When a massive cyber attack wrecked everything from Swedish supermarkets to New Zealand kindergartens this month, a group of Dutch ethical hackers breathed a collective sigh of frustration. They had been so close to stopping it.
If the Dutch Vulnerability Disclosure Institute (DIVD) sounds obscure, that is because it keeps a discreet presence on the Internet.
This volunteer army of unpaid tech geeks has quietly prevented hundreds of cyberattacks since 2019 by finding holes in websites and software that could be exploited by hackers.
“You can see us as a volunteer fire brigade,” said DIVD chairman Victor Gevers in an interview from his home in The Hague, a dog yapping at his ankles.
“Your house is on fire, there are flames, and then random people with Dutch accents show up and start putting out the fire.”
The bearded hacker refused to reveal his age, but he has been making these “responsible disclosures” for nearly two decades.
He is best known for successfully accessing Donald Trump’s Twitter account – not once, but twice.
– ‘Oh God, why him?’ –
Just before the 2016 US election brought Trump to power, Gevers and two friends decided to make sure the then-candidate did not use a password that had previously been leaked online.
A giant hack of LinkedIn had revealed that the password “yourefired” – Trump’s catchphrase from his time on The Apprentice TV show – was used on an account in his name on the business networking site.
And after trying the same password on Twitter alongside several different email addresses, the Dutch hackers were appalled to see Trump’s personal page load in front of their eyes.
They rushed to brief Trump’s campaign and the US authorities, stressing that if they could access his account, so could more malicious hackers. But they never heard anything.
So when Gevers managed to hack Trump’s Twitter again last year – this time with the password “maga2020!” – his heart sank.
“Honestly, it was like, ‘Oh God, why him?’” Gevers recalled. He knew he would have to go through the effort of contacting Trump again, and would likely be ignored, while the account stayed open to attack.
That was an alarming prospect. Trump’s feverish Twitter presence gave him a megaphone to address around 90 million people directly. And, as the violence in the US Capitol showed a few months later, his posts were able to stir up an inflammatory atmosphere.
“Imagine there was a tweet that said something like ‘start throwing axes at cops,’” said Gevers. “There would be many followers who followed him blindly.”
This time, instead of being ignored, Gevers’ hack made international headlines and prompted a stressful criminal investigation.
Though the White House denied it ever happened, Dutch prosecutors said in December they were satisfied that Gevers had actually accessed Trump’s account.
And luckily for Gevers, they found that he “met the criteria developed in case law to become free as an ethical hacker”.
– Race against ‘the bad guys’ –
This law makes it easier for ethical hackers to operate in the Netherlands than in countries like the US or the UK, where forays into people’s accounts – even if well intentioned – involve greater legal risks, says Gevers.
He also founded the GDI, a similar “online fire service” that operates internationally from India to Portugal.
“We do this volunteer work because we have to leave something good behind for the next generation,” he said.
During the pandemic, volunteers became increasingly concerned about vulnerabilities in VPNs and other tools that allow computers to be managed remotely – tools that are in ever wider use, with no end to the home office trend in sight.
Kaseya, the Miami-based IT company that was hit by a spectacular cyber attack on July 3, had been on the DIVD’s radar for months. Thousands of companies use its software to manage their printer and computer networks.
DIVD colleague Wietse Boonstra had discovered a major problem with Kaseya’s software in April, and the ethical hackers had been urgently helping the company come up with a fix.
To their dismay, the Russian-language hacker outfit REvil got there first. They took advantage of the vulnerability to launch a massive ransomware attack, encrypting the data of hundreds of companies and demanding $70 million in Bitcoin in exchange for its release.
“It sucks,” said Gevers. “I don’t mind that the bad guys are faster – what bothers me is that there are victims.”
The hack hit around 1,500 companies worldwide and knocked out the tills of the Swedish supermarket chain Coop. Gevers continues to work with those affected.
“If the Red Cross can help victims around the world, why can’t we?” Gevers said. “The only thing is that we do it behind a keyboard.”
© 2021 AFP