Above: The Ubuntu desktop demonstrating the National Security website hack posted by the account claiming responsibility for the intrusion. Text is in Portugese.
As reported by the TT Computer Society (TTCS), a total of seven government websites have been compromised by hackers and are now offline.
The TTCS shared its findings online early on Thursday morning after trying unsuccessfully to notify the Ministry of National Security about the issue. The TTCS continues to monitor the issue and issued periodic posts notifying of changes.
Claiming the credit for the hacks is VandatheGod, who tweets regularly about sites that have been compromised. The account is part of a circle of hackers who identify themselves as the Brazilian Cyber Army and the hacker claiming responsibility for the attacks appears to target the websites of officials and authority, leaving behind images that raise a literal middle finger to governments.
According to Zone-H, an independent website that tracks compromised websites, VandatheGod has been responsible for 3,642 attacks on websites.
Within the hour, the hacker has claimed responsibility for hacking into and inserting a text file into the website of the TT Mediation Board as well as the tenders website for Powergen earlier today.
The speed and efficiency associated with these hacks, their claims on Zone-H and subsequent tweets suggest a surprisingly well-oiled engine of destruction and despoiling.
The full list of compromised websites as of this posting is; ttps.gov.tt, tourism.gov.tt, csp.gov.tt, opm-gca.gov.tt, nationalenergy.tt, immigration.gov.tt, nationalsecurity.gov.tt, ag.gov.tt, moe.gov.tt, nedco.gov.tt and tatt.org.tt.
According to a review of domain data by TTCS founding director Dev Anand Teelucksingh, the sites are all running a version of Windows Server 2012 with IIS 8.5 (Internet Information Services is Microsoft’s Web Server software). TATT is running IIS10.
Windows Server 2012 hit end-of-life in October 2018, but extended support is available from Microsoft until 2022. Microsoft has been encouraging companies to migrate to Azure for their web service needs for years now.
The websites were being served by DotNetNuke or DNN, a Windows based content management system (CMS).
Several of the affected websites were build by Design Business of Maracas St Joseph. That company’s website also went down briefly but came back up hours later, though I was unable to send a message through their contact webform, which reported an error.
I’ve sent a request for comment on the incident through their info email with no response at this writing.
Digital Business has also built websites for Colfire, Republic Bank, National Gas and the Unit Trust according to their web presence.
As of this writing, all the affected TT Government websites remain offline.
It’s worth noting that almost all of these incidents of digital intrusion are focused on Windows Server 2012 installations by governance authorities. This does not mean that the underlying domains of either .gov.tt or .tt are exposed to exploitation, the attacks target vulnerable web servers running on those local domains.
The TTCS has compiled a list of intrusions since Thursday morning from the records of Zone-H. It is reproduced with the organisation’s permission.
Websites | Date of defacement (approximate) | Server (According to Zone H) | Web Server (according to Zone H) | IP Location (according to Zone H) | Location | CMS | Developer | Hacker claiming responsibility |
http://immigration.gov.tt | 25/07/2019 | Win2012 | IIS/8.5 | 66.132.247.250 | CA | DNN | http://digitalbusiness.com/ | VandaTheGod |
http://nationalsecurity.gov.tt | 25/07/2019 | Win2012 | IIS/8.5 | 190.213.84.138 | TT | DNN | http://digitalbusiness.com/ | VandaTheGod |
http://ag.gov.tt | 25/07/2019 | Win2008 | IIS/7.5 | 190.58.135.118 | TT | DNN | VandaTheGod | |
http://moe.gov.tt | 25/07/2019 | 190.58.156.85 | TT | DNN | VandaTheGod, M3sicth | |||
http://nedco.gov.tt | 25/07/2019 | Win2012 | IIS/8.5 | 8.14.136.101 | US | VandaTheGod, M3sicth | ||
http://tatt.org.tt | 25/07/2019 | Win2016 | IIS/10.0 | 64.239.18.7 | US | DNN | http://digitalbusiness.com/ | VandaTheGod |
https://ttps.gov.tt | 25/07/2019 | Win2012 | IIS/8.5 | 216.157.39.186 | US | DNN | VandaTheGod, ErrOr SquaD | |
http://tourism.gov.tt | 25/07/2019 | Win2012 | IIS/8.5 | 216.157.38.28 | US | DNN | VandaTheGod | |
http://csp.gov.tt | 25/07/2019 | Win2012 | IIS/8.5 | 64.239.71.158 | US | DNN | http://digitalbusiness.com/ | VandaTheGod |
http://opm-gca.gov.tt | 25/07/2019 | Win2012 | IIS/8.5 | 66.132.137.53 | CA | DNN | VandaTheGod | |
http://nationalenergy.tt | 25/07/2019 | Win2012 | IIS/8.5 | 216.157.38.201 | US | DNN | VandaTheGod | |
www.mediationboard-tt.org | 25/07/2019 | Win2012 | IIS/8.5 | 216.157.38.201 | US | DNN | http://digitalbusiness.com/ | VandaTheGod |
http://www.gillspanshop.com/ | 25/07/2019 | Win2012 | IIS/8.5 | 216.157.38.28 | US | DNN | http://digitalbusiness.com/ | VandaTheGod |
www.digitaltassaapp.com | 25/07/2019 | Win2012 | IIS/8.5 | 216.157.38.201 | US | http://digitalbusiness.com/ | VandaTheGod | |
http://osha.gov.tt/ | 25/07/2019 | Win2012 | IIS/8.5 | 64.239.71.123 | US | VandaTheGod, ErrOr SquaD | ||
http://digitalpanapp.com | 26/07/2019 | Win2012 | IIS/8.5 | 216.157.38.201 | US | VandaTheGod | ||
http://www.sgrc.gov.tt/ | 26/07/2019 | Win2012 | IIS/8.5 | 66.132.247.251 | CA | DNN | http://digitalbusiness.com/ | ErrOr SquaD |
http://tenders.powergen.co.tt/ | 26/07/2019 | Win2012 | IIS/8.5 | 216.157.39.195 | US | DNN | http://digitalbusiness.com/ | VandaTheGod |
http://diwalidiyaapp.com | 26/07/2019 | Win2012 | IIS/8.5 | 216.157.38.201 | http://digitalbusiness.com/ | |||
Information compiled by Trinidad and Tobago Computer Society (https://ttcs.tt) using information from Zone H (http://zone-h.org) |