An unknown attacker has stolen hundreds of sensitive and classified NATO documents from the government of Portugal, and no one was aware of it until the files popped up on the dark web for sale some weeks later.
This very serious breach appears to have originated with a failure to keep documents that are supposed to be air-gapped away from internet-connected systems. The Portuguese government apparently would not have even been aware that the trove of NATO documents had been pilfered if United States intelligence agents had not noticed them during routine monitoring of dark web auction sites.
Classified NATO documents appear on dark web, could have been sold to anyone
Little information is available to the public about the stolen NATO documents as the organization does not disclose details about thefts, but it appears that at least a month elapsed between the break-in and the discovery of the dark web offer. It is unknown who (or how many) parties may have purchased the documents.
There has been an increased focus on the theft of NATO documents since the invasion of Ukraine began early this year, with an August breach of a contractor for a French missile designer yielding about 80GB of documents that also surfaced on the dark web and were taken by at least one buyer. The fact that the documents went public at all points toward criminal groups stealing them for profit, but likely with the knowledge that government intelligence agencies will be interested in buying them for high prices. Russia has shown a definite interest in NATO documents, targeting them during exploitation of the 2020 breaches of SolarWinds and Microsoft.
Attackers are also generally showing less fear of government reprisal, willing to exploit vulnerabilities wherever they might find them. These have mostly been ransomware attacks, but attackers have proven willing to exfiltrate classified documents and sell them on the dark web when the opportunity presents itself. Increased threat activity has prompted NATO to collaborate on cybersecurity with members in the Asia-Pacific region for the first time.
Serious lapse of security awareness in loss of Portugal NATO documents
It is not known what was in the NATO documents, but they appear to have been taken from the agency that runs Portugal’s military, the Armed Forces General Staff (EMGFA). They are also apparently at a level of sensitivity that requires them to be kept on air-gapped systems, which, for reasons not yet known, did not happen. The attack was apparently initiated by bots that scan the internet for these sorts of documents, which suggests they may have been sitting on an internet-facing system with little or no protection from intrusion. This theory would also explain why the government did not notice a breach: if the files were publicly reachable, no intrusion may have been needed to retrieve them.
There is obvious concern not just over the lack of security for these sorts of sensitive documents, but also over the lack of awareness of a breach for such a long period of time. The incident has no doubt prompted cybersecurity training reviews throughout the organization, and may trigger a review of NATO security protocols.
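The two failure modes described above, documents reachable from an internet-facing system and nobody noticing when they are pulled in bulk, are the kind of thing a web-server access log would have shown. The script below is an added illustration, not code from the article or from any Portuguese or NATO system: it parses Apache-style combined-log lines (the sample lines, IP addresses, paths and timestamps are all constructed for the example) and flags any client that successfully downloads many distinct document files within a short window, which is what an automated harvester of an exposed directory looks like in the logs. The window size, file extensions and threshold are assumptions to tune for a real deployment.

```python
"""Flag bulk document harvesting in web-server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: client, identity, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# File types we treat as "documents"; extend to match what the server actually hosts (assumption).
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt")

# Constructed sample log: one scripted client enumerates a listing and pulls many files in seconds,
# one ordinary user opens two files hours apart. Addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Aug/2022:03:14:01 +0000] "GET /docs/ HTTP/1.1" 200 5120 "-" "python-requests/2.28"
203.0.113.7 - - [01/Aug/2022:03:14:02 +0000] "GET /docs/brief-001.pdf HTTP/1.1" 200 81234 "-" "python-requests/2.28"
203.0.113.7 - - [01/Aug/2022:03:14:03 +0000] "GET /docs/brief-002.pdf HTTP/1.1" 200 77210 "-" "python-requests/2.28"
203.0.113.7 - - [01/Aug/2022:03:14:03 +0000] "GET /docs/brief-003.docx HTTP/1.1" 200 40011 "-" "python-requests/2.28"
203.0.113.7 - - [01/Aug/2022:03:14:04 +0000] "GET /docs/brief-004.pdf HTTP/1.1" 200 90120 "-" "python-requests/2.28"
203.0.113.7 - - [01/Aug/2022:03:14:05 +0000] "GET /docs/brief-005.pdf HTTP/1.1" 404 512 "-" "python-requests/2.28"
203.0.113.7 - - [01/Aug/2022:03:14:06 +0000] "GET /docs/brief-006.xlsx HTTP/1.1" 200 30222 "-" "python-requests/2.28"
203.0.113.7 - - [01/Aug/2022:03:14:07 +0000] "GET /docs/brief-007.pdf HTTP/1.1" 200 88000 "-" "python-requests/2.28"
198.51.100.20 - - [01/Aug/2022:08:02:11 +0000] "GET /docs/brief-001.pdf HTTP/1.1" 200 81234 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Aug/2022:09:30:45 +0000] "GET /docs/brief-002.pdf HTTP/1.1" 200 77210 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), path, status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}


def find_harvesters(lines, window=timedelta(minutes=10), threshold=5):
    """Return one alert per client that fetched >= threshold distinct documents within any window.

    Only successful (200) responses count: a scanner probing for files that do not exist
    shows up as 404s, which is a different signal and is ignored here.
    """
    doc_events = defaultdict(list)   # ip -> [(ts, path)] for successful document downloads
    listings = defaultdict(int)      # ip -> number of successful directory-index requests (context)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        if rec["path"].endswith("/"):
            listings[rec["ip"]] += 1
        elif rec["path"].lower().endswith(DOC_EXT):
            doc_events[rec["ip"]].append((rec["ts"], rec["path"]))

    alerts = []
    for ip, events in doc_events.items():
        events.sort()
        start, best = 0, 0
        # Sliding window over time-ordered events: count distinct paths in each window.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({path for _, path in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts.append({
                "ip": ip,
                "distinct_docs": best,
                "listing_requests": listings.get(ip, 0),
                "first": events[0][0].isoformat(),
                "last": events[-1][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_harvesters(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this reports a single client, 203.0.113.7, with six distinct documents fetched in a few seconds after one directory listing, while the ordinary user with two downloads hours apart is not flagged. Run against a real log it is only as good as the threshold and window chosen for that server's normal traffic, and it says nothing about what the documents were: a separate inventory of which files under the web root carry classification markings is the check that would have caught the exposure before anyone downloaded them.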