{ "id": "ec3f7922-149f-4280-a076-ad124f1ae9bb", "created_at": "2026-04-06T00:22:16.504499Z", "updated_at": "2026-04-10T03:28:46.823752Z", "deleted_at": null, "sha1_hash": "9515adca0e46ca3008a356fb833f0208e6078f9a", "title": "Lapsus$ ransomware gang hits SIC, Portugal's largest TV channel", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 150247, "plain_text": "Lapsus$ ransomware gang hits SIC, Portugal's largest TV channel\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-09 · Archived: 2026-04-05 14:36:33 UTC\r\nThe Lapsus$ ransomware gang has hacked and is currently extorting Impresa, the largest media conglomerate in\r\nPortugal and the owner of SIC and Expresso, the country's largest TV channel and weekly newspaper,\r\nrespectively.\r\nThe attack has taken place over the New Year holiday and has hit the company's online IT server infrastructure.\r\nWebsites for the Impressa group, Expresso, and all the SIC TV channels are currently offline.\r\nNational airwave and cable TV broadcasts are operating normally, but the attack has taken down SIC's internet\r\nstreaming capabilities.\r\nThe Lapsus$ group took credit for the attack by defacing all of Impressa's sites with a ransom note (pictured at the\r\ntop of this article). Besides a ransom request, the message claims that the group has gained access to Impresa's\r\nAmazon Web Services account.\r\nImpresa staff appeared to have regained control over this account earlier today when all the sites were put into\r\nmaintenance mode, but the attackers immediately tweeted from Expresso's verified Twitter account to show that\r\nthey still had access to company resources.\r\nhttps://therecord.media/lapsus-ransomware-gang-hits-sic-portugals-largest-tv-channel/\r\nPage 1 of 3\n\nThe Impresa attack is one of the largest cybersecurity incidents in Portugal's history. Impresa is, by far, the\r\ncountry's largest media conglomerate.\r\nAccording to September 2021 TV ratings, SIC and all its secondary channels dominate the TV market, while\r\nExpresso has the largest circulation numbers for weekly periodicals. Nonetheless, Impressa also owns many other\r\nmedia companies and magazines, all of which are currently most likely impacted by the attack as well.\r\nPrior to the Impressa attack, the Lapsus$ group has also hacked and ransomed Brazil's Ministry of Health, and\r\nClaro and Embratel, two South American telecommunication providers.\r\nMembers of the Lapsus$ group have not returned a request for comment sent via email. An Impresa spokesperson\r\nrefused to comment on the attack.\r\nThis is the second ransom attack over the winter holiday that has hit a media conglomerate after the Ryuk gang hit\r\nTribune Publishing, owner of the LA Times, in December 2018.\r\nDespite warnings from US and German authorities, cyberattacks did not make too many waves during the recently\r\npassed winter holidays.\r\nhttps://therecord.media/lapsus-ransomware-gang-hits-sic-portugals-largest-tv-channel/\r\nPage 2 of 3\n\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/lapsus-ransomware-gang-hits-sic-portugals-largest-tv-channel/\r\nhttps://therecord.media/lapsus-ransomware-gang-hits-sic-portugals-largest-tv-channel/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://therecord.media/lapsus-ransomware-gang-hits-sic-portugals-largest-tv-channel/" ], "report_names": [ "lapsus-ransomware-gang-hits-sic-portugals-largest-tv-channel" ], "threat_actors": [ { "id": "be5097b2-a70f-490f-8c06-250773692fae", "created_at": "2022-10-27T08:27:13.22631Z", "updated_at": "2026-04-10T02:00:05.311385Z", "deleted_at": null, "main_name": "LAPSUS$", "aliases": [ "LAPSUS$", "DEV-0537", "Strawberry Tempest" ], "source_name": "MITRE:LAPSUS$", "tools": [ "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "d4b9608d-af69-43bc-a08a-38167ac6306a", "created_at": "2023-01-06T13:46:39.335061Z", "updated_at": "2026-04-10T02:00:03.291149Z", "deleted_at": null, "main_name": "LAPSUS", "aliases": [ "Lapsus", "LAPSUS$", "DEV-0537", "SLIPPY SPIDER", "Strawberry Tempest", "UNC3661" ], "source_name": "MISPGALAXY:LAPSUS", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2347282d-6b88-4fbe-b816-16b156c285ac", "created_at": "2024-06-19T02:03:08.099397Z", "updated_at": "2026-04-10T02:00:03.663831Z", "deleted_at": null, "main_name": "GOLD RAINFOREST", "aliases": [ "Lapsus$", "Slippy Spider ", "Strawberry Tempest " ], "source_name": "Secureworks:GOLD RAINFOREST", "tools": [ "Mimikatz" ], "source_id": "Secureworks", "reports": null }, { "id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b", "created_at": "2022-10-25T16:07:24.503878Z", "updated_at": "2026-04-10T02:00:05.014316Z", "deleted_at": null, "main_name": "Lapsus$", "aliases": [ "DEV-0537", "G1004", "Slippy Spider", "Strawberry Tempest" ], "source_name": "ETDA:Lapsus$", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434936, "ts_updated_at": 1775791726, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9515adca0e46ca3008a356fb833f0208e6078f9a.pdf", "text": "https://archive.orkl.eu/9515adca0e46ca3008a356fb833f0208e6078f9a.txt", "img": "https://archive.orkl.eu/9515adca0e46ca3008a356fb833f0208e6078f9a.jpg" } }