Microsoft hacker avoids jail for cyber-attacks

A County Antrim man has been handed a suspended sentence for his role in a series of cyber-attacks when he was a teenager.

Aaron Sterritt, 24, from Brookfield Gardens in Ahoghill, was sentenced to 26 months suspended for three years when he appeared at Antrim Crown Court.

The charges related to a series of distributed denial of service attacks (DDoS) in 2016 against Flowplay, Microsoft (Xbox Live), Rockstar Games, Tumblr and Ottawa Catholic School Board.

Judge Roseanne McCormick KC told the defendant that any further offending would land him in jail.

A distributed denial of service (DDoS) attack is an attempt to take a website offline by overwhelming it with internet traffic.

They have the power to knock whole sites offline and are usually carried out by automated bots or programs.

For the average user, it appears that the site has simply stopped displaying content.

For businesses, it could mean that the online systems they depend upon have ceased to respond and they may be unable to carry out time critical actions.

The attacks often involve analysis of how a website functions before an attack is launched.

Past victims include British Airways, the BBC and Irish National Lottery.

The 24-year-old was also charged with refusing to disclose passwords for his laptop, hard drives and an iPhone on dates between December 2017 and June 2020.

The court heard he was linked to the charges through communications, activity on his devices and by a forensic speech investigator who could connect him to YouTube videos.

Judge Roseanne McCormick KC said an aggravating factor in the case was that the majority of offences were committed while the defendant was on bail for a similar incident.

In 2015, when he was just 15, Aaron Sterritt was arrested for his role in the hacking of telecom giant TalkTalk.

The fallout from the attack cost the company £77m.

A pre-sentencing report outlined how Sterritt was diagnosed with ADHD and autism as a child and faced challenges in his home life.

The court heard that he has a low likelihood of re-offending and had completed a cyber-awareness programme.

Judge McCormick KC said she was “mindful of the fact this is a young offender with specific challenges in his life.

“And mindful that most were committed when he was a child".

She also took into account that the case had taken a long time to come before the court and that the defendant used that time to “better himself”.

Judge McCormick said the offences were “hugely harmful” and “easily passed the custody threshold”.

But there were exceptional circumstances - his guilty pleas, the time the case has been “hanging over his head” and his low chance of re-offending lead her to suspend the sentence.

Following sentencing, the Police Service of Northern Ireland said the case warranted two investigations - one by the PSNI and the other by the National Crime Agency.

Detective Chief Inspector Paul Woods said the cyber attacks in 2016 were "massive" and affected websites and services in the US.

"Aaron Sterritt, at that time a teenager, was one of the suspects, and the only one of the group from Northern Ireland.

"The [PSNI] investigation focused on Sterritt's role in the development of malicious software used to attack networks of vulnerable computer systems globally.

"A further version of malicious software developed by Sterritt exploited device vulnerabilities for the purpose of mining Ethereum cryptocurrency."

Steve Laval, from the NCA's National Cyber Crime Unit, added: "DDoS attacks can have devastating consequences for victims and have become an appealing entry-level crime for offenders like Aaron Sterritt, who need little technical knowledge behind them."