Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:10 PM
Connect Directly

Researchers ID Hacktivist Who Defaced Nearly 5,000 Websites

Opsec mistakes lead a Check Point researcher to an individual in Brazil who was behind a longtime hacking campaign.

A politically motivated hacktivist who since 2013 defaced nearly 5,000 websites in 40-plus countries has been tripped up by a series of operational security mistakes he made during his seven-year hacking spree.

Security researchers at Check Point Software Technologies, who were commissioned by a foreign government to hunt down the hacker, this week identified him as a 20-something individual living in the municipality of Uberlandia in Brazil.

The security vendor did not release the name of the hacker, citing privacy reasons. But Check Point claimed that it had notified Brazilian law-enforcement authorities about the individual and his activities. It's unclear whether Check Point's information has resulted in the hacktivist's arrest.

The hacker, who used the handle "VandatheGod," defaced websites belonging to governments in Brazil, Argentina, Thailand, Vietnam, and dozens of other countries. Over the last year, a majority of his targets – 57% — were US-based and included websites belonging to cities, states, and healthcare organizations.

Many — but not all — of the attacks appear to have been motivated by anti-government sentiment. The messages the hacktivist left on defaced websites suggest they were carried out to express opposition to what he perceived as social injustices perpetrated by governments worldwide, Check Point said in a newly published report on how its researchers tracked down VandaTheGod.

According to the security vendor, its investigation showed that while anti-government sentiment was a major driving factor, the hacker was also motivated by other reasons. One of them was to try and achieve a personal goal he had set for himself of defacing 5,000 websites worldwide. Data from a service that maintains a record of web defacement incidents showed that VandaTheGod had defaced some 4,820 sites since 2013.

"While most of these websites were hacked by mass scanning the Internet for known vulnerabilities, the list also includes numerous government and academic websites, which VandaTheGod seems to have deliberately selected," Check Point said in its report.

At least a few of VandaTheGod's attacks appear to have been financially motivated as well. In one incident, for instance, the hacker claimed to have accessed records of one million patients in New Zealand, which he put up for sale for $200. He also appears to have stolen credit card data and sensitive personal information. "This hacker was initially motivated by a strong anti-government ideology," says Lotem Finkelsteen, Check Point's manager of threat intelligence. But as with most cybercriminals, he pivoted to other malicious activity, Finkelsteen says. "He picked his targets based on popular news and opportunities he found."

Opsec Mistakes

VandaTheGod's extensive tweets and his social media activity are what ultimately led to his exposure. Check Point researchers analyzing his activity discovered that he had operated under multiple aliases in the past including Vanda de Assis and SH1N1NG4M3. They discovered many of his tweets were in Portuguese and contained references to his being part of the so-called Brazilian Cyber Army (BCA). Screenshots of websites he defaced would often contain the logo of the BCA.

One such screenshot contained an open Facebook tab with the Vanda De Assis's name on it. The led Check Point researchers to a Facebook profile from which they were able to get information tying profile with the Twitter accounts the hacker operated. The screen shot also revealed the initials M.R, which Check Point researchers surmised referred to the hacker's true identity. The theory was based on the fact that a first name matching these initials appeared in several other screenshots the hacker had posted.

A subsequent search on Facebook for people named M.R ultimately led Check Point researchers to one belonging to an individual in Uberlandia and which also contained a BCA logo. The researchers had already previously established the hacker was likely a native of Uberlandia based on information he provided when registering his VandaTheGreat domain.

The researchers were also able to dig up other information from the hacker's public posts on Twitter and Facebook — including photos of his living room from different angles — that allowed them to establish a firm connection between the individual named M.R and VandaTheGod. According to the security vendor, the data its researchers gathered establish with a high degree of certainty that VandaTheGreat and M.R are one and the same individual.

Finkelsteen says the research took a few weeks to complete. "We are well trained to do it and we have done it several times over the past years," he says.

Related Content:


Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-04
An exploitable information disclosure vulnerability exists in SoftPerfect’s RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can cause the disclosure of sensitive information. An attacker can send a malicious IRP to trigger this vulnerability.
PUBLISHED: 2020-08-04
An issue was discovered on Swisscom Internet Box 2, Internet Box Standard, Internet Box Plus prior to 10.04.38, Internet Box 3 prior to 11.01.20, and Internet Box light prior to 08.06.06. Given the (user-configurable) credentials for the local Web interface or physical access to a device's plus or r...
PUBLISHED: 2020-08-04
Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and prior. Multiple stack-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files, which may allow an attacker to read/modify information, execute arbitrary code, and/or crash the applicat...
PUBLISHED: 2020-08-04
Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and prior. Multiple out-of-bounds read vulnerabilities may be exploited by processing specially crafted project files, which may allow an attacker to read information.
PUBLISHED: 2020-08-04
Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and prior. An uninitialized pointer may be exploited by processing a specially crafted project file. Successful exploitation of this vulnerability may allow an attacker to read/modify information, execute arbitrary code, and/or crash...