Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:10 PM
Connect Directly

Researchers ID Hacktivist Who Defaced Nearly 5,000 Websites

Opsec mistakes lead a Check Point researcher to an individual in Brazil who was behind a longtime hacking campaign.

A politically motivated hacktivist who since 2013 defaced nearly 5,000 websites in 40-plus countries has been tripped up by a series of operational security mistakes he made during his seven-year hacking spree.

Security researchers at Check Point Software Technologies, who were commissioned by a foreign government to hunt down the hacker, this week identified him as a 20-something individual living in the municipality of Uberlandia in Brazil.

The security vendor did not release the name of the hacker, citing privacy reasons. But Check Point claimed that it had notified Brazilian law-enforcement authorities about the individual and his activities. It's unclear whether Check Point's information has resulted in the hacktivist's arrest.

The hacker, who used the handle "VandatheGod," defaced websites belonging to governments in Brazil, Argentina, Thailand, Vietnam, and dozens of other countries. Over the last year, a majority of his targets – 57% — were US-based and included websites belonging to cities, states, and healthcare organizations.

Many — but not all — of the attacks appear to have been motivated by anti-government sentiment. The messages the hacktivist left on defaced websites suggest they were carried out to express opposition to what he perceived as social injustices perpetrated by governments worldwide, Check Point said in a newly published report on how its researchers tracked down VandaTheGod.

According to the security vendor, its investigation showed that while anti-government sentiment was a major driving factor, the hacker was also motivated by other reasons. One of them was to try and achieve a personal goal he had set for himself of defacing 5,000 websites worldwide. Data from a service that maintains a record of web defacement incidents showed that VandaTheGod had defaced some 4,820 sites since 2013.

"While most of these websites were hacked by mass scanning the Internet for known vulnerabilities, the list also includes numerous government and academic websites, which VandaTheGod seems to have deliberately selected," Check Point said in its report.

At least a few of VandaTheGod's attacks appear to have been financially motivated as well. In one incident, for instance, the hacker claimed to have accessed records of one million patients in New Zealand, which he put up for sale for $200. He also appears to have stolen credit card data and sensitive personal information. "This hacker was initially motivated by a strong anti-government ideology," says Lotem Finkelsteen, Check Point's manager of threat intelligence. But as with most cybercriminals, he pivoted to other malicious activity, Finkelsteen says. "He picked his targets based on popular news and opportunities he found."

Opsec Mistakes

VandaTheGod's extensive tweets and his social media activity are what ultimately led to his exposure. Check Point researchers analyzing his activity discovered that he had operated under multiple aliases in the past including Vanda de Assis and SH1N1NG4M3. They discovered many of his tweets were in Portuguese and contained references to his being part of the so-called Brazilian Cyber Army (BCA). Screenshots of websites he defaced would often contain the logo of the BCA.

One such screenshot contained an open Facebook tab with the Vanda De Assis's name on it. The led Check Point researchers to a Facebook profile from which they were able to get information tying profile with the Twitter accounts the hacker operated. The screen shot also revealed the initials M.R, which Check Point researchers surmised referred to the hacker's true identity. The theory was based on the fact that a first name matching these initials appeared in several other screenshots the hacker had posted.

A subsequent search on Facebook for people named M.R ultimately led Check Point researchers to one belonging to an individual in Uberlandia and which also contained a BCA logo. The researchers had already previously established the hacker was likely a native of Uberlandia based on information he provided when registering his VandaTheGreat domain.

The researchers were also able to dig up other information from the hacker's public posts on Twitter and Facebook — including photos of his living room from different angles — that allowed them to establish a firm connection between the individual named M.R and VandaTheGod. According to the security vendor, the data its researchers gathered establish with a high degree of certainty that VandaTheGreat and M.R are one and the same individual.

Finkelsteen says the research took a few weeks to complete. "We are well trained to do it and we have done it several times over the past years," he says.

Related Content:


Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "The truth behind Stonehenge...."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-01
EPrints 3.4.2 allows remote attackers to execute OS commands via crafted LaTeX input to a cgi/cal?year= URI.
PUBLISHED: 2021-03-01
EPrints 3.4.2 exposes a reflected XSS opportunity in the dataset parameter to the cgi/dataset_dictionary URI.
PUBLISHED: 2021-03-01
EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted JSON/XML input to a cgi/ajax/phrase URI.
PUBLISHED: 2021-03-01
EPrints 3.4.2 allows remote attackers to execute arbitrary commands via crafted input to the verb parameter in a cgi/toolbox/toolbox URI.
PUBLISHED: 2021-03-01
An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an attacker is able to gain ...