Cyber security firm detects NATO data breach in Bengaluru

According to NATO, unclassified information should only be used for official purposes. The cyber security firm has its headquarters in Singapore.
Image used for representational purpose only. (File Photo)

BENGALURU: A team of cyber security researchers at CloudSEK -- a Bengaluru-based research facility that predicts cyber threats -- is said to have found a “significant” data breach affecting NATO’s Communities of Interests (COI) Cooperation Portal. The North Atlantic Treaty Organisation (NATO) is said to be examining the breach, which was allegedly orchestrated by SiegedSec -- a threat actor group known for carrying out politically motivated cyber attacks without making ransom demands. The breach was first detected by CloudSEK on July 24.

“SiegedSec getting access to a compromised user account has exposed unclassified documents and sensitive user-related information from approximately 31 nations,” Bablu Kumar, cyber intelligence analyst, CloudSEK, told TNIE.

“CloudSEK’s XVigil contextual AI digital risk platform, known for its proactive threat intelligence capabilities, is actively collaborating with relevant authorities to mitigate the impact of this data breach,” said Darshit Ashara, head of Security Research & Threat Intelligence, CloudSEK.

Giving details about the alleged breach, Kumar said that on July 24, CloudSEK identified a Telegram post made by SiegedSec, claiming responsibility for the successful compromise of NATO’s COI Cooperation Portal.

“The leaked data, comprising approximately 845 MB of compressed information, includes unclassified documents owned by NATO and pertaining to the partnered countries. It contained 8,000 records of user-related sensitive information such as full name, company/unit, working group, job title, business email IDs, residence address, photo, etc. Our analysis shows at least 20 unclassified documents are among the leaked data,” said the researcher.

Speaking about the investigation that led to the detection of the data breach, Kumar said the CloudSEK researchers “identified that the login process is vetted by the site owner. With low confidence and no direct proof, we assessed that the credentials for the compromised user account may have likely been sourced from stealer logs”.

“Our investigation suggests that SiegedSec has been actively targeting organisations worldwide since April 2022. Unlike some other threat actors, SiegedSec does not have a history of employing ransomware attacks. Their modus operandi revolves around selectively targeting specific organizations and releasing leaked data to promote chaos and instigate wider repercussions,” he added.

Meanwhile, SiegedSec stated that this data breach is “not related to the ongoing Russia-Ukraine conflict”. Said Kumar, “Instead, they claimed that it is an act of retaliation against NATO countries that are perceived to be disregarding human rights issues. The motivation behind the attack highlights the evolving landscape of cyber-warfare and the potential implications for geopolitical tensions.”

CloudSEK has advised all users of the COI Cooperation Portal and affiliated organizations to remain vigilant and review their security practices. “All stakeholders need to take necessary precautions to secure their data and infrastructure in light of this breach. We are closely working with relevant authorities to address the situation comprehensively and ensure that appropriate measures are in place to prevent similar incidents in the future,” said Ashara.


The New Indian Express