Portugal's Major News Websites Remain Offline After AttacksImpresa Group Turns to Provisional Websites Following Ransomware Strike
Impresa Sociedade Gestora de Participacoes Sociais SA, Portugal's largest media conglomerate and parent company of Portuguese newspaper Expresso and SIC TV channel announced that a cyberattack on its news websites on January 2 has "seriously hampered its mission to inform readers and spectators."
Impresa says that the websites of Expresso, SIC and the Blitz magazine are temporarily unavailable, impeding its ability to report news from Portugal. In its effort to recover from Sunday's cyberattack, the media group has launched a temporary website: Expresso.pt.
The Impresa group, in its statement, says that it is collaborating with authorities to resolve the situation at the earliest opportunity and guarantees delivery of its next weekly edition.
In the wake of the cyberattack, several readers and publications, such as CNN Portugal and Publico, expressed solidarity on Twitter and Facebook with Expresso's new motto #liberdadeparainformar, which translates to "Freedom to Inform".
Online media outlet The Record reports that the Lapsus$ ransomware group has claimed responsibility for the attack that impacted Impresa's IT server. The attack knocked Expresso and SIC websites offline, in addition to SIC’s internet streaming service.
Following takeover of the Expresso and SIC websites, the Lapsus$ group posted a ransom note in Portuguese which translates to: "The data will be leaked if the required amount is not paid. We have access to their cloud dashboards (AWS), among other types of devices." This was followed by the Lapsus$ group' Telegram ID and email address.
Soon after, the Lapsus$ group posted from Expresso's official Twitter account saying "Lapsus$ is officially the new president of Portugal."
A report by news agency Reuters also says that the Lapsus$ group sent a phishing e-mail to Expresso subscribers.
The Impresa group has not responded to Information Security Media Group's request for information on the nature of intrusion or demands made by the ransomware group.
The Lapsus$ Ransomware Group
Avkash Kathiriya, vice president of research and innovation at cybersecurity firm Cyware tells ISMG that the Lapsus$ group hit the limelight in December 2021 following a ransomware attack on websites owned by Brazil's Ministry of Health. The group claimed to have stolen and subsequently deleted around 50TB of data from the ministry’s systems.
Following the cyberattack on Brazil’s health ministry, Lapsus$ also claimed to have breached Brazilian telecom provider Claro and allegedly gained access to a "gargantuan data trove" of 10,000TB, according to Kathiriya.
Kathiriya says that based on the messaging on its website and Telegram channel, the group is financially motivated and does not seem to be focused on any particular industry. The group initiated its Telegram channel on Dec. 10, 2021, as a medium to expose its victims and provide evidence of breaches.
"Targeting Portuguese-speaking countries and usage of the Brazilian Portuguese dialect in its messages hints at the fact that the group may be based in Brazil," says Kathiriya.
He points out that in most of its attacks, the Lapsus$ group claimed to have gained access to cloud-based servers and applications of the targeted organizations, such as AWS instances and VMware vCenter servers, but so far it is unclear which malware is being used by the group.
News Outlets Under Attack - 3 Ransomware Hits in 3 Weeks
The cyberattack on Impresa is the third security incident in the news publication space in just three weeks - all three incidents were the result of ransomware attacks and all of the affected news websites were knocked offline for an extended period.
An incident very similar to Lapsus$ group's ransomware attacks on Expresso and SIC websites occurred on December 28, when a ransomware attack on Norway-based media company Amedia brought its presses to a halt.
According to a report on Digi.no, Amedia's executive vice president of technology, Pål Nedregotten, said in a press conference that a "known security hole in Windows" was exploited and that impacted Amedia's Windows servers.
Preceding Amedia's ransomware incident, the Philippines' biggest and oldest television broadcaster, ABS-CBN, fell prey to a cyberattack on December 11. According to local media organization Rappler, ABS-CBN's News website was targeted by a distributed denial of service or DDoS attack.
As with Portugal's Impresa group, ABS-CBN was also forced to push its news updates through its social media channels.
A report by cybersecurity company Fortinet says that media companies using outdated software and ineffective authentication and verification procedures coupled with an ever-increasing attack surface gives hackers a range of options to attack their digital infrastructure.
Fortinet advises media firms to apply least privilege access, deploy multi-factor authentication and run backups frequently along with regular pen-testing and patching exercises.
In a 2015 cyberattack which resulted in a dozen TV5 Monde channels blacking out simultaneously, IT company Atos found that TV5 Monde multimedia servers had their remote desktop protocol ports exposed to the internet and the staff was using default usernames and passwords.
Using social engineering, hackers targeted TV5 Monde's journalists and were eventually successful in penetrating the network through a Trojan and deploying malware in TV5 Monde's IT infrastructure, following which they were able to create accounts with administrator privileges.