Cyber threat activity affects governments, businesses, and societies across Latin America and the Caribbean. Mandiant Threat Intelligence has observed financially motivated actors pursuing a variety of schemes in the region, including social engineering to trick individuals and businesses into transferring money to attacker-controlled accounts, and recruiting insiders at banks and telecommunications companies to facilitate money laundering and SIM swapping. State-sponsored actors linked to China, Russia, and Iran deploy cyber espionage and information operations to gather intelligence and persuade audiences to support their interests.
This blog post examines the specific threats and targets Mandiant observes in the region.
Financially Motivated Threats
We judge that financially motivated cyber threat activity is very common and has a serious impact on individuals and organizations in Latin America and the Caribbean. In addition to campaigns by actors that operate globally, such as FIN11 and UNC2053, we also track activity by regional actors. During the past several years we have noted Brazilian cybercrime actors expand the geographic scope of their targeting to include North America and Europe. We also observed evidence of increased collaboration between the Brazilian cybercrime community and those of other Latin American countries, including Mexico and Peru. Both trends could increase the threat posed by regional actors as they gain access to additional resources and expertise.
Since at least 2017, ransomware incidents have steadily become more frequent worldwide, and this trend has only accelerated during the coronavirus pandemic. Not only is ransomware more common, but threat actor innovations over the past several years have significantly increased the potential cost and damage of a ransomware infection. For example, throughout 2020, Mandiant Threat Intelligence observed threat actors incorporate data theft and extortion into ransomware operations, advertising stolen data on actor-operated websites.
We noted that advertisements for data stolen from organizations in Latin America and the Caribbean during ransomware incidents increased 550% from the first quarter of 2020 to the first quarter of 2021. This activity affected many countries, most frequently Brazil, Mexico, and Colombia (see Figure 1), and nearly every industry category, including the manufacturing, retail, and energy & utilities sectors. We identified websites associated with more than 15 different varieties of ransomware advertising data allegedly stolen from regional organizations; PYSA, SODINOKIBI, and EGREGOR were among the most prolific. For more details, please download the report in Mandiant Advantage.
Figure 1: Percentage of ransomware data theft advertisements in LAC by country
While our observations suggest that state-sponsored campaigns in the region are less frequent than cybercrime, these operations have the potential to cause significant damage.
We have seen Chinese attackers engage in operations likely intended to monitor developments relevant to China's Belt and Road Initiative, which seeks to expand China's trading routes. We noted multiple campaigns seeking to deploy EVILNUGGET malware against government targets, for example ahead of regional trade summits, as well as against construction and transportation entities.
We have also observed information operations associated with the Liberty Front Press network expressing support for Iran-sympathetic leaders in Venezuela and Bolivia.
Next Steps for CISOs
Latin America and the Caribbean face significant adversary activity, and organizations operating in the region should take steps to defend against and mitigate the effects of these threats. Best practices such as enforcing multifactor authentication, segmenting networks, patching regularly, and adhering to the principle of least privilege can help reduce exposure to many common types of threat activity. Tabletop exercises can also help security teams identify potential gaps in their security architecture and emergency plans.
Organizations may also focus their efforts by using the actionable insights from Mandiant Threat Intelligence, available through Mandiant Advantage. Intelligence helps organizations achieve visibility across the threat landscape and prioritize the threats that are most critical. We collect global Breach, Machine, Operational, and Adversarial intelligence to deliver the same real-time threat data and analytics on which our global experts rely.