Vodafone Portugal: Restoration in Progress Post-Cyberattack'Deliberate' Attack Affected Data Services, ATMs on Telco's Network
Its data networks, including 4G/5G network, fixed voice, television, SMS and voice/digital answering services, were affected on Monday night, the statement says. ATM networks of unidentified large banks connected to the Vodafone 4G network were also disrupted. Interbank network Multibanco reportedly had "some occasional instability" in its services because of the cyberattack.
Preliminary investigation shows no evidence of the unidentified threat actors accessing or compromising customer data, Vodafone says.
On Tuesday night, the telecom services provider said in an update that its 4G network services had been partly restored in certain parts of the country.
"Vodafone started to restore mobile data base services over its 4G network following an intense and demanding replacement operation. This start up is currently limited to restricted areas of the country, and is gradually being expanded to the greatest possible number of customers," according to the update.
It also said that the restored services were "subject to some limitations," such as speed, to "ensure better monitoring of network usage, as well as a more equitable and sustainable distribution of the [available] capacity" among its customers.
Attack Details and Disruption Caused
During the night on Monday, the telecom company's internal team observed the network disruption and identified the source of the issue as a targeted cyberattack, intended to cause "damage and disruption," according to its statement.
The company says it took "immediate containment and service restoration measures," but a majority of its mobile and television services across the country were affected before the mitigation measures were deployed.
The scale at which the cyberattack disrupted the services implies the need for "careful and prolonged [restoration] work," the statement says, adding that the recovery process will be completed in the "next few days."
Vodafone Portugal CEO Mário Vaz, in a video address to customers, says that the cyberattack destroyed several central elements of the company's networks. This includes redundant systems that are only activated during a network failure, indicating that the attackers went after the company's backup systems as well, he says.
Addressing local journalists in a press conference and responding to customer queries posted in response to the above video message, Vaz says:
- The attack was targeted at mobile and television networks. Other IT systems and landline services were not affected.
- Businesses and public services, including ambulance services, fire departments and hospitals using Vodafone's services were also affected.
- The nature and origin of the attacks is unknown, and no ransom was demanded.
- The attacks cannot be attributed to any group or nation-state actors as no such evidence has been discovered yet.
- The Portuguese police, along with other national and international teams, as well as external partners, are investigating the incident.
On the first night of the cyberattack, the company's technical teams established a security perimeter and began rebuilding the affected network elements. "This is likely not to be solved shortly as orchestration is complex," Vaz says.
Since Vodafone Portugal's 4G and 5G services were primarily disrupted during the attack, the company has pushed all mobile voice and data services to its 3G network as a business continuity measure, according to the company's statement on Monday.
Vaz, in a LinkedIn post, says: "From the first hour, Vodafone is, through the unceasing work of its technical teams, trying to restore as soon as possible the services that we unintentionally fail to provide to our customers. A commitment that stands. Once we have secured access to basic mobile voice services, we are focused on restraining the operation of mobile data services over 4G networks, a goal we are very close to achieving."
Vaz did not share updates on when 5G services are likely to be restored.
The latest attack on Vodafone Portugal is a prime example of the serious and potentially life-threatening impact the loss of technology can have when it's disrupted, Ron Bradley, vice president of third-party risk assessment firm Shared Assessments, tells ISMG, referring to the likely disruption the attack caused to essential services such as hospitals, ambulances and the fire department.
"While the details of the attack remain largely unknown, the downstream effects of losing the ability to communicate is crippling. The need for resiliency, especially for critical infrastructure, cannot be overstated. Building in redundancy and having the ability to fail over to alternate systems is an absolute must," he says.
In this case, however, alternate systems also seem to have been targeted, which is a bigger cause of concern, Bradley says.
An attack on the communications sector, one of the 16 CISA critical infrastructure components, "is an attack on the country itself," Garret Grajek, CEO of cloud-based identity auditing solutions provider YouAttest, tells ISMG.
"The methods and operations of this attack must be analyzed, quantified and the mitigation must be communicated and repeated to other communication enterprises. The attackers are looking for any and all vulnerabilities and the seriousness of the events cannot be underestimated, especially since it is a part of a critical infrastructure."