Multiple damaging narratives across public digital media, messaging applications and deep & dark web forums quickly emerged as early February’s Vodafone Portugal cyberattack unfolded: from an allegedly Russian-led operation to Vodafone’s supposed failure to protect employees’ credentials. What can be learned?
On February 7th, a “deliberate and malicious” cyberattack on global telecom operator Vodafone disrupted some emergency services reliant on its network in Portugal. In addition to Vodafone’s mobile voice and data, fixed-line voice, SMS, and answering services being impacted, the attack reportedly interrupted the national ambulance service and some fire brigades. However, the cyberattack did not only disrupt the telecom operator’s services. The incident also demonstrates how, in the current geopolitically polarized environment, similar attacks on critical infrastructure could increase risk across two key axes:
1. The damaging reputational effects to private critical infrastructure companies caught in the potential crosshairs of geopolitical conflicts
2. The capacity for the diffusion of propagandistic narratives that sow sociopolitical division and discord related to impacted countries
These trends are highly relevant in the current global context. Several cyberattacks targeting Ukraine and linked to Russia have focused on internet infrastructure and digital banking, as well as defacement of government and media sites. The principal aim of these attacks is to generate confusion, hinder communications, demoralize the population, and undermine institutional confidence. If these types of attacks spread beyond Ukraine, as is likely to occur, other Western countries could well suffer similar intrusions targeting critical infrastructure, with similar private-public impacts.
To assess the propagandistic repercussions of an attack targeting and disrupting critical infrastructure services (such as Vodafone’s network), as well as the damaging reputational effect on the affected private company itself, Constella’s threat intelligence team used Analyzer, Constella’s cloud-based platform for advanced risk analysis of the digital public sphere, to analyze the digital conversation related to the attack and the affected company over a period including the day before and the week following the initiation of the cyberattack. The analysis was conducted in Portugal and in the Portuguese language and covered the period from February 6th to February 15th, 2022.
Constella’s data scientists applied clustering algorithms, similar to the Louvain Method for community detection, to determine the different digital communities and visually represent the resulting network of interactions. Constella’s unassisted algorithms identified nine key communities producing conversations related to the Vodafone Portugal cyberattack. This conversation is the best public data proxy available for understanding both the reputational impact and any propagandistic narratives associated with the cyberattacks, as observed in other recent cases.
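The kind of community detection described above, as an added example that is not Constella’s code or data: a pure-Python implementation of the local-moving phase of the Louvain method (the aggregation phase is omitted), run over a constructed interaction graph. The account names and interaction counts are invented for illustration.

```python
from collections import defaultdict

# Constructed sample: (account, account, interaction count). Not data from the analysis.
INTERACTIONS = [
    ("news_a", "news_b", 5), ("news_a", "news_c", 4), ("news_b", "news_c", 6),
    ("fan_x", "fan_y", 7), ("fan_x", "fan_z", 3), ("fan_y", "fan_z", 5),
    ("news_c", "fan_x", 1),  # single weak link between the two groups
]

def build_graph(edges):
    """Undirected weighted adjacency map: adj[a][b] = total interactions."""
    adj = defaultdict(lambda: defaultdict(float))
    for a, b, w in edges:
        adj[a][b] += w
        adj[b][a] += w
    return adj

def modularity(adj, comm):
    """Newman modularity Q of the partition comm (node -> community label)."""
    deg = {n: sum(nb.values()) for n, nb in adj.items()}
    m2 = sum(deg.values())  # 2m: twice the total edge weight
    q = sum(adj[i].get(j, 0.0) - deg[i] * deg[j] / m2
            for i in adj for j in adj if comm[i] == comm[j])
    return q / m2

def local_moving(adj):
    """Louvain phase 1: move each node to the neighbouring community with the
    best modularity gain, repeating until no node moves."""
    deg = {n: sum(nb.values()) for n, nb in adj.items()}
    m2 = sum(deg.values())
    comm = {n: n for n in adj}   # start with one community per account
    tot = dict(deg)              # summed degree of each community
    moved = True
    while moved:
        moved = False
        for n in sorted(adj):    # fixed order keeps the result deterministic
            old = comm[n]
            tot[old] -= deg[n]   # take n out of its current community
            links = defaultdict(float)
            for nb, w in adj[n].items():
                links[comm[nb]] += w
            best, best_gain = old, links[old] - tot[old] * deg[n] / m2
            for c in sorted(links):
                gain = links[c] - tot[c] * deg[n] / m2
                if gain > best_gain:
                    best, best_gain = c, gain
            comm[n] = best
            tot[best] += deg[n]
            moved = moved or best != old
    return comm

def groups(comm):
    """Partition as a sorted list of sorted member lists."""
    out = defaultdict(list)
    for n, c in comm.items():
        out[c].append(n)
    return sorted(sorted(v) for v in out.values())
```

On the sample graph the weak bridge between `news_c` and `fan_x` is not enough to merge the two groups, which is the property that lets distinct narrative communities be separated even when a few accounts interact across them.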
This analysis shows how, very quickly, two main risk vectors emerged:
1. Narratives negatively impacting the reputational integrity of Vodafone’s operations in Portugal
2. Narratives sowing discord and discouraging trust in Portuguese institutions
Key risks to the affected organization’s corporate reputation identified across the public digital conversation included:
1. Criticism about the service at private, business, and state (emergency channels in Portugal) levels.
2. Affected customers requesting economic compensation.
3. Criticism about the institutional communication management of the affected company.
4. Users and experts emphasize the affected company’s immediate need to invest in a security team and to give its customers greater confidence.
5. Users express skepticism about the affected company’s cybersecurity services offering.
6. Lack of trust related to the affected company’s portfolio of services
7. Users have claimed that the cyberattack was executed primarily by Russian agents.
8. The affected company is accused of influencing and encouraging conspiracy messages. Users allege that the cyberattack was an institutional front fabricated in the face of a massive failure of its services.
Several media outlets have publicized that the cyberattack occurred due to a failure in SMS authentication; supposedly, a Vodafone employee had their SIM cloned, which allowed the SMS authentication code to be used to access Vodafone’s system. Telecommunications experts have suggested eliminating this type of “security” through SMS, indicating that, in the past, other cyberattacks used the same entry route.
The cyberattack targeting critical infrastructure services also generates negative sociopolitical perceptions related to the country where the attack occurred. Several distinct conversations emerge that exhibit division and skepticism associated with the political context in Portugal. These types of vulnerable narratives present a geopolitical risk and can be a principal risk vector for state threat actors that aim to sow discord.
Vulnerable narratives identified related to the sociopolitical perception of Portugal included:
1. Concern and fear related to simultaneous alleged incidents in the country, including Vodafone, a university in Lisbon, and the laboratory Germano de Souza. A possible scenario is considered in which Portugal could be the target of imminent attacks.
2. Comments and conversations attack the government due to a lack of national security leadership.
3. Users connect the current political crisis between Russia and Ukraine as a reason for the attacks, indicating that Russian agents could have been the main executors of the cyberattack on Vodafone. The attack is labeled a terrorist act, and several users question Portugal’s position in the conflict between Ukraine and Russia, signaling social instability in Europe promoted by Russia.
4. Allegations of links between Portuguese activists and the Vodafone Portugal cyberattack are driven by hate speech and mainly promoted by football supporters.
5. Several news outlets publish an alleged conversation thread in which a hacker offered illegal access to a Portuguese telecommunication operator’s computer system in a Russian forum, Exploit.in: Zap.aeiou.pt; dinheriovivo.pt; express.pt
6. Generalized social perception that the attack had been executed by Russian agents.
7. The Vodafone Portugal cyberattack is labeled a fascist attack.
The expected increase in attacks targeting critical infrastructure will likely produce further similar situations in which:
A. Private organizations will be targeted and suffer the reputational effects of diverse conversations and assertions related to the impact of potential cyberattacks and the ongoing geopolitical crisis in Ukraine
B. Countries may see the deterioration of digital discourse, influenced by conspiratorial narratives and unsubstantiated allegations related to the impact of affected critical infrastructure within the context of the continued geopolitical crisis concerning Russia and Ukraine
The rapidly increasing relevance of these threats must be a strategic priority for private companies—especially those in sectors delivering critical infrastructure services—and public national security bodies. Constella Dome is key to protecting executives, employees, or VIPs—including public authorities and executives in private companies, specifically those linked to critical infrastructure such as energy, finserv, telecommunications, or pharma—which are consistent, high-value targets in hybrid cyberwar operations. Real-time monitoring of these reputational risks both before and after any cyberattack is critical to mitigating the risks. Although these threats may emerge in distinct geographies or sectors, we have seen how cyberattacks and information operations have the potential to drive the widespread diffusion of propaganda and inflict reputational damage, impacting both the affected private companies and the sociopolitical contexts in which these attacks occur.