Menu
Browse

Cyber Threat Actor: Rory Andrew Godfrey

Actor Type Location Known Incidents
 Icon
Sensationalist
Malaysia
1 incident
Profile

Rory Andrew Godfrey,also known by the alias associated with the Lizard Squad, is a threat actor whose known location is Malaysia. The actor is publicly linked to the Lizard Squad, a loosely organized hacking collective that has claimed responsibility for various disruptive operations against online services. No further personal details or organizational ties beyond this affiliation are provided in the available sources. The actor’s activities have been observed in the context of targeting domain registration infrastructure to facilitate broader internet‑based disruptions.

The actor’s typical targeting appears to focus on registrars and DNS management platforms, as evidenced by the compromise of Webnic.cc, a registrar popular among underground forums. Strategic objectives observed in the known incident include promoting the actor’s group and causing disruption by redirecting traffic from high‑profile domains to attacker‑controlled pages. The tactics, techniques, and procedures (TTPs) demonstrated involve exploiting a command injection vulnerability to gain initial access, uploading a rootkit to maintain persistence, and altering DNS records to hijack domain resolution. These actions reflect a focus on leveraging legitimate administrative privileges within registrar environments to manipulate traffic flow without relying on custom malware families beyond the rootkit used for persistence.

The most significant publicly reported operation attributed to Rory Andrew Godfrey occurred on February 24 2015, when the actor, acting in concert with the Lizard Squad, exploited the Webnic.cc vulnerability to upload a rootkit and modify DNS settings for Google’s Vietnam domain and Lenovo.com. This manipulation redirected visitors to pages displaying messages that advertised the group’s services, effectively hijacking the traffic of those domains until the rootkit was removed and the DNS changes were reverted. The incident underscored the ongoing security challenges faced by registrars that are frequent targets of underground actors and highlighted how access to registrar systems can be used to achieve broad, visible disruption across the internet.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources