Just as stories have begun pointing to the involvement of Russia in the recent spate of cyberattacks in Portugal, SIC has reported that a Russian hacker has been identified as “selling illegal access to a Portuguese telecoms company with revenue of between one and four billion dollars”.
“I will hear your proposals,” said his announcement, which proposed a starting price of 2500 dollars (around €2,100).
Could that operator be Vodafone? Or could it be Altice? Two days after the New Year hack of the Impresa Group, a publication on Twitter announced a “loss of data en masse” from the repositories of Altice Portugal, writes Expresso – and the company neither confirmed nor denied it.
The timeline doesn’t necessarily fit for Vodafone – in that the ‘for sale’ announcement on the ‘dark web’ (the overlay networks that use the internet but require specific software because users seek anonymity) was trailed two weeks before last Monday’s hack.
Another ‘anomaly’ is that Vodafone has insisted none of its data was compromised.
For now, the PJ cybercrime unit and SIS (Portugal’s intelligence agency) are trying to work out which telecoms company the announcement refers to.
Expresso says tech experts are worried about a code he has revealed (Citrix + Local Admin), as it suggests he has managed to access the system he is trying to sell and has become a local administrator.
If that has happened, he “could have a lot of power eventually for damage”.
One aspect investigators appear to be fully agreed on is that the spate of cyberattacks so far this year has come from disparate sources. They are not the work of one group. This ‘fits’ the current narrative, in that so far the Lapsus$ group has only claimed the fairly devastating attack on the Impresa group.
The worrying aspect is that the Vodafone attack was ‘massive’.
Says Expresso: “Specialists are unanimous: there has never been a cyberattack of the dimension that happened to Vodafone in Portugal. It was done with the clear intention to destroy and make recovery of operations difficult. The ‘blackout’ began at 9pm on Monday, and lasted one hour, but the effects will continue for some time, at least on an internal level and in the operation of the business – something that won’t be visible in service to customers.
“It was a violent attack to the very core of Vodafone in Portugal, unexpected and impactive” – an act of terrorism, in the words earlier this week of Vodafone executive president Mário Vaz.
As previous reports have explained, the attack affected almost five million users, including critical services like INEM, fire stations, courts, banking networks and the Post Office.
Damages are expected to be in the region of “millions of euros”, writes Expresso, citing Jorge Gomes of VOST Portugal (the association of volunteers in situations of emergency), who compared the attack to “closing a motorway on purpose, causing national roads to fill up to the point of creating traffic jams”.
“This attack is the closing of a motorway, with the consequence being congestion of national roads”, he said.
This was an odd analogy, coming as it did days after police closed down a motorway, causing absolute chaos for thousands of people returning home last weekend.
But the bottom line, from every ‘source’, is that these incidents are likely to persist. Companies need to prepare themselves with anti-hacking software, and the PJ police needs to be given the technological know-how and human resources to make a difference.
Adding to the sense of urgency, Diário de Notícias reports that a recent study by global insurance and risks consultants MDS has estimated that less than 1% of Portuguese companies have insurance protection against cyberattacks.