FBI agents have arrested a 20-year-old man alleged to have been part of a hacking gang that not only launched distributed denial-of-service (DDoS) attacks but also launched a wave of bomb and shooting threats against thousands of schools in the United States and United Kingdom.
Timothy Dalton Vaughn of Winston-Salem, North Carolina, is alleged to be a member of the Apophis Squad, a group of self-styled hackers who targeted businesses, institutions and individuals in 2018. Using a variety of online handles including "WantedbyFeds," "Wanted," "HDGZero," "Hacker_R_US" and "Xavier Farbel," Vaughn was allegedly behind a series of bomb and shooting threats, DDoS attacks, website defacements and swatting incidents where armed police units are summoned to a victim's house to investigate a fictitious violent crime.
Documents unsealed this week reveal that Vaughn faces an 11-count federal indictment including charges of making interstate threats involving explosives. The indictment makes for chilling reading, and it's easy to imagine how concerned schools and teachers would be to receive emails like this one:
Hello, you have made a choice to not listen to us. I got bullied at this school and you did nothing. Now you will understand the true mean of pain. I am coming into school with 3 bombs, and a .22 hand gun. If I see any staff or student I will shoot them and kill them. When I run out of bullets, I will slit there throats and watch them bleed out on the floor. If I see any police at the school I will blowup the bombs.
Or this, which refers to the genuine mass-shooting at Columbine High School in 1999:
Hello, a male student will be sent into your campus as you start the day, he will look normal but what is in his bag is a bomb. The explosive that is in the two plastic bottles is called ANFO it is a very powerful explosive. The point is that when you put the school on lockdown this student will set off the bomb, and will kill EVERY student in the room and maybe the rooms next to it. It has an LDR which is used to stop bag searchs (sic). It will exploded if any light hits the sensor. We follow in the foot steps of our two heros (sic) who died in the Columbine High School shooting. Natural selection is coming and we plan on being the onse (sic) to start it off. We understand that you may want to Contact the FBI or Law enforcement but note, that we have pick 5 schools to do this to, your school could be the one to be hit or it could be a lucky one and gets to be picked at a different time. The point is nobody but us will know which school is to be hit. We also have pressure plated pvc pipes at the exists with 12 gauge shot guns shells so if anyone steps on them it will shot through the student. We will have a sniper watching the exits with concreate (sic) with a ruger 10/22.
The emails, however, were all hoaxes. There were no bombs planted and no chances that students would get hurt. It appears that there were multiple motivations for the attacks, from requesting payment from pupils who might be keen to have their schools closed for the day to pointing a finger of suspicion at innocent parties (such as specific Minecraft servers) against which they bore a grudge.
If convicted, Vaughn could spend up to 80 years in prison.
Vaughn, however, is not thought to have been the sole member of Apophis Squad. Also named in court documents is teenage hacker George Duke-Cohan, who in December was sentenced by a British court to three years in jail after he made hoax bomb threats that closed hundreds of schools. At one point in time, he even claimed a bomb was planted on a United Airlines flight from London to San Francisco.
Apophis Squad sent out threats for months, with numerous incidents detailed in the court filings. For instance, in June 2018, Vaughn and Duke-Cohan are alleged to have sent emails to school districts in the US and UK pretending to be sent from the Mayor of London Sadiq Khan. Their emails said that two rocket-propelled grenades had been placed under two school buses and that four land mines had been planted on school sports fields and around their entrances. The threatening messages claimed that the bombs would be detonated unless school was cancelled.
Now, you'd normally expect someone engaged in such criminal behavior as making bomb threats to keep their head down and be careful not to draw too much attention to themselves. Apophis Squad, however, relished being in the spotlight, going so far as to directly tweet Mayor of London Sadiq Khan on the day that they sent out the bogus emails pretending to come from his account.
Apophis Squad also retweeted UK law enforcement updates about school closures caused by the bomb threats.
The picture you get of Apophis Squad is of immature young men laughing at the mayhem they are causing. Vaughn's case is now in the hands of the U.S. legal system, and only time will tell if he is found guilty or not. Duke-Cohan, however, is already serving a three-year prison sentence in the UK for his part in Apophis Squad's reign of terror. I suspect he's not finding much to smile about there, and if he one day faces the charges brought against him in the United States, he could face up to 65 years in a U.S. federal prison.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.