🚀 CloudSEK has raised $19M Series B1 Round – Powering the Future of Predictive Cybersecurity
Read More
Home
Threat Intelligence Posts
Data leaks

SiegedSec Allegedly Breached NATO’s COI Portal Affecting 31 Nations Leaked Sensitive Data

SiegedSec claims to have exposed unclassified documents for NATO’s COI Cooperation Portal which is NATO's unclassified information-sharing and collaboration environment.The leak consists of 845 MB of compressed data.
Updated on
July 26, 2023
Published on
July 26, 2023
Read MINUTES
5
Subscribe to the latest industry news, threats and resources.

Category:  Adversary Intelligence

Industry:  Government

Motivation: Reputation

Region: Multiple

Source*

A: Reliable

2: Probably true

Executive Summary

  • SiegedSec claims to have exposed unclassified documents for NATO’s COI Cooperation Portal which is NATO's unclassified information-sharing and collaboration environment.
  • The leak consists of 845 MB of compressed data.
  • The leaked information includes unclassified documents pertaining to the partnered countries and access to user accounts.
  • Around 8K rows of user-related sensitive information.

Analysis and Attribution

Information from the Post

On 24 July 2023, CloudSEK’s contextual AI digital risk platform XVigil discovered a Telegram post where a highly reputed threat actor group disclosed the data breach of the COI (Communities of Interests) Cooperation Portal, NATO's unclassified information-sharing and collaboration environment. The portal supports NATO organizations, NATO Nations, and their mission partners' public administration.

Alleged Access to COI Corporation Portal


According to NATO’s definition,  unclassified information should only be used for official purposes, and not be released without authorization nor published online.

  • The actor mentioned in the post that the following information has been leaked:
    - Documents marked NATO UNCLASSIFIED is managed and owned by NATO pertaining to the partnered countries.
    - Access to user accounts
  • The claim highlights that approximately 31 nations have been impacted by this leak with around 845 MB of compressed data exposed.
  • As per the official website, we identified the login process is vetted by the site owner.
  • With low confidence and no direct proof, we assess that the credentials for the compromised user account may have likely been sourced from stealer logs.

Motivation

  • According to the post, the group responsible for this action asserts that the leak is unrelated to the ongoing conflict between Russia and Ukraine. 
  • Instead, it is portrayed as a form of retaliation targeting NATO countries that are perceived to be disregarding human rights issues.

Analysis of the Data

The data is fully available for download. It contains 8K records of user-related sensitive information such as:

  • Full name, 
  • Company/Unit
  • Working group
  • Job Title
  • Business Email ID
  • Residence address
  • Photo

According to NATO’s definition,  unclassified information should only be used for official purposes, and not be released without authorization nor published online. Our analysis suggests that there are at least 20 unclassified documents in the leak.

Threat Actor Activity and Rating

Threat Actor Profiling

Active since

April 2022

Reputation

High

Current Status

Active

History

The SiegedSec group has been targeting organizations worldwide since they are active. They don’t have a ransomware history. Some hacks are chosen victims, others are aleatory. They like to make the leaks available for download and promote chaos with it.

Rating 

A2

Contact

[email protected]

https://t.me/SiegedSec_Chat

References

Appendix

Screenshot of documents 

NATO’s COI (Communities of Interests) Portal


Users’ sensitive data

Other documents pertaining to NATO partners

User registration process vetted by the site owner

Unclassified documents (for specified official only)

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.
Recent Posts

Recent Articles

Critical CSRF Vulnerability in IBM CICS TX - CVE-2023-42027 Demands Immediate Action
November 15, 2023
CVE-2023-43792 baserCMS is a website development framework vulnerable to Code Injection attacks
November 6, 2023

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations
Get started
Learn more