Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/28/2020
05:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Researchers ID Hacktivist Who Defaced Nearly 5,000 Websites

Opsec mistakes lead a Check Point researcher to an individual in Brazil who was behind a longtime hacking campaign.

A politically motivated hacktivist who since 2013 defaced nearly 5,000 websites in 40-plus countries has been tripped up by a series of operational security mistakes he made during his seven-year hacking spree.

Security researchers at Check Point Software Technologies, who were commissioned by a foreign government to hunt down the hacker, this week identified him as a 20-something individual living in the municipality of Uberlandia in Brazil.

The security vendor did not release the name of the hacker, citing privacy reasons. But Check Point claimed that it had notified Brazilian law-enforcement authorities about the individual and his activities. It's unclear whether Check Point's information has resulted in the hacktivist's arrest.

The hacker, who used the handle "VandatheGod," defaced websites belonging to governments in Brazil, Argentina, Thailand, Vietnam, and dozens of other countries. Over the last year, a majority of his targets – 57% — were US-based and included websites belonging to cities, states, and healthcare organizations.

Many — but not all — of the attacks appear to have been motivated by anti-government sentiment. The messages the hacktivist left on defaced websites suggest they were carried out to express opposition to what he perceived as social injustices perpetrated by governments worldwide, Check Point said in a newly published report on how its researchers tracked down VandaTheGod.

According to the security vendor, its investigation showed that while anti-government sentiment was a major driving factor, the hacker was also motivated by other reasons. One of them was to try and achieve a personal goal he had set for himself of defacing 5,000 websites worldwide. Data from a service that maintains a record of web defacement incidents showed that VandaTheGod had defaced some 4,820 sites since 2013.

"While most of these websites were hacked by mass scanning the Internet for known vulnerabilities, the list also includes numerous government and academic websites, which VandaTheGod seems to have deliberately selected," Check Point said in its report.

At least a few of VandaTheGod's attacks appear to have been financially motivated as well. In one incident, for instance, the hacker claimed to have accessed records of one million patients in New Zealand, which he put up for sale for $200. He also appears to have stolen credit card data and sensitive personal information. "This hacker was initially motivated by a strong anti-government ideology," says Lotem Finkelsteen, Check Point's manager of threat intelligence. But as with most cybercriminals, he pivoted to other malicious activity, Finkelsteen says. "He picked his targets based on popular news and opportunities he found."

Opsec Mistakes

VandaTheGod's extensive tweets and his social media activity are what ultimately led to his exposure. Check Point researchers analyzing his activity discovered that he had operated under multiple aliases in the past including Vanda de Assis and SH1N1NG4M3. They discovered many of his tweets were in Portuguese and contained references to his being part of the so-called Brazilian Cyber Army (BCA). Screenshots of websites he defaced would often contain the logo of the BCA.

One such screenshot contained an open Facebook tab with the Vanda De Assis's name on it. The led Check Point researchers to a Facebook profile from which they were able to get information tying profile with the Twitter accounts the hacker operated. The screen shot also revealed the initials M.R, which Check Point researchers surmised referred to the hacker's true identity. The theory was based on the fact that a first name matching these initials appeared in several other screenshots the hacker had posted.

A subsequent search on Facebook for people named M.R ultimately led Check Point researchers to one belonging to an individual in Uberlandia and which also contained a BCA logo. The researchers had already previously established the hacker was likely a native of Uberlandia based on information he provided when registering his VandaTheGreat domain.

The researchers were also able to dig up other information from the hacker's public posts on Twitter and Facebook — including photos of his living room from different angles — that allowed them to establish a firm connection between the individual named M.R and VandaTheGod. According to the security vendor, the data its researchers gathered establish with a high degree of certainty that VandaTheGreat and M.R are one and the same individual.

Finkelsteen says the research took a few weeks to complete. "We are well trained to do it and we have done it several times over the past years," he says.

Related Content:

 

 
 
 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Lessons from COVID-19 Cyberattacks: Where Do We Go Next?
Derek Manky, Chief of Security Insights and Global Threat Alliances, FortiGuard Labs,  7/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-3931
PUBLISHED: 2020-07-08
Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command.
CVE-2020-15600
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
CVE-2020-15599
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
CVE-2020-8916
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
CVE-2020-12821
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.