Vodafone Portugal network sabotage

Late on 7 February 2022, Vodafone Portugal suffered a sweeping network failure that the operator quickly attributed to "a deliberate and malicious cyberattack intended to cause damage and disruption." Rather than a data theft, this was a destructive sabotage event that severed connectivity for millions of people across Portugal and rippled into emergency and essential services.

What happened

The attack struck Vodafone's core network infrastructure on the evening of 7 February, knocking out services that depend on the data network: the 4G and 5G mobile network, fixed voice, SMS, television, and digital/voice customer-care channels. Vodafone Portugal serves more than four million mobile subscribers and roughly 3.4 million fixed home and business internet customers, so the blackout was felt nationwide almost immediately.

Vodafone did not publish technical detail on the intrusion vector, but the pattern — widespread system unavailability requiring days of rebuilding rather than a quick reboot — was consistent with a destructive attack against network management systems. The company emphasized that the operation appeared aimed squarely at causing disruption, not at extracting a ransom or exfiltrating data.

Impact

Millions of individuals, businesses and public bodies lost mobile and fixed connectivity. Reports noted knock-on effects on ambulance services, fire departments, hospitals and ATM networks that relied on Vodafone links.
Mobile voice was recovered across most of the country within about a day, but mobile data was initially available only over the legacy 3G network.
Restoration of 4G data began on 9 February, with services progressively re-established over the following days.
Vodafone stated it found no evidence that customer data was accessed or compromised.

Attribution

No threat actor publicly claimed responsibility, and Vodafone never named one. The Lapsus$ group, which had hit Portuguese media conglomerate Impresa weeks earlier, did not take credit. The absence of a ransom note or leak-site listing kept the incident in the category of anonymous network sabotage rather than financially-motivated ransomware.

Why it matters

The Vodafone Portugal outage is a stark illustration of telecom networks as critical national infrastructure. A single carrier-level compromise degraded emergency response, payment systems and everyday communications for a large share of a European country — without any data being stolen. It reinforced regulatory attention on operator resilience and incident response in the EU, where the NIS framework treats telecom providers as essential entities precisely because a deliberate outage can cascade into public-safety risk far beyond the company's own customers.

Timeline

February 7, 2022

A deliberate cyberattack hits Vodafone Portugal's network late in the evening, taking 4G/5G data, fixed voice, SMS and TV services offline nationwide.

February 8, 2022

Vodafone publicly confirms the incident as 'a deliberate and malicious cyberattack intended to cause damage and disruption'; mobile voice is largely restored and data runs only on 3G.

February 9, 2022

Restoration of 4G mobile data services begins as engineers rebuild affected systems.

February 10, 2022

Most services are progressively re-established; Vodafone reports no evidence that customer data was accessed.

Sources

vodafone.pthttps://www.vodafone.pt/en/press-releases/2022/2/cyberattack-on-vodafone-portugal.html

bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/vodafone-portugal-4g-and-5g-services-down-after-cyberattack/

therecord.mediahttps://therecord.media/cyberattack-brings-down-vodafone-portugal-mobile-voice-and-tv-services

portswigger.nethttps://portswigger.net/daily-swig/cyber-attack-at-vodafone-portugal-knocks-mobile-network-services-offline

securityaffairs.comhttps://securityaffairs.com/127799/cyber-crime/vodafone-portugal-massive-cyberattack.html

Related incidents

sabotageunresolvedJune 27, 2022

Iranian steel plants cyber-sabotage

Predatory Sparrow compromised industrial control systems at three major Iranian steelmakers, halting production and — in CCTV footage the group released — causing a machine at Khouzestan Steel to spew molten metal and fire across the factory floor.

Victim: Khouzestan Steel, Mobarakeh Steel & Hormozgan Steel

Vulnerability exploitContainedSeptember 22, 2022

Optus customer data breach

An unauthenticated API endpoint exposed personal data of 9.8 million current and former Optus customers — names, dates of birth, passport and driver's licence numbers — to a single anonymous attacker.

Victim: Optus (Singtel)
Loss: $140.0M
Records: 9.8M

RansomwareResolvedAugust 26, 2022

TAP Air Portugal ransomware breach

The Ragnar Locker ransomware gang breached Portugal's flag carrier, exfiltrating and later publishing 581 GB of data on roughly 1.5 million customers, exposing names, dates of birth, addresses and contact details for over 5 million email accounts.

Victim: TAP Air Portugal
Records: 1.5M

WiperContainedFebruary 24, 2022

Viasat KA-SAT AcidRain wiper

One hour before Russia's invasion of Ukraine, Sandworm operators deployed the AcidRain wiper against Viasat KA-SAT satellite modems, bricking ~30,000 European terminals and 5,800 German wind turbines and disabling Ukrainian military command-and-control.

Victim: Viasat KA-SAT (subscribers across Ukraine and Europe)
Loss: $100.0M