History of Portuguese Hacking

Exploring the evolution of hacking culture and cybersecurity in Portugal

Early Days: BBS and Phreaking

The Portuguese hacking scene has its roots in the Bulletin Board System (BBS) era of the 1980s and early 1990s. These early online communities served as gathering places for tech enthusiasts, fostering the exchange of information and the development of hacking skills.

During this period, phone phreaking – the manipulation of telephone systems – was also prevalent. This practice laid the groundwork for more advanced hacking techniques and contributed to the growth of a tech-savvy subculture in Portugal.

Rise of Hacktivism

The mid-1990s saw the emergence of hacktivism in Portugal, particularly in support of East Timorese independence. This period marked a shift from purely technical pursuits to politically motivated hacking.

Notable events include:

These activities not only brought attention to political causes but also showcased the technical capabilities of Portuguese hackers on an international stage.

Major Incidents and Developments

  • 1980s: Early BBS Era - Emergence of Bulletin Board Systems in Portugal, laying the groundwork for early hacking communities.
  • 1995: First Digital Protests - Early hacktivism targeting Indonesian government websites in support of East Timorese independence.
  • 1996: PHAIT Formation - Portuguese Hackers Against Indonesia Tyranny (PHAIT) formed, marking the beginning of organized Portuguese hacktivism.
  • 1997-1998: Free East Timor Campaign - TOXyn group launched the first sustained defacement campaign in hacking history.
  • 2008: Anonymous Portugal Emerges - Anonymous Portugal becomes active, marking the beginning of organized hacktivism in the country.
  • 2011-2012: LulzSec Portugal Operations - LulzSec Portugal conducts several high-profile attacks on Portuguese targets.
  • 2022: Zambrius Case - Conviction of young Portuguese hacker known as 'Zambrius' who began his activities at age 16, marking one of the most recent major cybercrime cases in Portugal.
  • 2022-2024: RaidForums Case - International operation leads to arrest of Portuguese RaidForums administrator Diogo Santos Coelho, followed by ongoing extradition proceedings.
  • 2024: Global Recognition - André Baptista recognized as the world's most valuable hacker, showcasing Portugal's cybersecurity expertise.

Notable Hacking Groups

Several hacking groups have played significant roles in shaping Portugal's cybersecurity landscape:

  • TOXyn - Known for the Free East Timor campaign
  • Pulhas - One of the oldest Portuguese hacking groups
  • KaotiK - Created the first Portuguese hacking & security e-zine
  • F0rpaxe - Responsible for major attacks against US military targets
Anonymous Portugal

Anonymous Portugal emerged as a significant force in the Portuguese hacking scene in 2008. As part of the global Anonymous movement, this decentralized group has been involved in various hacktivist operations, both domestically and internationally. Their activities range from targeting government institutions and corporations to supporting global causes and freedom of information.

Notable Actions:

  • 2008: Initial online presence established with help from the international hacking community, involving technically sophisticated attacks
  • 2010: Participation in Operation Payback, targeting anti-piracy organizations
  • 2011: Assisted in providing internet access to activists during the Tunisian and Egyptian revolutions, supporting the Arab Spring movements
  • 2011: Defacement of several Portuguese government websites in protest against corruption and censorship
  • 2013: Operation "Salvar o SNS" (Save the National Health Service), targeting health ministry websites to protest budget cuts
  • 2015: #OpPedoChat, a campaign against child exploitation, targeting and exposing alleged pedophiles
  • 2018: Attacks on Brazilian government websites in solidarity with protests in Brazil

Anonymous Portugal's activities have raised public awareness about various social and political issues, while also highlighting vulnerabilities in Portuguese digital infrastructure.

Interestingly, there are whispers within the hacking community that one of the oldest and last remaining original Anonymous members, known as "Sab0tage", is Portuguese. While this claim is unverified, it adds to the mystique surrounding Anonymous Portugal and its potential influence within the global Anonymous movement. Such rumors highlight the difficulty in tracing the true origins and membership of decentralized hacking groups.

LulzSec Portugal

LulzSec Portugal, an offshoot of the international LulzSec group, was active primarily in 2011 and 2012. Known for their more chaotic and provocative approach, LulzSec Portugal conducted several high-profile attacks on Portuguese targets, showcasing advanced hacking techniques and exposing significant vulnerabilities in various sectors.

Key Operations:

  • 2011: Hack of the Portuguese Parliament website, leaking sensitive information including internal emails and login credentials of government officials
  • 2011: Breach of the Portuguese Ministry of Finance, exposing confidential financial data and tax records
  • 2012: Major attack on multiple Portuguese universities, including the University of Lisbon and the University of Porto, exposing security flaws in academic networks and leaking student and faculty data
  • 2012: Coordinated attacks on several Portuguese banks, including Banco de Portugal and Caixa Geral de Depósitos, temporarily disrupting online banking services and exposing vulnerabilities in financial systems
  • 2012: Hack of Portugal Telecom, compromising customer data and revealing internal communications
  • 2012: Defacement of multiple government websites, including the Ministry of Internal Administration, leaving taunting messages and LulzSec logos

LulzSec Portugal's attacks were characterized by:

  • Sophisticated SQL injection techniques to bypass security measures
  • Use of custom-built tools for data exfiltration and network mapping
  • Exploitation of zero-day vulnerabilities in both custom and off-the-shelf software
  • Social engineering tactics to gain initial access to targeted systems
  • Public disclosure of stolen data through file-sharing platforms and social media

The activities of LulzSec Portugal, while short-lived, significantly impacted the perception of cybersecurity in Portugal. These attacks led to increased investment in digital security measures across various sectors, prompted a national dialogue on cybersecurity, and resulted in the formation of specialized cybercrime units within Portuguese law enforcement agencies.

The Zambrius Case

In 2022, the Portuguese cybersecurity landscape was marked by the case of "Zambrius", a young hacker who began his activities at age 16. His case represents one of the most recent major cybercrime convictions in Portugal, highlighting both the technical sophistication of young Portuguese hackers and the increasing effectiveness of law enforcement in addressing cybercrime.

Cybersecurity illustration from Zambrius case coverage
Source: SIC Notícias

The Zambrius case particularly stands out for demonstrating how young Portuguese hackers have developed significant technical capabilities, often starting their activities during their teenage years. This case also led to increased discussions about youth cybercrime and the importance of channeling technical talents into ethical hacking and cybersecurity careers.

The NATO Documents Breach
NATO documents breach news coverage
Source: Observador

In September 2022, Portugal's cybersecurity capabilities were tested when classified NATO documents sent to the Portuguese Armed Forces General Staff were intercepted by hackers. The documents were subsequently offered for sale on the dark web, marking one of the most serious breaches of military communications in recent Portuguese history.

Impact and Response:

  • Highlighted vulnerabilities in military communication channels
  • Led to immediate security protocol reviews within Portuguese military infrastructure
  • Prompted increased cooperation between Portuguese and NATO cybersecurity teams
  • Resulted in enhanced security measures for handling classified documents

This incident underscored the growing sophistication of cyber threats targeting military and government institutions, leading to significant improvements in Portugal's cybersecurity protocols for handling sensitive international communications.

Critical Infrastructure Attacks (2022)

2022 marked a significant year for cyberattacks against Portuguese critical infrastructure, with multiple high-profile incidents affecting media, telecommunications, and aviation sectors.

Media and Telecommunications

The year began with consecutive attacks on communication infrastructure:

Aviation Sector Attack

In September 2022, TAP Air Portugal suffered a significant data breach:

  • Hackers successfully exfiltrated passengers' personal data
  • Stolen information was subsequently published online
  • Incident highlighted vulnerabilities in aviation sector cybersecurity
  • Led to enhanced data protection measures across Portuguese aviation industry

These attacks demonstrated a concerning trend of targeting critical national infrastructure and essential services, prompting increased investment in cybersecurity measures across multiple sectors.

Telecommunications Infrastructure Attacks

Portuguese hackers have demonstrated significant capabilities in targeting telecommunications infrastructure, with the February 2022 Vodafone Portugal attack being a notable example. This incident caused widespread disruption to the country's telecommunications services, affecting millions of customers and highlighting the vulnerability of critical infrastructure.

Impact and Significance:

  • Disruption of 4G/5G networks across Portugal
  • Affected SMS services and television networks
  • Demonstrated the potential impact of cyberattacks on critical infrastructure
  • Led to increased focus on telecom security measures
  • Highlighted the need for robust incident response plans

While Vodafone Portugal reported no breach of customer data, the incident served as a wake-up call for the telecommunications sector and led to enhanced security measures across Portuguese telecom operators.

Modern Era: From Underground to Mainstream

The 21st century has seen a transformation in the Portuguese hacking scene, with a shift from underground activities to mainstream recognition in cybersecurity:

  • Increased focus on ethical hacking and cybersecurity research
  • Growth of cybersecurity startups and initiatives in Portugal
  • Recognition of Portuguese hackers in global competitions and bug bounty programs
  • Integration of hacking skills into national cybersecurity strategies

This evolution reflects broader changes in the global perception of hacking, with many former hackers now working as cybersecurity professionals and consultants.

The ongoing case of Diogo Santos Coelho, the Portuguese administrator of RaidForums arrested in 2022, highlights the complex legal challenges facing hackers in the modern era. In early 2024, facing potential extradition to the United States, Coelho expressed his intention to turn himself in to expedite his eventual return to Portugal, demonstrating the increasing international scope of cybercrime prosecution.

International Recognition and Advanced Capabilities

The Portuguese hacking elite has gained significant recognition in international cybersecurity circles, known for their highly technical skills and stealthy operations. A prime example is Pedro Ribeiro, a security researcher from Coimbra who has achieved international acclaim in the prestigious Pwn2Own competition.

Pedro Ribeiro, Portuguese cybersecurity expert
Source: Exame Informática

Notable Achievements:

  • Success in Pwn2Own, one of the world's most prestigious cybersecurity competitions
  • Discovery of critical vulnerabilities in industrial software that could have led to catastrophic scenarios
  • Earnings exceeding $100,000 from bug bounty programs and security competitions
  • Expertise in reverse engineering and hardware/software exploitation
  • Contributions to improving global industrial cybersecurity

Portuguese hackers' capabilities extend across various domains:

  • Advanced persistent threat (APT) techniques
  • Sophisticated exploitation of long-standing vulnerabilities
  • Ability to conduct high-profile attacks while maintaining low visibility
  • Expertise in evading detection by top-tier security systems
  • Reverse engineering and vulnerability research
  • Industrial control systems security

The technical prowess of Portuguese hackers has been acknowledged by international cybersecurity agencies and experts, with individuals like Pedro Ribeiro demonstrating Portugal's growing influence in the global cybersecurity landscape. Their work spans from critical infrastructure protection to cutting-edge security research, contributing to both national and international cybersecurity efforts.

Legacy and Future Outlook

The history of Portuguese hacking has left a lasting impact on the country's tech landscape:

  • Contributed to the development of a strong cybersecurity sector in Portugal
  • Influenced national policies on digital security and privacy
  • Inspired a new generation of ethical hackers and security researchers
  • Positioned Portugal as a significant player in the global cybersecurity arena
  • Established a reputation for high-level technical expertise in international cybersecurity circles

As technology continues to evolve, the Portuguese hacking scene is likely to play an increasingly important role in shaping the country's digital future and contributing to global cybersecurity efforts.