microsoft’s websites with massive, disabling amounts of fake traffic in a so-called “distributed denial of service.”
In the four or so months since they first came to public attention, Lizard Squad have taken (they claim) Sony’s gaming network offline several times, tweeted a threat against an airliner on which the company’s president of online entertainment was travelling (it had to make an emergency landing), and even announced that they had “planted the Isis flag” on Sony’s servers.
Despite all this, however, the real origins of the group may lie not in Iraq, Syria, or the exotic world of international terrorism, but in the slightly more prosaic surroundings of Twickenham. Here, in his parents’ semi-detached house not far from the River Thames, lives a young man named online as one of the key figures in Lizard Squad. His birthday, incidentally, is December 24, the same day as the latest attacks started. The telephone at his home was not answered yesterday.
Another British member of the group is said to live in Meopham, Kent; four others are said to be American. According to his Facebook page, the possible Twickenham lizard did his A-levels at Richmond-upon-Thames College, his degree at Kingston University and worked for an office equipment company before becoming a “computer forensics analyst” at an outfit linked to the racist and homophobic hacking of another gaming site.
A British-accented man of the same age, who said he had also just celebrated a birthday, gave an interview to BBC Radio Five Live on Friday, claiming to be Lizard Squad’s “Member Two”. In his BBC interview, the supposed Second Lizard presented the attack as a sort of public service, his and his associates’ way of exposing corporate security weaknesses and ensuring that the people of Britain got closer to the things that really mattered about the festive season.
“Is Christmas really about children playing with their new consoles, or is it about spending time with their families and celebrating Christmas?” he said. Sony and Microsoft “were told this would come on Christmas Day, but they just let it go over their heads and they couldn’t protect themselves against people who have barely lived”.
The real motive may be rather less high-minded, of course: as someone claiming to speak for Lizard Squad told the WinBeta website, they began the attacks “for laughs”. And as the purported British lizard also conceded in his interview, the group started the attacks “because they could”, adding: “I wouldn’t really call myself a top-grade hacker, but I think I know my stuff and this just proves it.”
Yet in one sense, the lizards may be at least a little bit right to claim that they have done us all a favour. By spoiling so many Christmases, Lizard Squad may have done more than anything else to alert the public to the new form of warfare now being waged by fibreoptics rather than firepower.
Over the last 12 months, this cold war has greatly warmed up, with a number of events far more significant than the Christmas hack of the games networks. Above all, of course, this month the United States for the first time directly accused another country, North Korea, of mounting a cyber-attack on its soil.
As Mike Rogers, chair of the US House of Representatives Intelligence Committee, points out, both China and Iran have been mounting “industrial-scale” cyber-assaults for several years, but Washington has been reluctant to accuse them directly. Now, however, a political, as much as an actual, milestone has been passed.
In Britain, too, the threat has hardened and toughened. Nick Coleman, global head of cyber security intelligence at IBM and the former Government lead on the issue at the Cabinet Office, says: “If we go back five years, people were trying things in their bedrooms and that seemed to be the exciting stuff.
“This has matured on to where we are talking about a targeted situation, a criminal issue, and these people are relatively well organised now. They almost have businesses with a common structure. They have people who look after HR. They have people who look after finance. These are properly run organisations in some respects, so much more sophisticated.”
Britain’s latest information security breaches survey, compiled by PricewaterhouseCoopers for the Government, suggests that the cost of such breaches has almost doubled in the last year, averaging £600,000 to £1.15 million for each breach suffered by a large company. More than half of all large businesses in Britain, the survey found, were attacked by unauthorised outsiders last year, and 81 per cent had some sort of information security breach. And these findings are only, of course, as good as the responses to the survey: many victims will not answer honestly, or at all, for fear of exposing their weaknesses and undermining confidence.
The grave vulnerability of modern networked power and communications systems; of the internet, on which so much commerce rests; and above all of banks - whose money is now nearly always electronic, not physical – has been recognised in the British Government’s £860 million National Cyber Security Programme.
None of these vulnerabilities has been exploited on a large scale in the UK yet (not as far as we know, anyway; in classic British fashion, we might not be told if it had happened.) But it has happened in other places. Part of the reason given by the FBI for being certain that North Korea was to blame for the Sony Pictures hack in America is that the attack matches key features of cyber-assaults made by the North on South Korea’s banking system, which did disable several medium-sized banks for weeks. Luckily, most South Koreans have accounts at more than one bank; any similar attack in Britain would cause chaos, or worse.
Distressing as the Christmas hack was, having to dig out old-fashioned steam board games was surely better than having to dig out candles and lanterns, as a more serious attack might have required. Some people even enjoyed the unexpected break from electronic amusement. “I talked to my wife. She seems nice,” said one person on Twitter.
In the new warming cyberwar, the key gaps, in Britain and across the Western world, are awareness and sufficient trained personnel. If the attack that spoiled Christmas raises awareness, it may not be a wholly unwanted gift.
110 Reykjavik, Iceland