SOCRadar® Cyber Intelligence Inc. | The Surge in Cyber Attacks on Latin American Governments


Jun 28, 2023

The Surge in Cyber Attacks on Latin American Governments

Latin America, a region bustling with potential and promise, has witnessed a worrying trend of escalating cyber threats directed at government entities. This surge in cyber attacks threatens the integrity of government databases and systems and unveils glaring vulnerabilities within the governmental infrastructure, necessitating a shift in the region’s cybersecurity approach.

For instance, on June 17, 2023, a threat actor named SiegedSec shared a post about an alleged leak from several organizations within the Colombian Government, such as the Government of Cauca, Integrated Health Services Network of the Southwest, and Autonomous Regional Corporation of Magdalena. The leaks allegedly include intranet documents, databases, user information, and organization details. Unfortunately, this is not an isolated incident but part of ongoing attacks targeting Latin American governments.

Announcement from SiegedSec regarding a recent data breach and an alleged data leak against the Colombian government.

Recent Cyber Attacks in Latin America

A comprehensive review of government hacking activities in Latin America by the Electronic Frontier Foundation revealed an increase in cyber-attacks throughout 2022. Government entities across various nations, including Ecuador, Chile, Colombia, and Costa Rica, fell victim to disruptive ransomware attacks, thus exposing the extent of their cyber vulnerabilities. In Costa Rica, the situation was so severe that it led to the President declaring a national emergency – a testament to the havoc such attacks can wreak.

The review spotlights two groups at the forefront of these aggressive cyber exploits: the ransomware group Conti and the hacktivist group Guacamaya. Conti focused its attacks on Costa Rica and the Intelligence Division of Peru’s Ministry of Interior, while Guacamaya leaked emails from various military institutions across Latin America. These leaks revealed repression and invasive surveillance within the region, causing a stir in the international community.

A report by the Insikt Group, which also covers recent attacks on Latin America, tracks ransomware groups such as ALPHV (BlackCat), LockBit 2.0, and BlackByte. These groups have caused significant disruption of services and potentially compromised sensitive data.

Despite the presence of national cybersecurity strategies, there are still notable gaps in capacity and security posture, leaving many Latin American countries vulnerable to such attacks. For instance, BlackCat leaked data from the Municipality of Quito, Ecuador, marking their first assault on a Latin American government entity. This attack led to the suspension of essential government services, causing inconvenience to many as they were unable to carry out procedures.

SOCRadar Dark Web Analysis and Insights

Leveraging our comprehensive threat intelligence capabilities at SOCRadar, we have been monitoring and analyzing the dark web for potential cyber threats against Latin American governments. Our research focuses on threat actors (especially ransomware groups), their activities, and chatter related to Latin America.

Our analysis covers the period from June 2021 through May 2023. Our data reveal a marked increase in posts relating to Latin American countries. In these discussions, we identified Brazil, Mexico, Argentina, Colombia, and Peru as the most frequently targeted countries. This indicates the increased interest of cybercriminals in the region, reflecting the rising number of attacks on these countries.

The graph shows the number of posts on the dark web targeting the Public Sector in Latin American countries. (Source: SOCRadar)

The dark web represents a significant portion of the internet, hidden from conventional search engines and only accessible through special software such as Tor. It’s a hotspot for illegal activities, including cybercrime. At SOCRadar, we consistently monitor and analyze dark web posts, particularly those involving potential cyber threats against government systems.

In the context of Latin America, we’ve noticed a steady growth in the number of dark web posts over the past two years, from just 6 posts in June 2021 to a peak of 33 posts in January 2023. This increasing trend underlines the growing interest of cybercriminals in the region. Analysis of the data also reveals that the total number of dark web posts relating to these attacks rose from a monthly average of 12.43 in 2021 to 20.8 in 2023. Among the various attack types, the posts predominantly involved the selling or sharing of compromised data or databases.

These posts on the dark web primarily fall into four categories: Sharing Data/Database, Selling Data/Database, Hack Announcements, Buying Data/Database, Partnership/Cooperation/Offer (Source: SOCRadar)

Sharing Data/Database (49.64%): These posts involve threat actors sharing stolen or hacked data from Latin American government databases. It’s particularly concerning because the shared data often contains sensitive information, which could be used for identity theft, financial fraud, or as an initial access point for further cyber attacks.

Selling Data/Database (47.20%): Nearly as common are posts where cybercriminals are selling data or access to compromised databases. This points to a thriving underground economy where data and access to systems are traded like commodities.

Hack Announcements (2.19%): Hack announcements are posts where a hacker or a group announces a successful breach. These posts serve as a form of advertisement for the hackers’ skills or services and often precede data leaks.

Buying Data/Database (0.73%) & Partnership/Cooperation/Offer (0.24%): Though less common, there are still posts where threat actors are looking to buy data or establish partnerships for potential cyber attacks.
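As an added illustration (not SOCRadar's own tooling, and not the method behind the percentages above), the following Python script shows one way an analyst could bucket dark web post titles into the categories listed here using ordered keyword rules and then compute the resulting distribution. The rule patterns, the category precedence, and the sample post titles are constructed for this example and are assumptions, not data from the report.

```python
import re
from collections import Counter

# Category labels as used in the report's breakdown.
SHARING = "Sharing Data/Database"
SELLING = "Selling Data/Database"
HACK = "Hack Announcements"
BUYING = "Buying Data/Database"
PARTNER = "Partnership/Cooperation/Offer"
UNKNOWN = "Uncategorized"

# Ordered keyword rules (constructed for this example, not a production ruleset).
# Order matters: a post that "sells a leaked database" is a sale, so the more
# specific intents are checked first and the generic breach announcement last.
RULES = [
    (BUYING, re.compile(r"\b(buy|buying|looking for|want to buy|wtb)\b", re.I)),
    (PARTNER, re.compile(r"\b(partner|partnership|cooperation|collab|affiliate)s?\b", re.I)),
    (SELLING, re.compile(r"\b(sell|selling|for sale|price)\b|\$\d+", re.I)),
    (SHARING, re.compile(r"\b(leak|leaked|free|download|dump|shared|sharing)\b", re.I)),
    (HACK, re.compile(r"\b(hacked|breached|defaced|compromised)\b", re.I)),
]


def classify_post(title: str) -> str:
    """Return the first matching category for a post title, or UNKNOWN."""
    for label, pattern in RULES:
        if pattern.search(title):
            return label
    return UNKNOWN


def categorize(titles) -> Counter:
    """Count posts per category."""
    return Counter(classify_post(t) for t in titles)


def distribution(titles) -> dict:
    """Percentage share of each category, rounded to two decimals."""
    counts = categorize(titles)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {label: round(100.0 * n / total, 2) for label, n in counts.items()}


# Constructed sample titles that mimic the style of forum posts; none are real.
SAMPLE_POSTS = [
    "[LEAK] Database of a Colombian municipality - free download",
    "Selling full access + DB of a Peruvian ministry, price $3000",
    "We have breached the network of a Brazilian state agency, data coming soon",
    "Looking for a Mexican government voter database, paying well",
    "Partnership offer: cooperation wanted for LatAm public sector data",
    "Argentina ministry email dump shared - 40k records",
    "selling access to a Chilean gov portal",
]

if __name__ == "__main__":
    for title in SAMPLE_POSTS:
        print(f"{classify_post(title):32s} <- {title}")
    for label, pct in sorted(distribution(SAMPLE_POSTS).items(), key=lambda kv: -kv[1]):
        print(f"{label:32s} {pct:6.2f}%")
```

Keyword rules like these are a first-pass triage aid; in practice an analyst reviews the unmatched and borderline titles by hand, and the precedence order is the main tuning knob when a post advertises a sale and a leak at the same time.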

Activities of Ransomware Groups

In a specific focus on ransomware groups, our research identifies a clear trend: groups like LockBit 2.0 & 3.0, BlackByte, and Conti are notably active within the Latin American region. During the defined time frame of our study, SOCRadar analysts tracked 469 instances of shared information related to distinct industries in Latin America. Of these, 36 cases pertained to the Public Sector, while 34 targeted a specific Latin American country.

Ransomware Group Activity in Latin America (Source: SOCRadar)

Upon analyzing the subject of the shares, it is evident that out of the 36 instances, 23 (nearly 64%) were used to announce the victims. Despite this, data from only 13 out of these 23 victims was exposed by the ransomware groups. Thus, it can be inferred that ten victims may have successfully negotiated some form of agreement with their respective ransomware attackers.

Ransomware Group Activity in Latin America (Source: SOCRadar)

It’s essential to observe that the prevalence and complexity of ransomware attacks worldwide, and specifically within the region, are on an upward trend. Ransomware groups have developed more sophisticated strategies such as double extortion. In such scenarios, attackers immobilize the victim’s data through encryption and also threaten to release the stolen data online. This increases the pressure on victims to pay the ransom.

While these statistics and reports are undoubtedly concerning, they underline the pressing need for strategic investments in IT security education, training, and infrastructure across the region. As noted by the Council on Foreign Relations, although progress in cybersecurity has been inconsistent, there are opportunities to turn the tide. Countries like Brazil and Chile, the region’s cyber-capable nations, are urged to advance regional cybersecurity cooperation.

Even though most Latin American countries have developed national cybersecurity strategies, significant gaps exist in capacity and overall security posture. Despite commendable efforts by countries such as Brazil, the Dominican Republic, and Mexico, there is a need for substantial improvements, particularly in the areas of IT security education and training.

It’s time for Latin America to reinforce its cybersecurity structures, moving towards a more secure and resilient future!