In the first half of 2022, Costa Rica, Peru, Mexico, Ecuador, Brazil and Argentina were all targeted by Russian-speaking cybercriminal groups such as Conti. All of these countries had publicly condemned Russia at the UN for invading Ukraine, and some voted to suspend it from the UN Human Rights Council. Targets of cyber attackers include the Secretary of State for Finance of Rio de Janeiro, the Municipality of Quito in Ecuador, the Republic of Peru and Costa Rica. A state of national emergency was declared in Costa Rica after the government called a crippling attack an act of “cyberterrorism”. The Conti Group, which controversially supported the Russian state after its invasion of Ukraine, claimed responsibility for the attack, which resulted in the leak of 97% of the 672 GB of stolen data. He reportedly managed to compromise and install malware on a first network device belonging to the country’s Ministry of Finance, before collecting credentials from a virtual private network (VPN) that took him to the treasure trove of data.
This represents a significant escalation in the severity of attacks targeting government organizations. Like elementary and secondary schools, NGOs, and health organizations, governments have long been beyond the reach of ransomware affiliates, eager to avoid stigmatization and scrutiny by law enforcement. This position seems to have changed dramatically, which could have implications for governments around the world. If these groups now feel motivated to target a country critical of Russia, we could see the start of a dramatic increase in global incidents.
Ransomware targeting nation states
These include a long-running Iranian campaign against the ancient Albanian foe, which resulted in the July 2022 deployment of a disk-wipe and file-encryption system that wreaked havoc in the country. State actors had access to an Albanian government network for at least 14 months prior to the attack, during which time they stole and leaked sensitive documents. Initial access was gained by exploiting a vulnerability in SharePoint. Albania took the unprecedented step of cutting diplomatic ties with the Islamic Republic after this incident, which led to another attack in September 2022.
The former Yugoslav states of Montenegro and Bosnia and Herzegovina have also been victims of serious cyber attacks. The first is a “sustained and ongoing” campaign that first blamed the Montenegrin government on Russian state actors, before blaming the Cuba ransomware variant. The small Balkan country once had close ties with Moscow before joining NATO in 2017, and the attack came after a critical vote of no confidence in the government.
Last September, there was another ransomware attack targeting the government of Bosnia and Herzegovina, which was paralyzed for weeks. Faced with the parliament’s website going down and the main server going down, lawmakers were unable to access their email. While no attribution has been made so far, it is clear that Russia has a lot to gain by destabilizing the region, either directly or through the cybercriminal groups it harbors.
What attack techniques
Most of the organizations targeted by the first wave of attacks in Latin America appear to have been affected after attackers got their hands on compromised credential pairs and session cookies. They are usually obtained through targeted “infostealer” infections during phishing attacks and are sold by IABs. This highlights the relative immaturity of the public and private sector cybersecurity situation in the region. However, claims phishing is a universal problem that, in theory, can affect literally any organization, regardless of its security status.
Use best practices
Latin American governments should take a long-term look at education, training and internship programs to help build resources, fill cyber skills gaps and attract more people to the world. At the same time, like other countries, they need to strengthen their resilience against ransomware by adopting a set of best practices. This ranges from verifying incident response plans to validating the proper functioning of tools such as Intrusion Detection Systems (IDS) and Endpoint Detection and Response Systems (EDR). Network segmentation is also important because it helps limit the “reach” of a breach and protect organizational gems once attackers gain access to the network. Multi-factor authentication can help mitigate the potential impact of credential theft, while enhanced patching is an essential cyber hygiene best practice that reduces the scope of enterprise attacks.
These best practices should be coupled with more detections and better responses to address them. Threat intelligence, which includes current ransomware IoCs (Indicators of Compromise) and ransomware-related “Sigma Rules” signature files, combined with identity and certificate monitoring, also enables network security teams to always be one step ahead. Since the beginning of this year, ransomware activity appears to have increased significantly compared to 2021. According to a June 2022 estimate, the first quarter of 2022 alone saw more detections than the previous year. With the darkening of the geopolitical situation since last February and the Putin regime’s more combative rhetoric, things could get worse before it gets better. Understanding and managing cyber risk has never been more important.
- The difference between backup solutions and anti-ransomware tools
- US Sanctions Iran for Cyberattacks on Albania
- The BlackMatter Threat and Conti Ransomware
- Advances in Cloud Security, New Stronghold in the Fight Against Ransomware
- Why cyber resilience is essential