A theft of NATO documents of “extreme gravity” from the government of Portugal appears to have been caused by a breach in security protocol, allowing files that should have been air-gapped to be accessible via the internet. The documents later surfaced for sale on a dark web site.
Hundreds of documents were reportedly stolen and made available in this way, and the Portuguese government is facing tough questions about why the breach was not discovered for weeks. The incident was not discovered until United States intelligence came across the pilfered NATO documents on the dark web.
NATO documents stolen without Portugal’s knowledge, not detected until offered for sale
The NATO documents were taken from the Armed Forces General Staff agency of Portugal (EMGFA), the government body that essentially runs the country’s military. The breach is thought to have occurred sometime over the summer, but its exact timing has not been pinpointed, because EMGFA was completely unaware of it until the documents surfaced on the dark web.
The NATO documents were not discovered by US intelligence until they had been sold via a dark web auction site. Agents notified the US embassy in Lisbon, which in turn notified the Portuguese government, which has ordered a complete screening of the EMGFA network to be conducted by the nation’s cybersecurity center and the National Security Office (GNS).
Inside sources told local Portuguese media that the stolen NATO documents were of “extreme gravity.” They are the type of documents that are required by protocol to be kept on air-gapped systems, but the sources say that bots programmed to scan for these sorts of documents picked them up via the internet. The attack was reportedly conducted over an extended period of time and in several stages. The Portuguese government has yet to comment on the attack or on these media reports.
If the reports are to be believed, the most likely cause is that someone connected the air-gapped systems to an internet-connected portion of the internal network for the sake of convenience.
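As an added illustration (not from the article, and not EMGFA's own tooling), here is a defender-side audit for exactly the failure mode described above: it checks hosts inventoried as air-gapped for a default route or any route outside an assumed enclave allowlist, using constructed `ip route` output that an out-of-band collector would have gathered. The allowlist, host names and route text are all assumptions.

```python
"""Audit that hosts inventoried as air-gapped have no route out of their enclave.

Constructed example: each host's routing table is the text of `ip route`,
collected out-of-band (serial console, removable media), never over the network.
"""
import ipaddress
from dataclasses import dataclass, field

# Networks an air-gapped enclave is allowed to route to (assumed value).
ALLOWED_NETS = [ipaddress.ip_network("10.50.0.0/16")]


@dataclass
class Finding:
    host: str
    problems: list = field(default_factory=list)


def parse_routes(ip_route_text):
    """Return (destination, via-gateway-or-None) pairs from `ip route` lines."""
    routes = []
    for line in ip_route_text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((parts[0], via))
    return routes


def audit_host(host, ip_route_text):
    """Flag a default route (internet reachable) or any route outside the enclave."""
    finding = Finding(host)
    for dest, via in parse_routes(ip_route_text):
        if dest == "default":
            finding.problems.append(f"default route via {via}: internet reachable")
            continue
        net = ipaddress.ip_network(dest, strict=False)
        allowed = any(net.version == a.version and net.subnet_of(a) for a in ALLOWED_NETS)
        if not allowed:
            finding.problems.append(f"route to {dest} outside enclave allowlist")
    return finding


def audit(inventory):
    """inventory: {host: ip_route_text}. Return findings only for hosts with problems."""
    findings = []
    for host, text in inventory.items():
        f = audit_host(host, text)
        if f.problems:
            findings.append(f)
    return findings


# Constructed sample: vault-b has been bridged to a routable office LAN.
SAMPLE = {
    "vault-a": "10.50.1.0/24 dev eth0 proto kernel scope link src 10.50.1.7\n",
    "vault-b": ("default via 192.168.10.1 dev eth1\n"
                "10.50.1.0/24 dev eth0 proto kernel scope link src 10.50.1.8\n"
                "192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.44\n"),
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f.host, f.problems)
```

Run it against an inventory that is maintained independently of the hosts themselves; a host that silently gained a second interface is precisely the one that would not report itself.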
John Vestberg, CEO of Clavister, sees this as a teaching moment for all NATO members: “While any kind of data breach is concerning, this effect is compounded wherever such sensitive documents are involved. The fact that it took weeks for the Portuguese authorities to be alerted by the US also signals an alarming lack of monitoring, or at the very least a failure to adhere to strong cybersecurity policy. Organisations like NATO must invest in ‘defence in depth’ by implementing multiple layers of defence, particularly given the current geopolitical tensions surrounding the ongoing war in Ukraine. On an individual level, a crucial element of this breach relates to upskilling staff and ensuring that rules and protocols are closely followed. In this case, classified documents were improperly transmitted and exfiltrated by sophisticated bots, which goes to show the extent to which cyber criminals will carefully orchestrate these attacks. Not only is the attack concerning on its face, it also sends a message to other threat actors that even the most sensitive documents can be compromised quickly and, in this case, covertly. Organisations and public bodies like the Portuguese department of defence need to ensure they deploy robust and crucially flexible security measures in future to mitigate against such breaches.”
Dark web sale of sensitive documents poses unknown risks to NATO
NATO policy is to not publicly discuss leaks of classified information, so there will likely continue to be uncertainty about this breach and subsequent dark web auction.
It is unclear whether this is connected to the theft of the NATO documents in any way, but in early August Minister of Defense Helena Carreiras issued an order for an additional €11.5 million to be allocated to training and consulting services related to cyber defenses over the next eight years.
The incident raises fresh questions of NATO partner cybersecurity readiness shortly after an August hack of France’s MBDA Missile Systems saw classified intelligence documents stolen and sold on the dark web. MBDA manufactures missiles that are supplied by NATO and are currently being used in the Ukraine war. Reports indicate that an external hard drive belonging to one of MBDA’s suppliers was hacked; 80GB of documents surfaced on a dark web forum and were sold to at least one buyer at a price of 15 bitcoins. That breach appears to have included NATO documents rated “secret” and “classified,” but did not carry the top “cosmic secret” designation. A sample of the files indicated they were produced from 2017 to 2020.
NATO documents were also reportedly part of the wide-ranging 2020 data breach of the US federal government, which occurred through upstream technology partners such as Microsoft and SolarWinds. That attack has been attributed to Russia’s state-backed advanced persistent threat teams seeking intelligence rather than to dark web criminal profiteers. The involvement in the Portuguese case of these relatively less sophisticated criminal groups, which had previously steered clear of powerful government targets in the interest of not attracting too much law enforcement attention to themselves, is a concerning development.
Criminals have grown increasingly bold, with the Conti ransomware group threatening to “overthrow” the government of Costa Rica during a recent attack.
Sally Vincent, Senior Threat Research Engineer at LogRhythm, notes that there has been a recent string of smaller attacks of this nature that demonstrate cyber criminals are losing their fear of government reprisal and seeing money in stealing secrets that only nation-state advanced persistent threat groups used to be interested in: “The attack on EMGFA follows other recent attacks on government organizations. Just last month, the Dominican Republic Instituto Agriculturo and Argentina’s Judiciary of Córdoba suffered similar ransomware attacks—unfortunately, government agencies’ wealth of sensitive information makes them attractive targets for cybercriminals and this attack on EMGFA has dire consequences. The exposure of nation-state secrets on the dark web not only puts Portugal’s military credibility in jeopardy, but also undermines NATO security. Allegedly, the cyberattack occurred after EMGFA broke its operational security rules. To prevent a similar attack from occurring, organizations must develop robust regulations around their cybersecurity protocols and stick to them. Additionally, organizations should keep their prevention and detection technologies top of mind, ensure that they have the appropriate protective controls in place and verify that they have visibility into what is happening across their environment.”
NATO met in June to extend its cybersecurity collaboration efforts to partners in the Asia-Pacific region for the first time, in the interest of coordinating quick responses in the face of growing regional threats from both China and Russia. The organization also reaffirmed a 2021 decision that a cyber attack on one member state could be considered a violation of Article 5 of the North Atlantic Treaty, making it an attack against the body as a whole.