Expresso's newsroom. Photo credits: João Carlos Santos/Expresso. Library

Portugal’s Expresso newspaper still recovering from debilitating ransomware attack

Portugal’s Expresso newspaper still recovering from debilitating ransomware attack

‘It is a way of deliberately destroying the means of production of the media’. It has been a month since the Portuguese weekly newspaper Expresso became the victim of a ransomware attack, causing it to lose access to its website, its archives, and its Twitter account. How is the newspaper recovering from such a disruptive event?

On Sunday, January 2, 2022, the Portuguese newspaper Expresso became the victim of a ransomware attack by a hacker organization called Lapsus$.

Late in the evening, Lapsus$ succeeded in gaining access to the servers of Expresso, one of Portugal’s biggest newspapers.The hackers dismantled Expresso’s archives, and sent tweets from the newspaper’s verified Twitter account. The hackers also sent a phishing email to Expresso’s subscribers. Simultaneously, Lapsus$ hacked the Portuguese television broadcaster SIC and dismantled its system. Both SIC and Expresso are owned by Impresa, one of Portugal’s biggest media conglomerates.

It was an attack that no one saw coming. “We were surprised, so surprised”, Micael Pereira, a senior reporter at Expresso, told IPI. “We were shocked when we learned the website was taken down, and that our Twitter account did not work anymore. On the website, there was a blank page with a message from a group called Lapsus$. They were demanding ransom.”

It was the first time Lapsus$ launched an attack in Portugal. Earlier that month, Lapsus$ had hacked Brazil’s Health Ministry website, taking several systems down, including one with information about the national immunization program and another used to issue digital vaccination certificates.

Recovery

The cyberattack has been a disruptive event for Expresso, Pereira told IPI. The newspaper still has a long recovery ahead of it. The website currently runs on a temporary system, using WordPress as a backend. The paper lost access to all its data. “We could not and still cannot access our digital archives, which not only contained content from Expresso, but also from other newspapers. SIC TV lost access to the digital archives of videos and relies on physical backups, such as hard drives and tapes.”

To design the newspaper over the past month, Expresso has been using an old system, which felt like “going back to the nineties”, according to Pereira. “Normally, we have software that allows us to write directly into the pages so that we can see how much space we have. But the past month we needed to write with a very specific amount of characters in our head. That text then needed to be transported to another system, a very complicated and timely process. Luckily, our team managed to go back to the more modern system recently.”

Recovering from the attack has been difficult, but Pereira is still proud of the work his team produces. “Luckily, we are a weekly paper. If it had been a daily paper, it would have been much crazier and much more difficult to get everything done in time.”

New perspective

The cyber attack has fundamentally changed the newspaper’s approach to online security, Pereira said. “Not only is our IT department making important changes to our backend for better protection, but the attack has also educated our team as a whole. Before the attack, we of course constantly received repeated messages from our IT department, encouraging us to change our passwords, to not click that suspicious phishing link. But only now do we fully understand the importance of this.”

Since the attack, Pereira – a member of ICIJ, the International Consortium of Investigative Journalists – has received numerous questions about security from his colleagues. “As a journalist, I have covered many stories on leaks, for example on the Panama Papers and the Paradise Papers. Now my colleagues have asked me for advice on their password manager, their apps, and antivirus systems. Even their home computers are important, as our personal computers have access to the company’s accounts. There is a lot that needs to be changed.”

In addition, Pereira believes awareness needs to be built by giving security training to the whole organization. “Not only to the journalists, but also to people in administrative departments and commercial departments, for example.”

Criminal investigation ongoing

Besides the newspaper’s continuing recovery, there is currently a criminal investigation ongoing into who was behind the attack, and what precisely happened. “This is very necessary, since we do not know if Lapsus$ stole any information from our servers”, Pereira said. “Especially in regards to our sources, this is important to find out.”

There are also still many questions about Lapsus$’s motivation. “The puzzling aspect is that although there was this initial ransomware attack, there was no follow-up”, Pereira said. “In the end, Lapsus$ stopped asking for money and we did not pay them anything. This makes their motivation somewhat of a mystery for me, as Lapsus$ also does not seem to have an ideological approach.”

Despite these unsolved questions, Pereira calls the event a “clear attack against press freedom”. He added: “It was hard, we were not able to do live interviews through Skype or Zoom because they were taken out by the attackers. All the images, all the footage, there was nothing we could use. It was, and is, terrible to recover from that night. It is a way of deliberately destroying the means of production of the media, destroying the capability of a newspaper.”

This article by IPI is part of the Media Freedom Rapid Response (MFRR), a Europe-wide mechanism which tracks, monitors and responds to violations of press and media freedom in EU Member States and Candidate Countries.

IPI as part of MFRR