Cyber Incident Victim: Salvador, Bahia, Brazil

Date:

Jan 2022

Location:

Brazil

Summary

A cyberattack defaced approximately 20 government websites hosted by the state data processing company Prodeb, attributed to a group using the "Shawdy Boy" signature previously linked to an incident impacting 245 municipal sites in Santa Catarina. The attackers demonstrated privileged server access through defacement screens, though Prodeb confirmed no internal structural alterations, data breaches, or deletions occurred. Affected agencies included security, civil police, and infrastructure departments, with services temporarily disrupted before gradual restoration. The same group claimed responsibility for additional defacements targeting Piauí government domains via Zone-H, while Bahia's Security Secretariat launched an investigation involving civil police and intelligence units.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 2 actors
Type: Available to members
Location: Available to members

Description

On January 20, 2022, a cyberattack targeted 20 websites belonging to the government of Bahia, Brazil, hosted by the state's data processing company Prodeb. The attackers defaced the sites, displaying a signature identifying themselves as "Shawdy Boy" – the same alias used in a December 2021 attack that disrupted 245 municipal websites in Santa Catarina state. Affected entities included critical state secretariats: Public Security, Civil Police, Administration, Equality, Infrastructure, Justice and Human Rights, and the Civil Office. Prodeb did not issue an official statement but confirmed to media that the attack did not alter internal website structures or compromise public data through access, leaks, or deletion. The defacement screens displayed output of the 'uname' command, which indicated the attackers had obtained privileged server access. The government temporarily deactivated all compromised sites and began gradual restoration throughout the day.

Bahia's Public Security Secretariat (SSP) launched an investigation through the Civil Police with support from the Superintendency of Intelligence. The attackers registered their defacements on Zone-H, a platform documenting website vandalism, and also claimed responsibility for targeting government domains in Piauí state. This group previously operated as "$hawty Boy" during the Santa Catarina incident, maintaining connections to a Twitter account "@PrCyberMafia" (Paraná Cyber Mafia). While Prodeb asserted no data exfiltration occurred, the repeated use of attacker infrastructure across multiple states demonstrated persistent targeting of Brazilian government entities. Restoration efforts prioritized returning sites to operational status without public disclosure of technical remediation measures or attribution conclusions.
