Cyber Incident Victim: Google Vietnam
Date:
Feb 2015
Location:
Viet Nam
Summary
The Google Vietnam domain was temporarily hijacked by the Lizard Squad group, redirecting users to a page promoting their DDoS-for-hire service and displaying a message referencing affiliated individuals. The attackers altered the search engine's Vietnamese DNS records to point to CloudFlare servers via an IPv6 address, disrupting access and causing erroneous redirections. Google confirmed the incident and resolved it by coordinating with the domain management organization. Lizard Squad, known for targeting gaming networks, expanded its activities to include this domain compromise and previously claimed disruptions to other platforms, though some outages were disputed by affected companies. The incident highlighted emerging risks associated with IPv6 infrastructure in malicious domain manipulations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On February 23, 2015, users attempting to access Google Vietnam’s domain (google.com.vn) were redirected to a webpage hosted on DigitalOcean servers displaying a message from the hacker group Lizard Squad. The unauthorized page featured an image of a Caucasian man holding an iPhone alongside text claiming responsibility for the hack. The message promoted the sale of distributed denial-of-service (DDoS) attack tools via a link to lizardstresser.su and included shout-outs to individuals and groups such as Brian Krebs, HTP, and Rory Andrew Godfrey. It also directed users to follow Lizard Squad’s Twitter account, @LizardCircle. Security firm OpenDNS confirmed the attackers altered Google Vietnam’s DNS settings, changing them from Google’s name servers (ns1.google.com, ns2.google.com) to CloudFlare’s IPv6 addresses (173.245.59.108, 173.245.58.166). This redirection caused an outage for Vietnamese users, preventing access to Google’s services. OpenDNS noted the use of IPv6—a protocol designed to address IPv4 address exhaustion—was unusual, speculating it could have been an attempt to bypass legacy security tools or reflected limited IPv4 availability from hosting providers.
Google acknowledged the incident through a spokesperson, confirming users experienced connection issues or unintended redirections for a brief period. The company stated it contacted the organization managing the domain name and resolved the problem. Lizard Squad publicly referenced the attack via a tweet from their account, asking followers if google.com.vn “looks a little different today” and linking to the defaced page. The group, known primarily for DDoS attacks against gaming networks like Xbox Live and PlayStation Network, had recently expanded its targets to include Malaysian Airlines and social media platforms. In January 2015, they claimed responsibility for outages affecting Facebook, Instagram, and Tinder, though Facebook denied their involvement. The Google Vietnam incident highlighted Lizard Squad’s shift toward high-profile domain hijackings and their use of emerging infrastructure like IPv6. OpenDNS warned that IPv6-based malicious activity would likely increase as server providers phased out IPv4 address options. The disruption ended after Google and its domain management partner restored correct DNS configurations.