Portuguese NATO documents caught for sale on the darkweb


The General Staff of the Armed Forces (EMGFA), commanded by the Chief of Staff, Admiral Silva Ribeiro, was the target of a “prolonged and unprecedented cyberattack” that resulted in the exfiltration of classified NATO documents.

The Portuguese government only found out because it was informed by the US intelligence services through the embassy in Lisbon, in a communication made directly to Prime Minister António Costa last August.

According to sources who are following the case, considered to be of “extreme gravity”, it was US intelligence cyber spies that detected “for sale on the darkweb hundreds of documents sent by NATO to Portugal, classified as Secret and Confidential”.

Confronted with this information, the official spokesperson for the US embassy in Lisbon does not deny it, limiting himself to saying: “We do not comment on intelligence matters”.

This cyber-crisis has been managed by Costa’s office, but several security-related structures are also actively involved, such as the National Security Office (GNS) and the external (Defense Strategic Information Service) and internal (Security Information Service) secret services.

However, despite having reserved competences in the investigation of cybercrime, the Judiciary Police (PJ), at least until yesterday afternoon, had not been involved. Questioned by DN, it declined to comment.

NATO will have demanded explanations and guarantees from the Portuguese government and, next week, the Secretary of State for Digitization and Administrative Modernization, Mário Campolargo, who oversees the GNS, and Vice Admiral Gameiro Marques, Director-General of this Office, which is responsible for the security of classified information sent to our country, will go to NATO Headquarters in Brussels, on behalf of António Costa, for a high-level meeting at the NATO Office of Security.

EMGFA under suspicion

According to several Defense sources heard by the DN, after being alerted, experts from the GNS and the National Cybersecurity Center joined the military from the National Cyber Defense Center, located at the EMGFA, and carried out a full tracing of the entire Defense internal communications system.

From this first investigation, computers from which the documents were exfiltrated were identified, mainly in the EMGFA, in the military secret services (CISMIL) and in the General Directorate of National Defense Resources, and it was found that security rules for the transmission of classified documents had been breached.

This is because, the same sources underline, these entities have secure connections – the Integrated System of Military Communications (SICOM) – to receive and forward classified documents, but will have used the unsecured lines.

“It was a cyberattack prolonged in time and undetectable, through bots programmed to detect this type of documents, which were then removed in several stages”, explained one of these sources.

Costa guarantees “Portugal’s credibility”

Asked about this crisis and what measures were being taken to ensure NATO’s confidence, an official source at S. Bento assures that “the government can guarantee that the MDN and the Armed Forces work daily so that Portugal’s credibility, as a founding member of the Atlantic Alliance, remains intact”.

The same spokeswoman for António Costa stresses that “the exchange of information between allies on Information Security is permanent at the bilateral and multilateral levels. Whenever there is a suspicion of cybersecurity compromise of Information System networks, the situation is extensively analyzed and all procedures aimed at increasing cybersecurity awareness and the correct handling of information are implemented to face new types of threat. If, and when, a security compromise is confirmed, the subsequent investigation of whether disciplinary and/or criminal liability existed automatically determines the adoption of appropriate procedures.”

The Ministry of National Defense, for its part, stresses that “all cyberattacks on any public entity are subject to close coordination between the entities that, in Portugal, are responsible for cybersecurity. All signs of attempted intrusion or potential security breaches are investigated and, if an incident occurs, the competent authorities are notified and the appropriate procedures are triggered”.

For its part, the GNS forwarded the response on its action to the Prime Minister’s office.

Since the PJ will not have been called to initiate the natural criminal investigation, it remains to be seen whether any internal investigation has been launched to determine responsibilities in entities where it is assumed that there has been a breach of security.

Surveillance and counter-information

This is, by the way, one of the powers of the GNS, which must ensure “the protection and safeguarding of classified information emanating from international organizations of which Portugal is a part”.

According to its organic law, whenever there is a suspected or actual compromise, breach or violation of security, it is to determine the opening of investigations and proceed with the respective instruction, indict those responsible and report, in accordance with the law, to the competent authorities.

It is not the first time that Portugal has been involved in a breach of the security of NATO documents. It also happened within the scope of the case of the former SIS spy, Carvalhão Gil – convicted of espionage in favor of Russia, in 2018 – when security flaws were detected in the secret services in the processing of these documents. Portugal was subject to an inspection by the aforementioned NATO Office for Security.

Victor Madeira, National Security Specialist and Research Associate at the Center for Information Resilience, UK, highlights that “this case, once again, demonstrates three essential pillars in the fight against hostile activities in the cyber domain: constant surveillance and situational awareness, both updated regularly through state-of-the-art training and equipment for talented specialists in this field. Second, the fundamental importance of any state, truly sovereign, having effective counterintelligence functions – both in the more traditional domain of human espionage, as well as in the cyber domain. Without this critical foundation, all other state functions, and eventually sovereignty itself, crumble. Finally, a third pillar is the continuing importance of National Security and Defense alliances and partnerships. Without constant collaboration between allied security and information services, the threat landscape by hostile actors would be much worse. Especially in the cyber domain, where every second is precious.”

An order signed by the Minister of Defense, Helena Carreiras, on August 5th, reinforces compliance with the Military Programming Law, in terms of Cyberdefense – whose budget execution was around 30% in 2021.

In this order, Helena Carreiras determines that, from 2022 to 2030, 11.5 million euros will be invested in “specialized training and consultancy services in cyber defense and the conduct of military operations in and through cyberspace”.
