Recorded Future detects escalation of ransomware attacks across LATAM government entities

Threat intelligence firm Recorded Future has identified several government entities in Latin America (LATAM) that have been affected by ransomware attacks, likely involving Russian or Russian-speaking hackers, beginning on or around April this year. The credibility of ransomware attacks on LATAM government entities is high, based on analysis of leaked sample data, threat actor indications, historical activities, patterns, and trends related to tracked ransomware operators and affiliates.

“If unaddressed, ransomware attacks on local, provincial, or federal government entities in LATAM could constitute a credible national and geopolitical security risk,” Recorded Future said in a post this week. “Entities in LATAM will remain attractive targets for ransomware operators and affiliates, as the region lacks the proper cybersecurity education, hygiene, and infrastructure to defend against such threats. If attacks on LATAM government entities were to escalate to target infrastructure and critical services, this would pose a significant national security risk,” it added.

The targeted countries include Costa Rica, Peru, Mexico, Ecuador, Brazil, and Argentina, all of which have publicly condemned Russia for invading Ukraine at the United Nations General Assembly (UNGA). In addition, some of these countries also voted to suspend Russia from the United Nations Human Rights Council (UNHRC) in early April 2022. Recently, national emergencies have been issued regarding these attacks, such as in Costa Rica. 

Recorded Future also assessed that the most likely attack vectors employed by ransomware affiliates targeting LATAM government entities include using compromised valid credentials obtained via infostealer infection, initial access broker sale, or purchase on a dark web shop or marketplace. “The targeting of LATAM government entities could represent an initial shift away from internal cybercriminal policies on the targeting of governments worldwide,” the post added.

The firm observed at least four high-credibility ransomware gangs targeting LATAM government entities, including Conti, ALPHV, LockBit 2.0, and BlackByte. These incidents constitute a significant escalation in ransomware targeting. Generally, ransomware affiliates avoid targeting healthcare facilities, K-12 educational institutions, international organizations, and local, provincial, or federal governments. 

“The risk of negative publicity and stigmatization on dark web and special-access forums, mainstream media attention, and international law enforcement activity increases dramatically once targets in these industries are attacked,” according to Recorded Future. “It is possible that the targeting of LATAM entities by presumably Russian or Russian-speaking ransomware gangs could mark the beginning of a paradigm shift in which targets previously internally sanctioned by the group could now become viable targets for ransomware operations,” the post added.

Recorded Future said that the most noteworthy of these targets is Conti’s attack on the government of Costa Rica, which resulted in the world’s first nationwide emergency declared as the result of a ransomware attack. The attack, likely perpetrated and publicized by ransomware affiliate or affiliate group ‘unc1756,’ also likely known as ‘wazawaka,’ has garnered widespread media and law enforcement attention. 

Since affiliates often work independently from the larger ransomware ‘brand,’ it is possible that the attacks on Costa Rica that Conti claimed are not the work of the larger group, Recorded Future said. “Conti has claimed to have exfiltrated, encrypted, or destroyed approximately 1TB of sensitive information related to the administration and operations of several Costa Rican entities. Previous Conti posts also made vague references to controlling public utilities such as water and electricity, likely indicating indirectly that the group had access to Costa Rican industrial control system / supervisory control and data acquisition (ICS/SCADA) environments. However, we are not able to verify these claims,” it added.

On April 16, 2022, the ransomware gang ALPHV (BlackCat) leaked an unspecified amount of compromised data related to the Municipality of Quito, Ecuador (quito[.]gob[.]ec), Recorded Future said. “This marked the first time that ALPHV targeted a government entity located in LATAM. According to Ecuadorian media, this attack took several services offline for an unspecified amount of time,” it added.

“As of April 25, 2022, all of the information claimed to have been exfiltrated by ALPHV is available to download for free on a .onion domain provided on the public-facing ALPHV extortion website with the same name,” according to Recorded Future. Compromised information likely includes sensitive financial, legal, and political documents related to the operations and administration of the Municipality of Quito, Ecuador. It added that this information could damage Ecuador’s national security if leveraged by an opportunistic threat actor, criminal, or nation-state.

The firm also said that on May 23, 2022, the LockBit 2.0 ransomware gang published to their blog leaked files related to the Secretary of Health of the State of Morelos, Mexico (saludparatodos[.]ssm[.]gob[.]mx). This breach was initially disclosed on or around May 16, 2022. This disclosure followed a previous claim on April 22, 2022, that LockBit 2.0 had compromised the network of the Secretary of State for Finance of Rio De Janeiro, Brazil (fazenda[.]rj[.]gov[.]br), it added.

Recorded Future assessed that the compromised information likely includes sensitive financial, legal, and political documents related to the operations and administration of these entities. If leveraged by an opportunistic threat actor, criminal, or nation-state, this information could be damaging to Mexico and Brazil’s national security.

“On May 21, 2022, the BlackByte ransomware operators published claims on their public-facing extortion website named BlackByte Blog that they had compromised the internal network of the Comptroller General of the Republic of Peru (contraloria[.]gob[.]pe),” Recorded Future said. “As of April 25, 2022, the BlackByte ransomware operators have not published any noteworthy data related to this government entity. This attack has yet to be confirmed by any representatives of the Comptroller General of Peru and has not been extensively reported on in Peruvian or Spanish-language media,” it added. 

As of this writing, “we cannot determine if this attack caused the disruption of critical services provided by the comptroller general, although it is likely that any detected service disruptions on the domain are related to this attack,” the post added.

Recorded Future has also anecdotally identified a noticeable increase in initial access brokerage (IAB) services on top-tier Russian-language dark web and special-access forums, such as XSS and Exploit, advertising low-cost compromised network access related to entities in LATAM. “We have also observed several high-profile database leaks related to entities in LATAM on low-tier and mid-tier English-speaking forums such as BreachForums, with data dumps spiking in April 2022,” it added.

Additionally, Recorded Future observed a significant increase in the sale of compromised credentials affecting LATAM government domains on dark web shops in the first and second quarters of this year, relative to last year. “These observations and trends could represent a paradigm shift in the ransomware and broader cybercriminal community related to ‘unwritten rules’ and internal group policies on the targeting of government entities,” the firm added.
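The defensive counterpart to the credential-sale trend described above is routine matching of leaked credential records against an organization's own domains. The following is an added illustration written for this article, not tooling from Recorded Future or from any of the agencies named; it uses the defanged domains that appear in the article as the monitored set, and the leak records, source names and dates are constructed sample data. It shows the two details that usually go wrong in such checks: refanging indicator notation (`[.]`, `(.)`, `hxxp`) before comparison, and matching on label boundaries so that a subdomain of a monitored domain counts but a look-alike domain does not.

```python
import re
from dataclasses import dataclass

# Monitored domains in the defanged form used in threat-intel reporting.
# These are the government domains named in the article.
MONITORED_DEFANGED = [
    "quito[.]gob[.]ec",
    "saludparatodos[.]ssm[.]gob[.]mx",
    "fazenda[.]rj[.]gov[.]br",
    "contraloria[.]gob[.]pe",
]


def refang(indicator: str) -> str:
    """Turn a defanged domain or URL back into its real form for matching.

    Handles the common conventions [.], (.), {.}, [dot] and hxxp(s)://.
    """
    s = indicator.strip().lower()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", s)
    s = re.sub(r"^hxxp", "http", s)
    return s


def host_matches(host: str, monitored: str) -> bool:
    """True if host equals the monitored domain or is a subdomain of it.

    The leading dot in the endswith check keeps 'notquito.gob.ec' from
    matching 'quito.gob.ec'.
    """
    host = host.lower().rstrip(".")
    monitored = monitored.lower().rstrip(".")
    return host == monitored or host.endswith("." + monitored)


@dataclass
class LeakRecord:
    """One credential-shop or forum listing (constructed shape, not a real feed format)."""
    source: str   # where the listing was seen (placeholder names below)
    email: str    # the account identifier offered for sale
    seen: str     # date the listing was observed, ISO format


# Constructed sample listings; none of these accounts are real.
SAMPLE_RECORDS = [
    LeakRecord("shop-A", "user.one@contraloria.gob.pe", "2022-04-03"),
    LeakRecord("shop-A", "user.two@mail.quito.gob.ec", "2022-04-11"),
    LeakRecord("forum-B", "user.three@notquito.gob.ec", "2022-04-12"),
    LeakRecord("shop-C", "User.Four@FAZENDA.RJ.GOV.BR", "2022-05-02"),
    LeakRecord("shop-C", "someone@example.com", "2022-05-02"),
    LeakRecord("forum-B", "malformed-record-without-at", "2022-05-09"),
]


def triage_leaks(records, monitored_defanged=MONITORED_DEFANGED):
    """Return (email, matched_domain, source, seen) for every record whose
    e-mail domain falls under a monitored government domain."""
    monitored = [refang(d) for d in monitored_defanged]
    hits = []
    for r in records:
        if "@" not in r.email:
            continue  # skip records that do not carry an e-mail identifier
        domain = r.email.rsplit("@", 1)[1]
        for m in monitored:
            if host_matches(domain, m):
                hits.append((r.email.lower(), m, r.source, r.seen))
                break
    return hits


def hits_per_month(hits):
    """Count matched listings per YYYY-MM so a spike like the one the article
    describes is visible at a glance."""
    counts = {}
    for _, _, _, seen in hits:
        month = seen[:7]
        counts[month] = counts.get(month, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage_leaks(SAMPLE_RECORDS)
    for email, domain, source, seen in found:
        print(f"{seen}  {source:8}  {email}  (under {domain})")
    print("per month:", hits_per_month(found))
```

In practice the monitored list would come from the organization's own domain inventory and the records from whatever leak feeds it subscribes to; the matching logic is the same. A hit is a trigger to force a password reset and review the account's recent sign-ins, since the article names purchased credentials as a likely initial access route.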

In April, Recorded Future said that it observed likely network intrusions targeting at least seven Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and electricity dispatch within these respective states. 
