Impresa media group ransomware attack
The Lapsus$ group seized the Amazon Web Services account of Impresa, Portugal's largest media conglomerate, knocking the Expresso newspaper and SIC television channels offline, defacing their websites and hijacking Expresso's verified Twitter account in what authorities called the country's largest ransomware attack.
- Victim: Impresa (Expresso / SIC)
In the opening hours of 2022, the Lapsus$ extortion group struck Impresa, Portugal's largest media conglomerate and owner of the weekly newspaper Expresso and the SIC family of television channels. By seizing control of Impresa's cloud infrastructure, the attackers silenced two of the country's most influential newsrooms and turned their own platforms into ransom billboards.
What happened
Over the New Year's weekend, Lapsus$ compromised Impresa's Amazon Web Services (AWS) account, the backbone hosting the group's websites and digital publishing systems. With that access, the attackers defaced every Impresa property, replacing the Expresso and SIC homepages with a ransom note announcing that the company's data was in their hands.
The intrusion went beyond defacement. Lapsus$ hijacked Expresso's verified Twitter account, using it to mock the outlet (including a tweet declaring the group "the president of Portugal"), and sent text messages to Expresso subscribers to amplify the breach and pressure the company. Impresa publicly urged its audiences not to open or forward any communications appearing to come from its brands, since the attackers were impersonating them.
Impact
- The websites of Impresa, Expresso and the SIC channels were knocked offline and remained down for days into the new year.
- Expresso lost access to internal data and its digital archives, which held decades of its own journalism as well as content from other titles, severely hampering its ability to publish.
- Live TV broadcasts on SIC were disrupted around the attack, and the newsroom had to improvise publishing through social channels and a temporary site.
- Portuguese authorities characterised the incident as the largest ransomware attack in the country's history.
No ransom payment was reported, and the attack centred on disruption, extortion pressure and reputational humiliation rather than confirmed mass data exfiltration of customer records.
Attribution
Lapsus$ claimed the attack directly through its ransom note and the hijacked accounts. The group (later linked to a cluster of young, English-speaking actors operating largely through social engineering and account takeover) went on to breach major technology firms including Nvidia, Samsung, Microsoft and Okta in early 2022. The Impresa hit was one of its first high-profile operations and established its signature mix of brazen public taunting and cloud-account compromise.
Why it matters
The Impresa breach showed how a single compromised cloud account can take down an entire national media group, and how press freedom becomes collateral when newsrooms are targeted. By weaponising Impresa's own verified social channels, Lapsus$ demonstrated that the reputational and disinformation dimensions of an attack can rival the technical disruption: a warning that media organisations are high-value targets whose trusted platforms can be turned against their audiences.
Timeline
Over the New Year's weekend, the Lapsus$ group breaches Impresa, compromising its Amazon Web Services account.
Expresso's and SIC's websites are defaced with a Lapsus$ ransom note; the attackers hijack Expresso's verified Twitter account and send messages to subscribers.
The websites of Impresa, Expresso and the SIC channels remain offline days into the new year as the company warns audiences to ignore fraudulent communications.
Impresa gradually restores services; Portuguese authorities describe the incident as the largest ransomware attack in the country's history.