Cyber Incident Victim: Impresa

Date: Jan 2022

Location: Portugal

Summary

A Portuguese media conglomerate suffered a major cyberattack by the Lapsus$ group, disrupting online operations of its prominent newspaper and television broadcaster. The attackers compromised the company's Amazon Web Services infrastructure, defaced websites with ransom threats, sent phishing emails to subscribers, and hijacked verified social media accounts to demand payment while threatening data leaks. Critical services including websites and streaming platforms remained offline following the intrusion, though traditional broadcasts continued. The incident—described as an unprecedented attack on digital press freedom—marked the group's first known intrusion in Portugal, following prior attacks against Brazil's Health Ministry and telecommunications providers. Authorities and cybersecurity agencies were notified as the organization maintained news distribution via alternative social media channels during recovery efforts.

Description

The Lapsus$ ransomware group launched a cyberattack against Impresa, Portugal's largest media conglomerate, during the New Year holiday period in late December 2021 to January 2022. The attack targeted Impresa's online IT server infrastructure, specifically impacting two of its properties, the Expresso newspaper and the SIC TV station, respectively the country's most circulated weekly periodical and its dominant television broadcaster. Attackers defaced all Impresa-owned websites, including those of Expresso, SIC, and subsidiary channels, replacing content with a ransom note threatening to leak internal data unless payment was made. The message included contact details via email and Telegram. Lapsus$ claimed access to Impresa's Amazon Web Services (AWS) account, which facilitated the defacements and disruption. The group further demonstrated persistent access by sending a phishing email to Expresso subscribers and hijacking the newspaper's verified Twitter account to post messages reinforcing their control. While traditional TV broadcasts via national airwaves and cable continued unaffected, the attack disabled SIC's internet streaming capabilities and rendered all Impresa group websites offline, displaying "temporarily unavailable" maintenance notices from January 1 onward.

Impresa reported the incident to Portugal's criminal investigation police agency (PJ) and the National Cybersecurity Center (CNCS), announcing plans to file a formal complaint. The company briefly regained control of its AWS infrastructure on January 1, temporarily shifting websites to maintenance mode, but Lapsus$ countered by tweeting from Expresso's account to prove ongoing compromise. CNCS coordinator Lino Santos confirmed this was the first recorded Lapsus$ attack in Portugal. Impresa described the incident as an "unprecedented attack on press freedom in the digital age" and shifted news dissemination to social media channels while restoring services. The conglomerate declined to comment on ransom negotiations or operational specifics. Prior to targeting Impresa, Lapsus$ had compromised Brazil's Health Ministry in December 2021, disrupting COVID-19 vaccination systems, and telecommunications firms Claro and Embratel. The attack marked one of Portugal's most significant cybersecurity incidents due to Impresa's market dominance—SIC channels held the highest TV ratings, while Expresso led weekly circulation—and the broad disruption across its digital properties. Restoration efforts continued as of January 2, with no public confirmation of data leaks or resolution timelines.
