“Only with investment can we build more resilient infrastructures ready for the increasing number of cyberattacks”
In light of the recent cyberattacks on the Agência para a Modernização Administrativa (AMA), we spoke with INESC-ID researcher Ricardo Chaves, from High-performance Computing Architectures and Systems.
Cyberattacks are becoming increasingly frequent, as was the case with the attack on AMA. Why is that?
Cyberattacks are becoming more frequent, whether motivated by financial issues or political or ideological reasons. Ransomware attacks, such as the one on AMA, are typically financially motivated. The more valuable the target, the higher the potential gain for the criminal. In AMA’s case, we are talking about critical infrastructure responsible for one of the most essential processes in the electronic world—individual identification and authentication. Specifically for AMA, this involves citizen identification, not only in relation to state services but also the entire civil society that links a service to a person’s identity. Compromising this essential service means compromising the entire chain dependent on it, which explains the impact of this attack.
Why did it take so long—over a week—to restore all functionalities?
In this type of attack, the criminal blocks access to the data and, consequently, to the correct functioning of the system, then demands money for unlocking it. Typically, the attacker encrypts the data with a cryptographic key known only to them, and only after payment is this key provided, allowing the victim to decrypt and regain access to their data. In these situations, there are two main ways to recover. One is to pay the attacker, thus encouraging this kind of attack. The other is to have the capability to restore the entire system using functional system backups.
In this case, the State, in my view wisely, did not pay. This left the option of restoring the system, though it appears that no functional backup was ready to immediately go online. They likely had to configure parts of the system, involving a thorough process of verification and credentialing to ensure that it could be safely and effectively restored for such a critical service.
Should citizens be concerned about the consequences of this attack and future attacks?
Although I am not familiar with the specific infrastructure used by AMA, this type of service is generally divided into two main layers: the interface layer, known as the frontend, and the server layer, known as the backend. The frontend handles the outside world, receiving user requests and interacting with the backend’s functional components. The frontend, by nature, is the most exposed part of the service and consequently more susceptible to attack. The backend runs functional processes related to identity management and citizen authentication.
To ensure a very high level of security, the critical core of the authentication process is handled in systems known as HSMs, or Hardware Security Modules. HSMs are very robust, simple-operating components where the cryptographic keys associated with each citizen are stored and used, never leaving these components. The simplicity of these components allows them to be designed to withstand almost any physical or logical attack, achieving an extremely high security level. It is therefore highly unlikely that these systems have been compromised.
What can we, as citizens, do to prevent this from happening again?
There is little that individual citizens can do to prevent this type of attack. However, we should always be aware of the risks and act to avoid unnecessary exposure. At a national level, we can exert political pressure to encourage greater investment in security and in the people who ensure it. Only with investment can we build more resilient infrastructures ready for the increasing number of cyberattacks. In the case of AMA and similar services, preparation is crucial. While we cannot prevent such attacks from recurring, we must be prepared for immediate recovery, such as having backup systems ready to take over when the main system goes down. Naturally, this comes at a cost, but as we saw with this attack, the cost of downtime is far greater.