It’s one thing for hackers to target websites and proudly announce it on social media platforms for all to see. It’s, however, an entirely different thing to leave a digital trail that leads cybersecurity researchers right to their doorsteps.
That’s exactly what happened in the case of a hacktivist under the name of VandaTheGod, who has been attributed to a series of attacks on government websites since July 2019.
In a report shared with The Hacker News, researchers from Check Point said they were able to map VandaTheGod’s activity over the years, and eventually zero down the attacker’s real identity to a Brazilian individual from the city of Uberlândia.
The cybersecurity firm said it notified concerned law enforcement of its findings for further action, adding the social media activities on profiles associated with VandaTheGod came to a halt towards the end of 2019.
A Long Social Media Trail
VandaTheGod has a long history of going after government websites, universities, and healthcare providers. Notably, the attacker claimed to have breached the database of New Zealand’s Tū Ora Compass Health and offered medical details of one million patients for sale on Twitter last October.
The hacker in question, allegedly part of the “Brazilian Cyber Army” (BCA), has also vandalized dozens of websites to spread anti-government messages, in addition to displaying BCA’s logo in screenshots of compromised accounts and websites.
“Many of the messages left on the defaced websites implied that the attacks were motivated by anti-government sentiment, and were carried out to combat social injustices that the hacker believed were a direct result of government corruption,” the researchers said.
What’s more, a timeline of VandaTheGod’s tweets shows that the person enjoyed the attention from media reports mentioning the hacking endeavors, even going to the extent of stating that “I will stop hacking websites” once the total reaches 5,000.
“VandaTheGod didn’t just go after government websites, but also launched attacks against public figures, universities, and even hospitals. In one case, the attacker claimed to have access to the medical records of 1 million patients from New Zealand, which were offered for sale for $200,” the researchers said.
According to Zone-H records, a security portal that holds an archive of all web intrusions, there are currently 4,820 entries of hacked websites linked to VandaTheGod, most of which belongs to individuals and entities in the United States, Australia, Netherlands, Italy, South Africa, Canada, UK, and Germany.
Check Point said they worked by tracking down the WHOIS information for the domain “VandaTheGod.com,” which led them to an email address (“fathernazi@gmail.com”) that was used to register other websites, such as “braziliancyberarmy.com.”
But what ultimately gave away VandaTheGod’s real identity were a couple of screenshots that were uploaded to Twitter, from which the researchers identified a Facebook profile belonging to the attacker (“Vanda De Assis”) as well as the person’s real name — identified only by the initials M. R.
Consequently, the researchers said they were able to identify a number of cross-posts between the Facebook profile tied to M. R. and that of Vanda De Assis, including photos of the individual’s living room, proving that both the M.R. and VandaTheGod accounts were controlled by the same individual.
“VandaTheGod succeeded in carrying out many hacking attacks, but ultimately failed from the OPSEC perspective, as he left many trails that led to his true identity, especially at the start of his hacking career,” Check Point researchers concluded.
“Ultimately, we were able to connect the VandaTheGod identity with high certainty to a specific Brazilian individual from the city of Uberlândia, and relay our findings to law enforcement to enable them to take further action.”