Researchers ID Hacktivist Who Defaced Nearly 5,000 Websites

Opsec mistakes lead a Check Point researcher to an individual in Brazil who was behind a longtime hacking campaign.

A politically motivated hacktivist who since 2013 defaced nearly 5,000 websites in 40-plus countries has been tripped up by a series of operational security mistakes he made during his seven-year hacking spree.

Security researchers at Check Point Software Technologies, who were commissioned by a foreign government to hunt down the hacker, this week identified him as a 20-something individual living in the municipality of Uberlandia in Brazil.

The security vendor did not release the name of the hacker, citing privacy reasons. But Check Point claimed that it had notified Brazilian law-enforcement authorities about the individual and his activities. It's unclear whether Check Point's information has resulted in the hacktivist's arrest.

The hacker, who used the handle "VandatheGod," defaced websites belonging to governments in Brazil, Argentina, Thailand, Vietnam, and dozens of other countries. Over the last year, a majority of his targets – 57% — were US-based and included websites belonging to cities, states, and healthcare organizations.

Many — but not all — of the attacks appear to have been motivated by anti-government sentiment. The messages the hacktivist left on defaced websites suggest they were carried out to express opposition to what he perceived as social injustices perpetrated by governments worldwide, Check Point said in a newly published report on how its researchers tracked down VandaTheGod.

According to the security vendor, its investigation showed that while anti-government sentiment was a major driving factor, the hacker was also motivated by other reasons. One of them was to try and achieve a personal goal he had set for himself of defacing 5,000 websites worldwide. Data from a service that maintains a record of web defacement incidents showed that VandaTheGod had defaced some 4,820 sites since 2013.

"While most of these websites were hacked by mass scanning the Internet for known vulnerabilities, the list also includes numerous government and academic websites, which VandaTheGod seems to have deliberately selected," Check Point said in its report.

At least a few of VandaTheGod's attacks appear to have been financially motivated as well. In one incident, for instance, the hacker claimed to have accessed records of one million patients in New Zealand, which he put up for sale for $200. He also appears to have stolen credit card data and sensitive personal information. "This hacker was initially motivated by a strong anti-government ideology," says Lotem Finkelsteen, Check Point's manager of threat intelligence. But as with most cybercriminals, he pivoted to other malicious activity, Finkelsteen says. "He picked his targets based on popular news and opportunities he found."

Opsec Mistakes

VandaTheGod's extensive tweets and his social media activity are what ultimately led to his exposure. Check Point researchers analyzing his activity discovered that he had operated under multiple aliases in the past including Vanda de Assis and SH1N1NG4M3. They discovered many of his tweets were in Portuguese and contained references to his being part of the so-called Brazilian Cyber Army (BCA). Screenshots of websites he defaced would often contain the logo of the BCA.

One such screenshot contained an open Facebook tab with the Vanda De Assis's name on it. The led Check Point researchers to a Facebook profile from which they were able to get information tying profile with the Twitter accounts the hacker operated. The screen shot also revealed the initials M.R, which Check Point researchers surmised referred to the hacker's true identity. The theory was based on the fact that a first name matching these initials appeared in several other screenshots the hacker had posted.

A subsequent search on Facebook for people named M.R ultimately led Check Point researchers to one belonging to an individual in Uberlandia and which also contained a BCA logo. The researchers had already previously established the hacker was likely a native of Uberlandia based on information he provided when registering his VandaTheGreat domain.

The researchers were also able to dig up other information from the hacker's public posts on Twitter and Facebook — including photos of his living room from different angles — that allowed them to establish a firm connection between the individual named M.R and VandaTheGod. According to the security vendor, the data its researchers gathered establish with a high degree of certainty that VandaTheGreat and M.R are one and the same individual.

Finkelsteen says the research took a few weeks to complete. "We are well trained to do it and we have done it several times over the past years," he says.

Related Content:


Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register