Who is Zambrius, the Portuguese hacker who gained access to important state structures?

He entered the system that manages the Brazilian elections and was sentenced to six years for hacking Benfica and Altice, in 2020. Pending the outcome of the appeal, the hacker returned in April by making public several accesses to some of the most important structures of the Portuguese state

“There is always something happening in the suburbs of the internet,” says the hacker who, at 19, had already hacked into some of the biggest companies and public infrastructures in Portugal and Brazil.

With a group of hackers he led Cyberteam, Tomás Pedroso, known to the Internet world as Zambrius, gained access to Benfica’s computer systems, obtained some of Altice’s most confidential data, as well as the network which supports the Brazilian electoral system and the three branches of the General Staff of the Armed Forces. However, at the age of 21, pending the outcome of the appeal he presented against the six-year prison sentence to which he was sentenced, the pirate showed that he had accessed the Garcia hospital in Orta (at least 16 days before the ransomware attack), the patient transport service ARS Centro, the platform that manages the financial resources of the SNS and the application that stores the national examinations.

Sensitive public services are hacked by hackers: the armed forces, health and education are vulnerable

However, this young man’s journey into the most hidden places on the Internet began years ago. At just 16, he dominated the computer world to such an extent that he had already managed to access some of the platforms of the highest state structures, such as the Judicial Police or the General Prosecutor’s Office, alongside other members of the CyberTeam. He will end up being caught and detained by the authorities, being interned for two years in an educational center.

Attack on the Brazilian elections

With other hackers, the young man who will have difficulty socializing and lack attention, as reported in the prosecution’s indictment, took advantage of his house arrest, between May and November, to access the network Oracle which managed data from the Brazilian Superior Electoral Tribunal (TSE) during the first round of municipal elections. At CNN Portugal, the hacker admits having accessed the network, but rejects the accusation of having manipulated information which had caused changes during the elections.

“I did not manipulate any information, although I had access to the computers and databases of the multinational Oracle, responsible for electoral processing,” he wrote to CNN Portugal.

He was arrested by the judicial police in November 2020, during a joint operation with the Brazilian authorities, where three young people were identified and detained “for the continuous practice of crimes of abusive access, computer damage and computer sabotage “.

The Zambrius name has gained prominence since then, becoming known for hundreds of DDOS attacks, which flood servers and render them inoperable, website downgrades, which damage internet pages, and SQL-Injection, where it operates website vulnerabilities to give commands.

Currently, Tomás Pedroso is free pending the appeal of the six-year prison sentence, with the obligation to appear twice a week and the ban on leaving the country. He was charged with 28 misdemeanors of aggravated unlawful access, misuse of data and computer damage.

Attack on Benfica and Altice

In the court judgment which has now found him guilty of computer crimes, the hacker was accused of having invaded the website of telecommunications operator MEO, Altice. The prosecution believes that Tomás managed to access the company’s databases and “exfiltrated data, including name and address, of customers contained in sales tables and door-to-door sales employees. -port”. In total, Zambrius had access to more than 123,325 company data, including name, address, mobile number and the companies they work for.

Another of the Portuguese youngster’s abusive accesses took place in March 2020, when he managed to enter the MyBenfica portal, used as the back office for the Fundação Benfica website, which was used by the site administrators for the content management and introduction. Then the hacker made available the credentials of 114 club workers.

Hacktivism or cybercrime

In the prosecution’s indictment, the practices carried out by the hacker are described as “illicit of a cybernetic nature”, which the young man describes as hacktivism, “as a form of political protest carried out by cybernetic invasion and incitement to civil disobedience”. ”. ”. Thus, in the company of “unidentified individuals”, the young man explored various public and private systems, “evolving privileges and causing configuration changes to the databases associated with the respective sites or other functionalities”.

This was the case during the attack on Jornal da Madeira, in which Zambrius caused the newspaper’s website to be re-branded, inserting an image of an individual with his face covered, wearing a balaclava and working on a computer, along with a message against the politician André Ventura, president of Chega! : “Hacked by Cyberteam (…) CyberTeam was there! #antiventura André Ventura who f…! The system that f…! Ps: I no longer have the patience to write a cute text with fancy words!”

The Portuguese Association of Football Referees (APAF) has not escaped CyberTeam either. The hacker managed to modify the image of the site, which now displays a photograph of Rui Pinto, with a message in which the group questions the investigation carried out by the Portuguese authorities, who did not take into account the information made public on the Football Leaks website. “What is Portugal doing to fight corruption in football? “wrote the group.

The prosecution specifies that when the young man succeeded in attacking a target, he proceeded to copy and “exfiltrate information contained in the databases”, finally claiming responsibility for the attacks on social networks.

cyber team

In CyberTeam’s history of attacks, there are hundreds of large-scale intrusions, including EDP. On April 13, 2020, the Portuguese electricity company was the target of a cyberattack that severely affected customer service systems. The claim came the next day, via Twitter, where the hackers threatened to attack Altice and carry out a full-scale attack on April 25 this year.

At the time, they said in a Facebook post that around 80% of Portuguese websites could be edited by the group. The hacking collective also claimed to have “access to several important systems in the private and public sector, including some courts, clubs, private companies” and added that “if necessary” they would hack into a television network.

At CNN Portugal, the young man assures that the group of hackers he helped to found is inactive.

the return

All you need is a smartphone, and with time and patience you can find vulnerabilities and exploit them. This is what happened with the loopholes he found in April this year, when he published on Twitter a series of visits to various platforms critical of the Portuguese state, including a page of the Garcia de Orta Hospital, the ARS Centro patient transport platform and the National Examination Jury.

Responding in writing to CNN Portugal, who asked him about the motivations for what Justice has already considered to be crimes, the hacker affirms that these attacks only serve “to notify” the authorities of the weaknesses that exist in the networks, claiming to be available to share the vulnerabilities of these systems with the network administrator. The hacker justifies the emphasis on health, education and defense by saying that they serve to demonstrate that these areas “that hackers normally seek out for profit” are not secure.

When asked if he would be available to work with the authorities to find and fix flaws in the Portuguese state’s critical systems, Tomás Pedroso responds with a question: “Why not?”.

Another of the hacker’s targets were dozens of servers from the three branches of the General Staff of the Armed Forces (EMGFA). Two years after successfully breaking into these platforms and being tried for it, the hacker claims to have been able to access the same servers again, through the same vulnerabilities found in the past. To CNN Portugal, an official EMGFA source said that the 2020 vulnerabilities “have been analyzed and the measures deemed appropriate have been taken”.

“There are a multitude of attack options within servers. An attacker can steal information from users and use it to sell or for their own use, such as accessing ATMs or even bank accounts, can apply phishing scams, inject ransomware to demand ransom, use the victim’s server for future attacks or mining bitcoins, the attacker grabs the target as if he owns it; in short, the attacker can completely manipulate the network and do whatever they want with it,” the hacker explains.

Leave a Comment