Juha Saarinen: Meet VandaTheGod, the hacker that didn't care

The image that appeared on the NZ Institute of Directors' home page after it was hacked by "VandaTheGod".

COMMENT:

A familiar moniker popped up on the radar a few days ago: VandaTheGod.

VandaTheGod is the hacker who in August last year defaced the NZ Institute of Directors' website.

The hacker is also said to have breached systems at Tū Ora Compass , offering up " target="_blank">medical records of one million patients for US$200 each, payable in the Bitcoin crypto-currency.

On Facebook, VandaTheGod used the alias Vanda de Assis and asked for "15 dolar in btc" [sic] for 10 webshells, which are compromised sites under the hacker's control that can be used to host malware, send spam and launch attacks elsewhere.

READ MORE:
• Juha Saarinen: No, Spark isn't profiteering from Covid-19 coronavirus
• Juha Saarinen: Is Apple's new iPad Pro worth $3900?

On the same page, VandaTheGod also claimed to have credit card details for sale. To the surprise of nobody perhaps, Facebook has not taken down VandaTheGod's page.

Over the past seven years, VandaTheGod has enjoyed a free rein, hacking into thousands of mostly government websites, defacing them and taking sensitive personal data.

VandaTheGod claims to be a politically motivated "hacktivist" but protesting against governments by putting people's medical records up for sale doesn't support that.

Stating in public that the goal was to hack 5000 websites with 4820 compromised so far, and being very active on social media points to an opportunist without a real cause, who liked the infamy the data breaches brought.

Seven years is a long time, but now security vendor Check Point says it has worked out VandaTheGod's identity.

By going through VandaTheGod's site defacements over the years, and the many, frequent social media posts the hacker made to boast about them, Check Point tracked down the hacker.

If Check Point is correct, VandaTheGod is "M R", a Brazilian from Uberlândia in the state of Minas Gervais and probably a male who hangs out with hacking groups like UGNazi.

There's plenty of material in the VandaTheGod data collection that points to Brazil, and security researchers are usually careful with attribution. Getting it wrong not only hides the actual digital miscreant, but it could also put innocent people, their families and friends in serious danger.

Hacking and openly taunting governments is, shall we say, not a particularly safe activity.

Even if the government in question adheres to the rule of law and won't send in the paramilitaries and drone hackers, computer crimes carry lengthy sentences, often served out in unpleasant prisons.

What can we learn from Check Point's outing of VandaTheGod?

The obvious thing is that if you're going to hack potentially dangerous opponents, don't post heaps of identifiable information on social media.

You should especially not post screenshots of web browser windows with the sites you're visiting active in tabs, including one that leads to your Facebook page. That's making it really easy for anyone wanting to find you.

This is very, very basic opsec that VandaTheGod appears to have ignored while posting one boast after the other on social media.

Was it a mistake, or did VandaTheGod simply not care? Don't forget the hacker has been active for seven years, defacing and compromising thousands of sites and done the opposite of keeping quiet about it.

The Vanda de Assis Facebook page even says VandaTheGod on it. This kind of attention-seeking behaviour is actually fairly typical of young males sinking deeper and deeper into illegal hacking.

At one stage, they go "oh well, I've come this far and might as well continue". From there, the journey becomes one of self-destruction for the hacker, and at times of huge disruption and damage to organisations, innocent individuals and computer systems.

We'll see who, if anyone, is arrested after Check Point's report, which they were asked to do by an unnamed government.

Letting VandaTheGod and others of the same ilk continue for years and years seems a terrible waste of time, resources and human life though. The signs were out there, loud and clear, and VandaTheGod isn't the only one.