For anyone who was tuned in to Expresso last Sunday, it must have been difficult to avoid being amazed. The newspaper announced on Twitter that someone with the exotic name Lapsus$ was the new president of Portugal. On the website, the news was different and the surprise surely even greater. The homepage of the newspaper went black and in the centre of the screen was a message, again under that name, Lapsus$: “The data will be leaked if the necessary amount is not paid. We have access to the cloud dashboards (AWS), among other types of devices. The contact for ransom is below.” The same happened on the site of SIC, the television network that, like Expresso, is part of Grupo Impresa. A hijacking of unknown dimensions of the country's biggest newspaper and of the television network with the largest audience in Portugal was taking place live on the internet.
Despite the announcement, in full view of everyone, demanding a ransom, days passed and there was no follow-up behind the scenes. “This attack, contrary to what was reported, was not a ransomware attack, and no payment request was made”, acknowledged the management of Grupo Impresa in a statement sent to its readers and viewers on Wednesday night. The hackers had in fact infiltrated the servers that Expresso and SIC use on Amazon Web Services (AWS) to, among other things, archive everything they publish, but they did not disclose a ransom amount or an account to which money should be transferred.
With Grupo Impresa's sites down, a criminal investigation began on Sunday. What happened, then? And who is behind it?
The investigators believe that the attack is not related to the upcoming legislative elections or any other event, and they rule out the scenario of an ideological motivation or an economic interest behind it.
At this point, with what they have already discovered, the Judiciary Police is convinced that it was simply the hackers’ ego that motivated them to enter the servers of SIC and Expresso. Without trying to extort money, they ended up destroying millions of internal newspaper and television files.
“The invasion of a large media group is a source of pride for them and a way to boast to their peers. These inorganic movements enjoy being able to enter and destroy. And it could be in Portugal or in any other country”, reveals a source close to the investigation, who recalls that just a month ago the same authors used the name Lapsus$ in their intrusion into the Brazilian Ministry of Health's computer system, after attacking a video game company in the United States, Electronic Arts (EA), in May.
“Money is a false issue. Now they didn't even bother to change the message they had used in the attack on the Ministry of Health in Brazil. It was just a key message,” says a police source. And in Portugal, Brazil or the United States, no institution or company has disbursed any payment for the stolen data. “It was above all an act of computer sabotage, of destruction, since part of the files were deleted”, reinforces the same source. Inspectors from the PJ's cybercrime unit, who have been at Impresa's premises since the attack, have not yet been able to determine whether or not the destroyed files can be recovered.
The Judiciary Police, which requested the collaboration of Brazilian and other countries' authorities in this case, outlined a profile of this group of hackers: “They dedicate themselves to scouring the dark web looking for ways to enter and destroy the computer systems of companies or state institutions that give them publicity for the attack. It's a bit like groups of kids who vie over who robs the best bank or the best car.” Expresso understands that there are no Portuguese nationals involved in the group, which is believed to be made up of Spaniards and South Americans, with the intermittent collaboration of Brazilian hackers.
A crime against journalism
With the crime of extortion set aside, the focus is now on what seems increasingly obvious both to PJ investigators and to some criminal law experts heard by Expresso, such as Paulo Sá e Cunha and Paulo Saragoça da Matta: in addition to crimes such as computer sabotage and unauthorised access being at issue, the destruction of files means that it was an attack on freedom of the press, punishable with a penalty of up to three years in prison for anyone who “prevents or disturbs the composition, printing, distribution and free circulation of publications” or “seizes or damages any materials necessary for the exercise of journalistic activity”.
Luís Filipe Simões, president of the Union of Journalists, is emphatic: “It is evident that it was an attack on freedom of the press. It is, in fact, one of the biggest attacks on journalism since the 25th of April. A heritage such as the Expresso archive is at stake. It would be dramatic to lose this legacy.”
For journalist Jacinto Godinho, a member of the secretariat of the Commission for the Professional Card of Journalists (CCPJ), this type of attack is “the most effective form of terrorism in the 21st century”, and in the case of the media, the fact that many historical memory archives and most of the footage that is made is stored in digital format makes it “very serious for this information to be appropriated or destroyed by organized crime”. Godinho emphasizes that, at this moment, “it is important to know more about whether there was a clear objective to attack Grupo Impresa and its ability to do journalism”.
For now, the PJ's suspicion is that the hackers' entry into Impresa's computer system was due to human error on the part of one or more employees, who may have clicked on a hyperlink in an infected e-mail or downloaded pirated software. “It is necessary to have people trained and aware of the threats to be able to act as a first barrier”, says Francisco Nina Rente, a cybersecurity specialist. “Because the technological barriers can all be fine, but if the human being fails, the others won't be worth much. It's a matter of time.”
Investigators do not rule out the possibility that the attackers were lodged inside Impresa's servers for several days before bringing the sites down on Sunday, gaining enough time to prepare a large-scale sequential attack.
Despite leaving an apparent electronic trail through cyberspace, Portuguese authorities do not believe it is easy to reach the criminals, as they use sophisticated tools to hide. In any case, the PJ and the cybersecurity experts heard by Expresso are peremptory in stating that the Lapsus$ group is not part of the so-called first division of hackers, led by Russian, Chinese or North Korean hackers, who often attack with state support. “It was a technically trivial attack that had no trivial consequences. It is a pure criminal business that has no ideologies”, argues José Tribolet, retired professor at Instituto Superior Técnico and founder of INESC.
The Brazilian Filipe Soares, who worked for a decade as an officer at the Brazilian Intelligence Agency (Abin) and founded Harpia Tech, a cyber-intelligence company, knows this group of hackers well. “The group's first activity took place in May of last year, when they took responsibility for a computer attack against Electronic Arts in a Russian forum. But they did not prove that they had done so. Just that they had a company database. They might have bluffed.”
In the attack on the Brazilian Ministry of Health in December, infrastructure was compromised. At the same time, there were also defacements of pages of Brazilian police institutions and a hacking of the telephone operators Claro and Embratel. “They exposed 300 megabytes of internal data from the Ministry of Health, which appear to be authentic and not public”, says Filipe Soares. “It was the case that made them famous.” Until, this week, they exported that fame to Portugal.
Text: Hugo Franco and Micael Pereira
Hackers: when the plan is to kill the messenger – Expresso