NATO is investigating an apparent cyber incident after hackers posted a link to more than 700 internal documents, a NATO official told CyberScoop on Wednesday.
It’s not clear how SiegedSec, the group that posted the link on Telegram July 23, obtained the documents. A cursory review by CyberScoop showed roughly 710 files purportedly obtained from the NATO Community of Interest Cooperation Portal, which the agency says is an “unclassified information sharing and collaboration environment.”
“NATO cyber experts are actively looking into the recent claims associated with a Communities of Interest Cooperation Portal,” a NATO official said in an email. “We face malicious cyber activity on a daily basis and NATO and Allies are responding to this reality, including by strengthening our ability to detect, prevent and respond to such activities.”
The files, some dating to this month and others several years old, reveal agency personnel names and contact information, lists of software used for various purposes (along with vendor information and version numbers) and much more.
“Do you like leaks? Us too!” read a message posted alongside screenshots of the purported document and a link to download the full set. “Do you like NATO? We don’t! And so, we present … a leak of hundreds of documents retrieved from NATO’s COI portal, intended only for NATO countries and partners.”
The group also claimed its attack on NATO “has nothing to do with the war between Russia and Ukraine, this is a retaliation against the countries of NATO for their attacks on human rights (- Also, it’s fun to leak documents ^w^). We hope this attack will get the message across to each country within NATO.”
The Department of Defense did not immediately respond to a request for comment.
SiegedSec is known for politically motivated attacks that typically don’t have a financial connection. Earlier this month, the group claimed an attack on satellite receivers and industrial control systems around the U.S., “particularly in states banning gender affirming care.” Last summer it claimed attacks on state government agencies in Kentucky and Arkansas over those states’ legislative efforts to limit access to abortion.
After those operations, a SiegedSec member told CyberScoop the group focuses “more on the message than the money. Although we mostly consider ourselves more blackhat than hacktivists. Money is not our main goal, most of the time we just want to have fun and destroy stuff.”
In April, a pro-Russian hacktivist persona known as Killnet created a Telegram channel called “KILLNET – [F***] NATO” and posted more than two dozen files purportedly stolen from NATO, along with alleged usernames and passwords associated with NATO systems. Cybersecurity experts, including several at Google’s Mandiant, said in a July 20 report that at least some of the documents appeared legitimate and represented a “significant increase in capability” for a group known previously for annoying but relatively low-level distributed denial-of-service attacks.
There’s no indication of any links between SiegedSec and Killnet.
“Over the last few months there have been claims by multiple groups of NATO leaks but the screenshots they’ve provided look legitimate,” Rosa Smothers, a former CIA cyberthreat analyst and current executive at KnowBe4, said in an emailed statement. “Full names, photos and home addresses were included in the leaked data which poses a direct threat to those NATO personnel.”