Cyber Incident Victim: Armed Forces General Staff agency of Portugal
Date: Sep 2022
Location: Portugal
Summary
A cyberattack targeting Portugal's Armed Forces General Staff agency resulted in the theft of classified NATO documents, which were later offered for sale on the dark web. The breach was discovered only after the attackers advertised the stolen material, prompting U.S. intelligence to alert Portuguese authorities, who then initiated a network investigation. The prolonged, undetected intrusion used bots designed to locate sensitive files, which were exfiltrated through non-secure channels even though the operational systems were air-gapped, indicating failures in operational security. The leaked documents were deemed critically sensitive and seen as a risk to Portugal's credibility within the NATO alliance. Political pressure mounted for official hearings as lawmakers expressed alarm over both the breach and the intelligence shortcomings it exposed.
Description
In early September 2022, the Armed Forces General Staff agency of Portugal (EMGFA), responsible for controlling and planning Portugal’s armed forces operations, suffered a cyberattack resulting in the theft of classified NATO documents. The breach remained undetected until the attackers posted samples of the stolen material on the dark web, advertising the files for sale. American cyber-intelligence agents identified the illicit sale and alerted the U.S. embassy in Lisbon, which in turn notified the Portuguese government of the compromise. Upon receiving this external warning, Portuguese authorities mobilized a joint response team of experts from the National Security Office (GNS) and the national cybersecurity center to conduct a comprehensive network screening at EMGFA. Investigative sources described the attack as prolonged and hard to detect, using bots specifically programmed to locate and extract sensitive documents over multiple stages. Although EMGFA’s operational computers were air-gapped, the exfiltration took place over standard non-secure communication lines, indicating that operational security protocols had been breached.

The leaked documents were characterized by sources close to the investigation as being of "extreme gravity," with their public dissemination posing significant risks to Portugal’s credibility within NATO. No official public statement was issued by the Portuguese government following the breach, but political pressure intensified after local media outlet Diario de Noticias reported the incident. Members of parliament expressed astonishment at both the sale of classified military materials online and the failure of national intelligence services to detect the breach. Opposition lawmakers demanded urgent hearings through the parliamentary defense committee, urging its chairman, Marcos Perestrello, to expedite formal inquiries into the incident. The combination of undetected exfiltration, reliance on external alerts, and procedural violations highlighted systemic vulnerabilities in EMGFA’s cybersecurity posture, amplifying concerns over national security and alliance trustworthiness.
