When a massive cyber attack destroyed everything from Swedish supermarkets to New Zealand kindergartens this month, a group of ethical Dutch hackers let out a collective sigh of frustration. They had come so close to stopping it.
If the Dutch Institute for Vulnerability Disclosure (DIVD) sounds obscure, that matches its low-key internet presence.
This volunteer army of unpaid tech geeks has quietly prevented hundreds of cyber attacks since 2019 by finding holes in websites and software that could be exploited by hackers.
“You can see us as volunteer firefighters,” said Victor Gevers, president of DIVD, in an interview from his home in The Hague with a dog barking at his ankles.
“Your house is on fire, there are flames coming out of it, then random people with Dutch accents show up and start putting out the fire.”
The bearded hacker refused to give his age, but he has been making these “responsible disclosures” for nearly two decades.
Most famously, he successfully accessed Donald Trump’s Twitter account – not once, but twice.
– ‘Oh my God, why him?’ –
Just before the 2016 U.S. election brought Trump to power, Gevers and two friends decided to make sure the then-candidate wasn’t using a password that had already been leaked online.
A massive LinkedIn hack revealed that the password “yourefired” – Trump’s slogan from his days on The Apprentice TV show – was used for an account in his name on the business networking site.
And after trying the same password on Twitter with several different email addresses, the Dutch hackers were horrified to see Trump’s personal page load up before their eyes.
They rushed to brief Trump’s campaign and US officials, pointing out that if they could gain access to his account, malicious hackers could too. But they never got an answer.
So when Gevers managed to hack Trump’s Twitter again last year – this time with the password “maga2020!” – his heart sank.
“Honestly, it was like ‘Oh my God, why him?’,” Gevers recalls. He knew he would have to make rigorous efforts to contact Trump again, which would likely be ignored – while leaving his account open to attack.
It was an alarming prospect. Trump’s feverish Twitter presence gave him a megaphone to speak directly to some 90 million people. And as the violence at the US Capitol showed a few months later, his messages were capable of fueling an incendiary atmosphere.
“Imagine there was a tweet that said something like ‘start throwing axes at the cops’,” Gevers said. “There would be a lot of followers who would follow him blindly.”
This time, instead of being ignored, Gevers’s hack made international headlines and led to a stressful criminal investigation.
While the White House has denied that this ever happened, Dutch prosecutors said in December that they were confident Gevers had indeed accessed Trump’s account.
And luckily for Gevers, they determined that he “meets the criteria that have been developed in case law to break free as an ethical hacker.”
– Race against ‘the bad guys’ –
This law makes it easier for ethical hackers to operate in the Netherlands than in countries like the United States or the United Kingdom, where incursions into people’s accounts – even well-intentioned ones – present greater legal risks, Gevers explains.
He also founded the GDI, a similar “online fire brigade” working internationally from India to Portugal.
“We are doing this volunteer work because we have to leave something good behind for the next generation,” he said.
During the pandemic, volunteers became increasingly concerned about the weak points of VPNs and other tools that allow remote management of computers – tools that are increasingly used, with no end in sight to the work-from-home trend.
Kaseya, the Miami-based IT company targeted in a spectacular July 3 cyberattack, had been in DIVD’s sights for months. Thousands of companies use its software to manage their printer and computer networks.
Another DIVD researcher, Wietse Boonstra, spotted a major problem with Kaseya’s software in April, and the ethical hackers worked frantically to help the company develop a fix.
Much to their dismay, the Russian-speaking hacking group REvil got there first. They exploited the vulnerability to stage a massive ransomware attack, encrypting the data of hundreds of companies and demanding $70 million in bitcoin in return for its release.
“It sucks,” Gevers said. “I don’t mind that the bad guys are faster – what bothers me is that there are casualties.”
The hack affected around 1,500 businesses worldwide and wiped out the cash registers of the Swedish supermarket chain Coop. Gevers always works with the people concerned.
“If the Red Cross can help victims around the world, why can’t we?” said Gevers. “The only thing is we’re doing it behind a keyboard.”
© 2021 AFP