NATO documents stolen in breach of Portuguese forces found for sale on dark web

A theft of “extremely serious” NATO documents from the Portuguese government appears to have been caused by a breach of security protocol that left files which should have been held on air-gapped systems reachable from the Internet. The documents later surfaced for sale on a dark web site.

Hundreds of documents have reportedly been stolen and exposed in this way, and the Portuguese government is facing difficult questions as to why the breach went undetected for weeks. The incident only came to light when the United States Secret Service found the stolen NATO documents on the dark web.

NATO documents stolen without Portugal’s knowledge, only discovered when put up for sale

The NATO documents come from the General Staff Agency of the Armed Forces of Portugal (EMGFA), the government agency that essentially runs the country’s military. The breach is believed to have occurred sometime over the summer but has not yet been pinpointed as the EMGFA was unaware of it until the documents surfaced on the dark web.

The NATO documents were only discovered by US intelligence after they were offered through a dark web auction site. Agents notified the US Embassy in Lisbon, which in turn notified the Portuguese government, which ordered a full review of the EMGFA network by the National Cybersecurity Center and the National Security Office (GNS).

Inside sources told local Portuguese media that the stolen NATO documents were of “extreme gravity”. They are the type of document that protocol requires to be kept on air-gapped systems, but the sources say bots programmed to scan for these types of documents picked them up over the internet. The attack was reportedly carried out over an extended period of time and in several phases. The Portuguese government has not yet commented on the attack or on these media reports.

If the reports are to be believed, the most likely cause is that someone connected the air-gapped systems to an internet-connected part of the internal network for convenience.

John Vestberg, CEO of Clavister, sees this as a lesson for all NATO members: “While any kind of data breach is worrying, this effect is amplified when dealing with such sensitive documents. The fact that it took weeks for Portuguese authorities to be alerted by the US also signals an alarming lack of surveillance, or at least a failure to adhere to strict cybersecurity policies. Organizations like NATO need to invest in ‘defense in depth’ by implementing multiple layers of defense, especially given the current geopolitical tensions surrounding the ongoing war in Ukraine. At an individual level, a critical element of this violation involves staff training and ensuring that rules and protocols are followed closely. In this case, secret documents were improperly delivered and exfiltrated by sophisticated bots, showing the extent to which cyber criminals carefully orchestrate these attacks. Not only does the attack look worrisome, it sends a message to other threat actors that even the most sensitive documents can be compromised quickly, and in this case covertly. Organizations and public bodies such as the Portuguese Ministry of Defense need to ensure that they deploy robust and highly flexible security measures to deter such breaches in the future.”

Dark web selling of sensitive documents poses unknown risks for NATO

NATO policy is not to discuss leaks of classified information publicly, so there is likely to remain uncertainty about this breach and the subsequent dark web auction.

It is unclear whether it is linked in any way to the theft of the NATO documents, but in early August Defense Minister Helena Carreiras issued an order making an additional €11.5 million available for cyber defense-related training and advisory services over the next eight years.

The incident raises new questions about NATO partners’ cybersecurity preparedness, coming shortly after an August hack of French missile maker MBDA in which classified documents were stolen and sold on the dark web. MBDA manufactures missiles supplied by NATO members and currently used in the Ukraine war. An external hard drive belonging to a vendor was reportedly compromised; 80GB of documents surfaced on a dark web forum and were sold to at least one buyer for 15 bitcoins. This breach appears to have included NATO documents marked “Secret” and “Classified”, but none carrying the highest NATO designation, “Cosmic Top Secret”. A sample of the files indicated that they were created between 2017 and 2020.

NATO documents were also reportedly caught up in the sweeping 2020 breach of the US federal government, which was carried out through upstream technology suppliers such as Microsoft and SolarWinds. That attack was attributed to Russian state-backed advanced persistent threat groups seeking intelligence, not to criminal profiteers on the dark web. The involvement of financially motivated groups, relatively less experienced and previously inclined to steer clear of powerful government targets to avoid drawing law enforcement attention, is a worrying development.

Criminals are getting bolder, with ransomware group Conti threatening to “overthrow” the Costa Rican government during a recent attack.

Sally Vincent, Senior Threat Research Engineer at LogRhythm, notes that there have been a number of smaller attacks of this nature recently, showing that cybercriminals are losing their fear of government reprisals and are making money from stealing secrets that previously interested only nation-state advanced persistent threat groups: “The attack on EMGFA follows other recent attacks on government organizations. Just last month, the Instituto Agrario Dominicano of the Dominican Republic and the Argentine Judiciary of Córdoba suffered similar ransomware attacks – unfortunately, the wealth of sensitive information held by government agencies makes them attractive targets for cybercriminals, and this attack on EMGFA has dire consequences. The disclosure of nation-state secrets on the dark web not only endangers Portugal’s military credibility, but also undermines NATO’s security. Allegedly, the cyber attack happened after EMGFA violated its operational security rules. To prevent a similar attack from occurring, organizations must develop and adhere to robust regulations for their cybersecurity protocols. Additionally, organizations should keep an eye on their prevention and detection technologies, make sure they have adequate protections in place, and make sure they have visibility into what’s going on around them.”

NATO met in June to extend its cybersecurity cooperation efforts to partners in the Asia-Pacific region for the first time, aiming to coordinate rapid responses to growing regional threats from both China and Russia. The organization also reiterated its 2021 position that a cyberattack on a member state could be treated as triggering Article 5 of the North Atlantic Treaty, making it an attack on the alliance as a whole.
