• Bullish open letter says the operator is a “force they will never be able to erase”.
• Mário Vaz, Vodafone Portugal CEO, says recovering from “terrorist” incident will be a “lengthy” job.


“They shut down schools and hospitals”: Vodafone Portugal laments hackers

Source: Flickr / Kārlis Dambrāns

Vodafone Portugal penned an open letter chastising those behind the recent cyberattack on its operations, conceding it may never understand the hackers’ motivations.

Publishing the letter via multiple national Portuguese media outlets, Vodafone Portugal Chief Executive Mário Vaz deplored the attackers for “[shutting down] schools, hospitals, firefighters, companies, families… the lives of millions of Portuguese”.

“We don’t know, and maybe we’ll never know why. Maybe the idea that they could destroy who we are, what we work and build every day, with employees, customers, partners, the state, and civil society.”


Taking something of a melodramatic turn, the letter added that technology has “astronomical power”, but “what distinguishes us is what we do with it. It will always be at the service of good”.

“We will always be on the right side. This is the force that they will never be able to erase”, the letter concluded.

An act of terrorism?

Vodafone stabilised its network operations after a week of “non-stop” restoration work. Its entire connectivity systems were forced offline on 7 February, before being incrementally restored, service by service, until completion four days later.

At the time, Vaz said the network was subject to a “terrorist and criminal act”. The relevant authorities are supporting Vodafone’s investigation into the matter, which the CEO described as unprecedented in terms of scale and severity.

“The aim of this attack was clearly to make our network unavailable and with a level of severity to make the restoration of services as difficult as possible.”


Impact felt nationally

The attack caused disruption for four million Vodafone Portugal customers, with problems in the provision of all services, including data, SMS, TV, and voice. The operator has said it does not believe any customer data was compromised.

Services were taken offline late on 7 February. An hour later, Vodafone restored voice services, with 3G connectivity following shortly after, “in almost the entire country”. SMS services were recovered early on 8 February, with TV provision partly restored overnight. Vodafone’s 4G connectivity was restored incrementally in limited parts of the country, with maximum speed caps put in place to ensure “equitable and sustainable distribution” of bandwidth.

By 11 February, all services were re-established (though with a warning that “occasional instability” would continue in the short term).

Much of the immediate impact was on consumers, but the operator’s enterprise and public sector clients also faced problems. The country’s emergency services rely on Vodafone connectivity, and the Portuguese ambulance operator INEM was forced onto its contingency plan. Other impacted services include Multibanco’s ATM network, which relies on Vodafone’s 3G connectivity.

Investigation (and recovery) ongoing

The attack is being treated as a criminal act, with Vaz going so far as to suggest it was an act of terrorism, but no party has claimed responsibility. Local police ruled out a financial motivation early in the investigation.

Local outlet Expresso reported that a tender for access to data from a Portuguese telecoms company was submitted on Russian online forum Exploit.in a week before the attack. Expresso added that the tender, identified by US cyber-intelligence firm Mandiant, offered illegal access to the data for a price between $1bn (£736m/€883bn) and $4bn.

The reports are being investigated by Portuguese police. Vodafone notified authorities that some data had been breached, but said customer data was not affected.

In a press release published after services were restored, Vodafone said “there is still a lot of work ahead to ensure the sustainability of operations”. It added that it will “collaborate closely” with the relevant authorities.

The incident represents Portugal’s second high-profile cyberattack in as many months. In January, national media conglomerate Grupo Impresa had two of its online news outlets taken offline by ransomware group Lapsus$, which shared false news messages and contacted subscribers via Impresa’s compromised Amazon Web Services account. Again, the attack is the subject of a police investigation.