Early on Thursday, hundreds of Portuguese who came to take a coronavirus test sensed that something was wrong. In many of the centers, the health workers could not establish a connection with the computer system of the laboratories. Finally they had to cancel all the tests and ask patients with appointments to find another way to get tested. The Germano de Sousa company, the main clinical analysis laboratory in Portugal, had suffered a cyberattack. Yet another one, those affected must have thought.
Three days earlier, another hack had brought down the Vodafone network in Portugal, affecting four million customers (in a population of 10 million). It blocked data services, mainly 4G and 5G, fixed voice, television, SMS and answering machines. The company described it as a “terrorist act” because it seriously affected clients such as the National Institute of Medical Emergency (INEM), fire departments or banking entities, which had to enable emergency channels in order to operate.
“It is not an attack directed at the systems. It is an attack directed at the network with the purpose, surely voluntary, intentional, of leaving our clients without any service”, denounced the executive director of Vodafone in Portugal, Mário Vaz. Neither the operator nor the Germano de Sousa laboratories have evidence that theft of personal data from users or patients has occurred, they have assured.
These two cyberattacks are the latest two in a list of offensives that have intensified in 2022. “Police sources tell us that it is unprecedented that so many attacks occur in such a short time and with such an impact, with five or six very important companies affected”, Hugo Franco, a journalist for the weekly Expresso, explains to elDiario.es. “This for us is a new phenomenon, because last year there were many attacks but not as important as the ones that are taking place at the beginning of 2022.”
Franco speaks from first-hand experience. Expresso has been one of several media outlets affected by the plague. At the beginning of January, a cyberattack brought down its systems and forced the weekly to publish its contents on Facebook. Days later they managed to set up a provisional website, although without audiovisual content or the possibility of preparing content only for their subscribers. It is possible that the weekly, whose first publication was in 1973, has lost its newspaper archive forever. “We are trying to find out if the hackers also destroyed those files,” says the journalist.
The private television channel SIC, belonging to the same publishing group as Expresso, is also operating from an emergency website. Other media have suffered hacking attempts, although they have managed to resist. The Lapsus$ cybercriminal group has claimed responsibility for these attacks, which were based on ransomware: malware that encrypts the victim’s files, hijacks their computer system and demands a ransom for release. It is suspected that the same organization is behind the attack on the website of the Portuguese Parliament, which paralyzed it for several hours on election day on January 30.
“The judicial police believe that in principle there is no relationship between the attacks, although it is not definitive. It is still too early to draw conclusions, but the indications are that there are no major points in common between them,” Franco explains. “The investigators do not believe that it is an organized campaign against Portugal,” he reveals.
One of the lines of investigation that the Portuguese authorities are following leads to one of the main nests of cybercrime and the focus of the ransomware industry. “The Judicial Police is following a lead, since a hacker published on January 24 in a Russian forum that he was selling access to the computer system of a large Portuguese telephone company. Investigators suspect that it may have been Vodafone,” says the journalist.
The experts consulted by this outlet agree with the opinion of the Portuguese police. “There is no orchestrated campaign against Portugal,” says Josep Albors, director of research at ESET Spain, an international cybersecurity firm with a presence in Portugal.
“We have to take into account that there are more and more targeted attacks, at all levels and in all countries. This time it has been the case that Portugal has been hit hard several times in such a short space of time that the alarms have gone off, but there is no correlation between these attacks that indicates that there is a group behind it that has Portugal as its objective,” he details.
The only common link is Lapsus$, an attacker confirmed in the cases of the media, but not in the rest of the offensives. “It has also attacked organizations in Latin America, especially in Brazil. The language coincidence means that this group of attackers has made the leap to Portugal,” says Albors. Vodafone and the Germano de Sousa laboratories have not yet revealed whether the cyberattacks they have suffered this week have been based on ransomware or another type of weapon.
Language is one of the factors that makes it easier for cybercriminals to expand their attack areas. The groups that operate from Brazil and its area of influence specialize in banking Trojans and information theft, explains the expert. In recent times they have increased the ambition of their attacks, even reaching Spain with impersonations of the Post Office or transport companies.
“Until not long ago they were considered second-class groups because they moved only in their region and their tactics were not particularly advanced,” continues Albors. “They relied more than anything on deceiving the user to achieve their goals. But for a couple of years, just before the pandemic began, they began to innovate and develop increasingly elaborate campaigns, which can also be perfectly identified by a user who is more or less trained, but whose hooks were becoming more personalized.”
However, in ransomware cases, the focus “is usually Eastern countries.” That is where the malware developers are, who then sell it to local groups that design the hooks with which to infect organizations in their environment. It is an industry with a high degree of professionalization. And although the authorities can sometimes track down these local actors and hunt them down, that rarely happens with the groups of developers, who also cease their activity and cover their tracks if they feel they are being watched. To return shortly after with another name and another ransomware to sell, of course.
“One of the problems that we are seeing lately is that anyone, without having any knowledge, can go to a forum, buy a kit and try to harm small, medium or even large companies if they do not have the recommended security measures applied,” reveals the expert.
The wave of cyberattacks against Portugal seems to be a combination of all these factors. The country’s cybersecurity is not in a bad position internationally, ranking 14th in the world and placing in the top 10 in Europe in the latest Global Cybersecurity Index, in which Spain ranked fourth.