Russian ransomware gang BlackCat claims to have hacked Ecuador’s army, posting data from a military agency on its victim blog. If confirmed, it will be the latest in a spate of attacks on government departments in South American countries, which have been noted for often having poor cyber defences.
BlackCat, also known as ALPHV, posted the claims about the Ecuadorian Joint Command of the Armed Forces last night. The Joint Command is part of the nation’s Ministry of Defense. The gang claims to have information on soldiers, as well as other confidential data and, at the time of writing, the Joint Command website is offline. It is not known if a ransom demand has been issued or paid.
BlackCat has been active since last year, and is thought to be made up of members of other notorious gangs such as REvil, BlackMatter and DarkSide.
Its most recent victims include NJVC, an IT services provider to the US Department of Defense. It posted data from the company to its blog last month, stating: “We strongly recommend that you contact us to discuss your situation, otherwise the confidential data in our possession will be released in stages every 12 hours.” It is not known if the company complied with BlackCat’s demands.
The FBI recently released an advisory, warning the private sector about the gang and posting indicators that systems have been hit by its malware, stating that, as of March, the gang “had compromised at least 60 entities worldwide”.
Ecuador Army ransomware attack is latest breach in South America
This is the latest in a spate of attacks on government agencies in South America this year. In May another Russian-speaking cybercrime gang, Conti, committed a major attack on Costa Rica’s government, disrupting the services of 27 departments including the ministry of finance. Costa Rican president Rodrigo Chaves said at the time that the country was “at war” with Conti and declared a state of emergency.
Peru, Mexico, Brazil and Argentina have all been attacked by Russian-speaking cybercrime gangs in 2022 so far, with security researchers suggesting these attacks have been linked to their support for Ukraine in the war. All four have “publicly condemned Russia for invading Ukraine at the United Nations General Assembly (UNGA). Some of these countries also voted to suspend Russia from the United Nations Human Rights Council in early April,” says a report from Recorded Future.
Governments lack resources to fight back
Countries in South America may have been targeted for political reasons, but many of them also have insufficient cyber defences, said Louise Ferrett, a researcher at security company Searchlight Security. “South America has had a pretty terrible time of it in terms of cyberattacks in the past few years. It’s all happening at once and it does seem like these countries are seen as low-hanging fruit, an easier option,” she told Tech Monitor earlier this year.
This could be due to their economic status, as most are middle-income and developing countries, says a report by the Royal United Services Institute (RUSI) think tank. These governments have fewer resources to fight back than those in the global north. “This may be prompting a shift towards gaining or purchasing access to victims in developing and middle-income countries that are unable or unwilling to respond forcefully, thereby reducing the risk of blowback and unwanted attention,” the report says.
Interpol has acknowledged the focus of cybercriminals on South America. The international policing agency announced a new working group in September to help countries in the region tackle the problem. “Countries across the region now face attacks ranging from business email compromise and online scams to ransomware and money laundering,” Interpol said. The group met last month in Buenos Aires, bringing together over 90 participants from 32 member countries, four international organisations and 13 public and private bodies.