Cyber Incident Victim: Webnic.cc

Date: Feb 2015

Location: Malaysia

Summary

Attackers linked to the Lizard Squad exploited a command injection vulnerability at the Webnic.cc registrar, compromising its systems to upload a rootkit and alter DNS records for high-profile domains. This enabled the hijacking of Google's Vietnam domain and Lenovo.com, redirecting visitors to attacker-controlled pages displaying messages promoting the group and its services. The intruders used their access to Webnic, a registrar previously targeted because of its popularity on underground forums, to manipulate domain traffic; the rootkit was later removed, closing off further immediate hijacks via this method. The incident highlighted ongoing security challenges for the registrar, which had faced prior breaches involving similar threat actors.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 4 actors
Type: Available to members
Location: Available to members

Description

On February 23, 2015, attackers associated with the Lizard Squad group hijacked Google’s Vietnam domain (google.com.vn), redirecting visitors to a page claiming responsibility for the hack. The defacement message included references to group members and promoted their Twitter account and Lizard Stresser attack service. Two days later, on February 25, Lenovo.com was similarly compromised, with its HTML source code altered to display a message referencing Ryan King and Rory Andrew Godfrey—individuals previously linked to the defunct Hack The Planet (HTP) group. Both hijacks were attributed to unauthorized access at Webnic.cc, a Malaysian domain registrar managing over 600,000 domains, including those of Google Vietnam and Lenovo. Attackers exploited a command injection vulnerability in Webnic’s systems to upload a rootkit, enabling persistent access and concealment of their activities.

The attackers manipulated Webnic.cc’s domain name system (DNS) records to redirect legitimate traffic for google.com.vn and Lenovo.com to servers under their control. Webnic.cc became inaccessible following the incident, with its technical operations center in Kuala Lumpur confirming an outage but providing no further details. Ryan King and Rory Andrew Godfrey, contacted during the investigation, stated the rootkit had been removed from Webnic’s servers, preventing further hijacks using the same method. Historical context revealed Webnic.cc’s prior targeting by similar threat actors, attributed to its popularity among underground forums hosting stolen data operations. The incident highlighted operational disruptions for both affected companies, though no additional technical specifics about remediation or broader customer impact were disclosed by Webnic.

Sources
Sources available to members
1 source