A computer hacker who “took about an hour” to create a program which infiltrated the website of Nike Inc in a “credential stuffing” cyber attack avoided going to jail on Friday.
Antrim Crown Court heard that self-taught computer programmer Andrew Kelly had been asked in an online forum if he could create a program which could hack into the accounts of Nike. “He took that to be a challenge because Nike relied on the largest security firm in the world, and he wanted to see if he could identify some flaws in their systems,” said Judge Alastair Devlin, adding that according to the 25-year-old “it took him about an hour to design the program”.
He then sent it to the person who had “challenged” him but he did not use any of the details himself nor did he make any fraudulent purchases from Nike, the court heard.
During his sentencing remarks the judge told the court it was in the spring of 2020 when Nike’s “global security incident response team noticed what is known in IT and online industries as a credential stuffing attack”.
“This was low level and described as probing activity,” said Judge Devlin, adding that at this stage the attack “did not trigger any notable alerts within Nike’s systems”.
He explained how “credential stuffing is a particular type of cyber attack” where stolen account details such as usernames, email addresses and passwords are used to gain unauthorised access to user accounts.
“On April 15th a high volume credential stuffing attack started, using a cache of 1.6 million compromised account details previously obtained from data breaches of third party organisations,” Judge Devlin told the court.
The attack continued over April 16th and 17th when Nike “took action to block the attack”, but the person behind it did not stop until the following day, “presumably because Nike defensive actions meant that the attack was no longer yielding results”.
A fraud assessment found that 277,000 customer accounts had been compromised out of a total of 8.9 credential stuffing attempts, and as a result, “third-party fraudsters were subsequently able to access stored PayPal information”, and with more than 500 attempted fraudulent transactions Nike were swindled out of $108,000. Its remedial work after the credential stuffing attack cost Nike an additional $142,500.
Investigating the stuffing attack, its cyber team was able to identify from a “debt request” an IP address which was traced back to Kelly’s family home at Willowfield Avenue in Coleraine.
Judge Devlin told the court all of the other attacks had been sent through proxy servers which disguised the users through location. “The bulk of the defendant’s activity was carried out in this way and but for his oversight in permitting a single debt request to come from his true and ultimately traceable IP address he may well not have been able to be traced in the way that he ultimately was,” said the judge.
Officers raided his house at the end of July and when his computer and other devices were seized and examined, police were able to link them and Kelly to the cyber attacks on Nike. Nike investigators were also able to find evidence of Kelly “boasting online about his expertise in hacking major websites”, while an examination of his computer’s files and folders found lists of thousands of proxy IP addresses.
“More detailed evidence as to exactly how his computer was used to attack Nike is no longer available because on May 1st, 2020, his computer had been securely wiped, presumably by the defendant himself,” said Judge Devlin.
Arrested and interviewed, Kelly later entered guilty pleas to a total of seven offences including that he “knowingly caused a computer to perform a function with intent to secure unauthorised access to a program or data held in a computer, namely a computer operated by Nike Inc, with intent to commit or facilitate a further offence”.
The 25-year-old also admitted hacking into computer programs and data held by The Cooperative Group, Ubisoft Entertainment SA, a computer hosting the game Escape from Tarkov and Reddit.
In other charges, all of which were committed between March 1st and August 1st, 2020, Kelly also confessed to one count of making a computer program “described as R6 Checker.exe, intending it to be used for computer misuse” and one count of having articles in connection with fraud namely “email addresses and passwords contained in a file named ?120k Fresh HQ Combolist email-pass [Netflix,Minecraft,Uplay,Steam,Hulu,spotify.txt].”
Those other charges, said the judge, also related to a list of data gleaned by the defendant for potential use in credential stuffing attacks, but while this was clearly criminal and “demonstrates the defendant’s technical ability, the prosecution also accepts there was no ulterior fraudulent intention and that none of the results had been used for fraudulent purposes”.
The court heard that when the police arrived and seized Kelly’s computer it was in the process of running two credential stuffing programs in relation to the online game Escape from Tarkov and Reddit, the world’s largest discussion forum.
While the Reddit attack was designed to upvote and downvote certain comments and was unlikely to yield any financial gain, the judge explained that according to experts it could be used as a litmus test for details to be used in other credential stuffing attacks.
During interviews Kelly told police he had no formal qualifications but spent upwards of seven hours a day on his computer so had taught himself programming, and when an online user asked him about creating the Nike attack program “he saw that as a challenge”.
Judge Devlin said it was clear from the reports that Kelly has a “psychological background” in that experts believe he is likely to be on the autistic spectrum, and since the offending came to light he has not committed further offences and has got a job as a software engineer for a medical professional company, where he is an “integral part of the team.”
The judge said other factors he was taking into consideration were Kelly’s “genuine” expressions of remorse, his guilty pleas, clear record, good work record and that he did not personally gain financially.
Although he imposed a 16-month prison sentence, Judge Devlin said given the accumulation of mitigating factors it warranted an exceptional approach so he suspended the prison sentence for four years.
He also imposed a three-year serious crime prevention order which imposes various conditions on Kelly designed to prevent further offences.