Last year, hundreds of Brazilian authorities had their cell phone security breached by amateur hackers. Some of the country’s biggest political figures were affected, including President Jair Bolsonaro, Supreme Court justices, the heads of both congressional houses, the prosecutor general, and Economy Minister Paulo Guedes. The most visible face of this massive hack was the so-called “Car Wash Leaks,” when website The Intercept began leaking private messages exchanged by members of Operation Car Wash — eviscerating the inner workings of the anti-corruption probe.
Now, Brazil faces a potentially more severe attack.
The Federal Police and a group of information security experts are investigatinga hack of the Superior Court of Justice. An unknown group infected the network of Brazil’s second-highest judicial body on Tuesday — since then, justices have been unable to access their emails or any of the 250,000-plus cases under their jurisdiction.
As a means of damage control, the court’s IT department has taken its website off the air. So far, the problem remains unsolved — and its origin, unknown.
Civil servants working in the court told The Brazilian Report that the hack was likely made possible due to vulnerabilities generated by users remotely accessing the court’s network from home — using unprotected internet connections. IT experts advised all 33 justices and 2,900 workers not to use their work computers until the problem is solved.
It took the court’s IT department around six hours to identify and act upon the attack. The team tasked with solving the issue suspects the hacker (or hackers) could have encrypted the court’s entire database — including backup files. It could be a case of ransomware similar to one that occurred in Baltimore last year, when hackers seized parts of the systems which run the municipal government, demanding money for their release.
IT experts are trying to restore important case files by way of physical backups, which exist precisely for such cases. However, it remains unclear if all data will be restored — that will depend on the date of the last backup.
Military officials specializing in cybercrime spent the day at the Superior Court of Justice, assisting in the investigation.
Meanwhile, trials have been suspended — including one involving former President Luiz Inácio Lula da Silva — and all procedural deadlines have been waived until November 9.
Government on alert against hackers
Other public agencies suffered attacks, though it is unclear whether they are by the same perpetrators. Employees of the Health Ministry reported network instability on Thursday, with electronic databases of Brazil’s public health system (SUS) and work emails being unavailable. “I couldn’t even open even files stored on a flash drive. It’s as if everything was locked,” one civil servant told The Brazilian Report.
Meanwhile, several institutions of the local government in Brasília took their systems offline after malicious attacks were spotted by IT experts. Among the affected agencies include the capital’s Traffic Department, public healthcare network, and even public schools serving over 4.5 million people in Greater Brasília. The University of Brasília has also reported similar attacks.
The attack raised major red flags within the Superior Electoral Court, as municipal elections are scheduled to take place on November 15. The court issued a statement saying it will beef up its data protection efforts to avoid any tampering with electoral data. It also clarified that Brazil’s electronic voting machines operate without being connected to the internet — and ballots are tallied through encrypted networks.
And one source within the federal government confirmed that General Augusto Heleno, the president’s chief security officer, has ordered a sweep of all networks used by Mr. Bolsonaro to identify any possible breach.
Brazil still unable to deal with sensitive data
Massive data breaches are nothing new in Brazil. In 2014, hackers used a phishing attack to invade Brazil’s Foreign Affairs Ministry’s internal communication system, stealing cables, email lists, passwords, and data from authorities in Brazil and abroad.
Three years prior, over 200 official websites were invaded — including those of the internal revenue services, Petrobras, the official statistics agency (IBGE), the Federal Police, and the presidency. IBGE data was accessed — and some was stolen — with official passwords of systems within the Sports Ministry being published online.
What this latest episode shows is that Brazil has learned nothing from its past mistakes and government systems remain highly vulnerable to malicious attacks. The hack comes just months after the country started to enforce its General Data Protection Law.
Fortunately for the hacked institutions, fines on data breaches (including against public bodies) will only be enforced late in 2021.
Additional reporting by Débora Álvares
This article was updated on November 5, 2020, at 6:30pm