Hundreds of NATO documents sent to Portugal discovered for sale on dark web
NATO headquarters in Brussels

Hundreds of NATO documents sent to Portugal discovered for sale on dark web

Case of “prolonged and unprecedented cyberattack” deemed of “extreme gravity”

The nerve centre of Portugal’s Armed Forces, EMGFA, has been the target of a “prolonged and unprecedented cyberattack” that resulted in the exfiltration of classified NATO documents, Diário de Notícias reports today.

According to the paper, Portugal’s government was informed by US intelligence services, through the US embassy in Lisbon, in a communication that was made directly to the prime minister, António Costa, in August.

The case is deemed to be of “extreme gravity”. US intelligence cyberspies detected “for sale on the darkweb hundreds of documents sent by NATO to Portugal, classified as secret and confidential.

The prime minister’s office is now handling the case, and has told State news agency Lusa that it has “nothing more to add” to the facts revealed so far.

A source said: “The government can guarantee that the Ministry of National Defence and the Armed Forces are working every day so that Portugal’s credibility as a founding member of the Atlantic Alliance remains intact.

The source added that “the exchange of information between allies in terms of security of information is permanent on a bilateral and multilateral level (…) Whenever there is a suspicion of compromising the cybersecurity of information system networks, the situation is extensively analysed and all procedures are implemented to reinforce cybersecurity awareness and the correct handling of information to face new types of threats.

“If, and when, a compromise of security is confirmed, the subsequent investigation on whether there was disciplinary and/or criminal responsibility automatically determines the adoption of the appropriate procedures.”

NATO is expecting “explanations and guarantees from the Portuguese government”. To this end a representative for the prime minister will be travelling to NATO headquarters in Brussels next week for “a high level meeting” with the organisation’s ‘Office of Security’.

Vice-Admiral Gameiro Marques is responsible for the security of classified information sent to our country, explains DN, so he is the logical choice to give explanations and guarantees. He is expected to be accompanied by the secretary of state for digitalisation and administrative modernisation Mário Campolargo.

EMGFA under suspicion

For now it looks like the ‘exfiltration’ (or hack) took place on EMGFA computers, principally those used by CISMIL (the department for military secrets) and the general directorate of resources of national defence.

Says DN, a preliminary investigation suggests “security rules for the transmission of classified documents had been broken”.

Sources have explained that ‘non-secure lines’ were used for the receipt and forwarding of classified documents, instead of the SICOM system in place (SICOM standing for Integrated System of Military Communications).

Other sources have suggested the attack itself was “prolonged in time and undetectable”, using specially crafted bots to search for the specific type of documents that were ultimately exfiltrated.

The “how”, the “why” and “by whom” is now what is under investigation, principally by the national office of security (GNS), External Secrets (the Serviço de Informações Estratégicas de Defesa), and the secret service (Serviço de Informações de Segurança). 

This is not the first time Portugal has been involved in a breach of security of NATO documents, but it does look like perhaps a much more serious situation this time.

Victor Madeira, National Security Specialist and Associate Researcher at the Center for Information Resilience, in the United Kingdom, highlights that “this case, once again, demonstrates three essential pillars in the fight against hostile activities in the cyber domain: constant situational awareness, both regularly updated through training and state-of-the-art equipment for talented specialists in this field. Second, the fundamental importance of any truly sovereign state having effective counterintelligence functions – both in the more traditional domain of human espionage, but also in the cyber domain. Without this critical foundation, all other state functions, and eventually sovereignty itself, crumble. Finally, a third pillar is the continued importance of National Security and Defense alliances and partnerships. Without constant collaboration between allied security and information services, the threat landscape by hostile actors would be much worse. Especially in the cyber domain, where every second is precious.”

Says DN: “An order signed by the Minister of Defense, Helena Carreiras, on August 5th, reinforces compliance with the Military Programming Law, in terms of Cyberdefence – whose budget execution was around 30% in 2021.

In the order, Helena Carreiras determined that from 2022 to 2030, €11.5 million will be invested in “training and consulting services specialized in cyber defence and in the conduct of military operations in, and through, cyberspace”.

[email protected]