
Alleged NATO Data Theft Leaked Hundreds of Sensitive Documents and Thousands of User Records

The North Atlantic Treaty Organization (NATO) military alliance is investigating an alleged data theft by the hacktivist group SiegedSec.

The threat actor claims to have breached the Communities of Interest (COI) Cooperation Portal and stolen hundreds of sensitive documents intended for NATO countries and partners.

SiegedSec said the data breach was unrelated to the ongoing conflict between Russia and Ukraine. Instead, the group described it as a response to NATO’s human rights violations and added that it was “fun to leak documents.”

NATO data theft seems legitimate

Threat intelligence firm CloudSEK analyzed the 845 MB of compressed data leaked and found unclassified information and 8,000 employee records from 31 nations.

The leaked data contained names, business email addresses, home addresses, companies and units, working groups, job titles, and photos. Additionally, CloudSEK discovered 20 unclassified documents, with SiegedSec claiming up to 700. Some leaked files were several years old, while others were as recent as July 2023.

Although the nature of the information in most leaked documents remains a mystery, some had a list of software used by NATO, vendor details, and version numbers.

Acknowledging daily attempted breaches by various threat groups, NATO said the alleged data theft was under investigation. Additionally, its engineers were working to strengthen its ability to prevent, detect, and respond to such incidents, and mitigations were in progress.

“NATO cyber experts are actively looking into the recent claims associated with its Communities of Interest Cooperation Portal,” the military alliance spokesperson said. “We face malicious cyber activity on a daily basis and NATO and its allies are responding to this reality, including by strengthening our ability to detect, prevent and respond to such activities.”

However, the alleged data theft did not impact NATO operations, and its “classified networks” were unaffected.

Nevertheless, the sensitive information leaked could have serious security implications for the impacted individuals.

SiegedSec has not disclosed how it breached NATO’s COI portal, but CloudSEK speculated that the group acquired user account information via stealer logs.

“Over the last few months there have been claims by multiple groups of NATO leaks but the screenshots they’ve provided look legitimate,” said Rosa Smothers, former CIA Cyber Threat Analyst and current SVP of Cyber Operations at KnowBe4.

SiegedSec targets organizations indiscriminately

Since February 2022, SiegedSec has leaked documents, emails, and databases from over 30 organizations worldwide and defaced over 100 domains.

Its most vocal member, YourAnonWolf, was an active Breached Forums contributor. The group’s posts usually include vulgarity of varying degrees, from juvenile to outright distasteful.

In February 2023, SiegedSec claimed responsibility for a data theft at Atlassian, carried out via Envoy, a third-party resources coordination app, that leaked personal information and floor plans of the Sydney and San Francisco offices.

SiegedSec indiscriminately targets organizations without any obvious geopolitical preference and claims the latest NATO data theft had nothing to do with the Russia-Ukraine war.

“We’d like to emphasize this attack on NATO has nothing to do with the war between Russia and Ukraine, this is a retaliation against the countries of NATO for their attacks on human rights (- Also, its fun to leak documents ^w&^),” posted SiegedSec.

However, its double standards on human rights violations raise serious doubts about its alleged neutrality.

“Interesting that they targeted NATO for what they claim are human rights abuses, yet there’s no indication they’ve attacked the Russian government,” Smothers noted.

Seemingly, the alleged NATO data theft was an opportunistic cyber attack rather than targeted hacktivism in support of human rights.