This article is more than 1 year old
NATO probes hacktivist crew's boasts of stolen portal data
'Gay furry hackers' say it's in response to 'attacks on human rights' and noooothing to do with Russia-Ukraine
NATO is investigating claims by miscreants that they broke into the military alliance's unclassified information-sharing and collaboration IT environment, stole information belonging to 31 nations, and leaked 845 MB of compressed data.
On July 23, SiegedSec, a crew that describes itself as "gay furry hackers" and typically targets governments in politically motivated stunts, shared what was said to be stolen NATO documents via the gang's Telegram channel. The hacktivists' Telegram post included screenshots of the alleged files and a link, now defunct, to download the data.
"Do you like leaks? Us too! Do you like NATO? We don't! And so, we present... a leak of hundreds of documents retrieved from NATO's COI portal, intended only for NATO countries and partners," SiegedSec claimed.
The Communities of Interest (COI) Cooperation Portal is used by NATO organizations and member states. And while it doesn't contain classified information, there's still perhaps mayhem, fraud, and money to be made from releasing unclassified government info.
SiegedSec said the purported theft "has nothing to do" with the Russian invasion of Ukraine. "This is a retaliation against the countries of NATO for their attacks on human rights," the crew stated, adding that it's also "fun to leak documents."
When asked about SiegedSec's claims, a NATO official declined to answer specific questions, and provided the following statement:
NATO cyber experts are actively looking into the recent claims associated with its Communities of Interest Cooperation Portal. We face malicious cyber activity on a daily basis and NATO and its allies are responding to this reality, including by strengthening our ability to detect, prevent and respond to such activities. NATO's classified networks are not affected and there is no impact on NATO operations. Investigation and mitigation activities are ongoing by our experts.
According to threat intel firm CloudSEK, which analyzed the leaked data, the dump contains various unclassified documents and 8,000 personnel records containing details including: names, companies and units, working groups, job titles, business email addresses, home addresses, and photos.
"Our analysis suggests that there are at least 20 unclassified documents in the leak," the team concluded.
- Russian hacktivists DDoS hospitals, with pathetic results
- SCOTUS judges 'doxxed' after overturning Roe v Wade
- Deloitte and Chuck E. Cheese join 500+ orgs as MOVEit victims
- Crooks pwned your servers? You've got four days to tell us, SEC tells public companies
While it's unclear how SiegedSec broke into the portal, as claimed, CloudSEK suggested the intruders may have used used stolen credentials.
"With low confidence and no direct proof, we assess that the credentials for the compromised user account may have likely been sourced from stealer logs," the analysts said.
Last month SiegedSec leaked stolen data from agencies in six American states and said the hacks were in response to legislative attacks on gender-affirming care.
The group has also previously targeted anti-abortion states, reportedly in response to the US Supreme Court ruling overturning Roe v. Wade last summer. After leaking internal files stolen from Kentucky and Arkansas government servers, SiegedSec posted: "One shouldn't be denied access to abortion." ®