Hackers compromise eleven government websites


Above: The Ubuntu desktop demonstrating the National Security website hack posted by the account claiming responsibility for the intrusion. Text is in Portuguese.

As reported by the TT Computer Society (TTCS), a total of seven government websites have been compromised by hackers and are now offline.

The TTCS shared its findings online early on Thursday morning after trying unsuccessfully to notify the Ministry of National Security about the issue. The TTCS continues to monitor the issue and has issued periodic posts notifying of changes.

Claiming the credit for the hacks is VandatheGod, who tweets regularly about sites that have been compromised. The account is part of a circle of hackers who identify themselves as the Brazilian Cyber Army, and the hacker claiming responsibility for the attacks appears to target the websites of officials and authorities, leaving behind images that raise a literal middle finger to governments.

According to Zone-H, an independent website that tracks compromised websites, VandatheGod has been responsible for 3,642 attacks on websites.

Within the hour, the hacker has claimed responsibility for hacking into and inserting a text file into the website of the TT Mediation Board as well as the tenders website for Powergen earlier today.
The speed and efficiency associated with these hacks, their claims on Zone-H and subsequent tweets suggest a surprisingly well-oiled engine of destruction and despoiling.

The full list of compromised websites as of this posting is: ttps.gov.tt, tourism.gov.tt, csp.gov.tt, opm-gca.gov.tt, nationalenergy.tt, immigration.gov.tt, nationalsecurity.gov.tt, ag.gov.tt, moe.gov.tt, nedco.gov.tt and tatt.org.tt.
According to a review of domain data by TTCS founding director Dev Anand Teelucksingh, the sites are all running a version of Windows Server 2012 with IIS 8.5 (Internet Information Services is Microsoft’s web server software). TATT is running IIS 10.

The Digital Business website

Windows Server 2012 hit end-of-life in October 2018, but extended support is available from Microsoft until 2022. Microsoft has been encouraging companies to migrate to Azure for their web service needs for years now.

The websites were being served by DotNetNuke or DNN, a Windows-based content management system (CMS).
Several of the affected websites were built by Digital Business of Maracas St Joseph. That company’s website also went down briefly but came back up hours later, though I was unable to send a message through their contact webform, which reported an error.

I’ve sent a request for comment on the incident through their info email with no response at this writing.
Digital Business has also built websites for Colfire, Republic Bank, National Gas and the Unit Trust according to their web presence.
As of this writing, all the affected TT Government websites remain offline.

It’s worth noting that almost all of these incidents of digital intrusion are focused on Windows Server 2012 installations by governance authorities. This does not mean that the underlying domains of either .gov.tt or .tt are exposed to exploitation; the attacks target vulnerable web servers running on those local domains.

The TTCS has compiled a list of intrusions since Thursday morning from the records of Zone-H. It is reproduced with the organisation’s permission.

| Websites | Date of defacement (approximate) | Server (according to Zone H) | Web Server (according to Zone H) | IP Location (according to Zone H) | Location | CMS | Developer | Hacker claiming responsibility |
|---|---|---|---|---|---|---|---|---|
| http://immigration.gov.tt | 25/07/2019 | Win2012 | IIS/8.5 | 66.132.247.250 | CA | DNN | http://digitalbusiness.com/ | VandaTheGod |
| http://nationalsecurity.gov.tt | 25/07/2019 | Win2012 | IIS/8.5 | 190.213.84.138 | TT | DNN | http://digitalbusiness.com/ | VandaTheGod |
| http://ag.gov.tt | 25/07/2019 | Win2008 | IIS/7.5 | 190.58.135.118 | TT | DNN | | VandaTheGod |
| http://moe.gov.tt | 25/07/2019 | | | 190.58.156.85 | TT | DNN | | VandaTheGod, M3sicth |
| http://nedco.gov.tt | 25/07/2019 | Win2012 | IIS/8.5 | 8.14.136.101 | US | | | VandaTheGod, M3sicth |
| http://tatt.org.tt | 25/07/2019 | Win2016 | IIS/10.0 | 64.239.18.7 | US | DNN | http://digitalbusiness.com/ | VandaTheGod |
| https://ttps.gov.tt | 25/07/2019 | Win2012 | IIS/8.5 | 216.157.39.186 | US | DNN | | VandaTheGod, ErrOr SquaD |
| http://tourism.gov.tt | 25/07/2019 | Win2012 | IIS/8.5 | 216.157.38.28 | US | DNN | | VandaTheGod |
| http://csp.gov.tt | 25/07/2019 | Win2012 | IIS/8.5 | 64.239.71.158 | US | DNN | http://digitalbusiness.com/ | VandaTheGod |
| http://opm-gca.gov.tt | 25/07/2019 | Win2012 | IIS/8.5 | 66.132.137.53 | CA | DNN | | VandaTheGod |
| http://nationalenergy.tt | 25/07/2019 | Win2012 | IIS/8.5 | 216.157.38.201 | US | DNN | | VandaTheGod |
| www.mediationboard-tt.org | 25/07/2019 | Win2012 | IIS/8.5 | 216.157.38.201 | US | DNN | http://digitalbusiness.com/ | VandaTheGod |
| http://www.gillspanshop.com/ | 25/07/2019 | Win2012 | IIS/8.5 | 216.157.38.28 | US | DNN | http://digitalbusiness.com/ | VandaTheGod |
| www.digitaltassaapp.com | 25/07/2019 | Win2012 | IIS/8.5 | 216.157.38.201 | US | | http://digitalbusiness.com/ | VandaTheGod |
| http://osha.gov.tt/ | 25/07/2019 | Win2012 | IIS/8.5 | 64.239.71.123 | US | | | VandaTheGod, ErrOr SquaD |
| http://digitalpanapp.com | 26/07/2019 | Win2012 | IIS/8.5 | 216.157.38.201 | US | | | VandaTheGod |
| http://www.sgrc.gov.tt/ | 26/07/2019 | Win2012 | IIS/8.5 | 66.132.247.251 | CA | DNN | http://digitalbusiness.com/ | ErrOr SquaD |
| http://tenders.powergen.co.tt/ | 26/07/2019 | Win2012 | IIS/8.5 | 216.157.39.195 | US | DNN | http://digitalbusiness.com/ | VandaTheGod |
| http://diwalidiyaapp.com | 26/07/2019 | Win2012 | IIS/8.5 | 216.157.38.201 | | | http://digitalbusiness.com/ | |

Information compiled by Trinidad and Tobago Computer Society (https://ttcs.tt) using information from Zone H (http://zone-h.org)