Cyber Exploration: The Geostrategic Quest of APT Groups in LATAM

By Beatriz Pimenta Klein & Claire McKenzie Robertson

This Research is the first part of the AdvIntel LATAM Series. To see other blogs within this series please visit:

Part 1: Latin America Threat Landscape: The Paradox of Interconnectivity

Key Takeaways:

  • Latin American countries do not usually resort to APT (Advanced Persistent Threat) groups - state-sponsored actors who carry out cybercriminal activities to obtain strategic advantages. This is not a common practice in the region, but this reality may change in the near future. The growing interconnectivity of the region and the increase of highly skilled hacking groups can create an environment for the development of APT groups, especially in this new era of digital politics in the region.

  • The main hypothesis developed around the above-mentioned geopolitical trend of APT attacks in LATAM is that these criminal groups are interested in proprietary technologies, intellectual property, business processes, and other sorts of sensitive information. This data could be used to benefit other companies and governments, and these advantages might be financial and/or strategic.

  • One of the main purposes of state-sponsored threat activity is to carry out data theft. Whether the chosen target was selected due to their competing standing in the global economy or their perceived weakness, an interesting observation can be made about the threat groups originating from the three non-LATAM countries exemplified. The chosen targets of the countries studied largely fall into three categories: the financial sector, political bodies, and, to a lesser extent, the energy sector.

  • An intriguing similarity between infection methods employed in the region reveals that the APT groups do not necessarily resort to highly sophisticated or innovative tools. In effect, the case studies demonstrate that these groups employ rather well-known malware variants whose infection vectors are usually related to phishing emails with an infected downloadable file. The malware variants employed have several surveillance and espionage capabilities that are relied upon in the long-run. The employment of unremarkable techniques typifies the dangerous vulnerability displayed by strategic agencies in Latin American countries, which represents an alarming issue to their national and regional security.


In 2013, global news networks extensively covered the US government’s campaign of State espionage. The whistleblower, Edward Snowden, a former CIA agent, was responsible for leaking confidential files that revealed a scheme of surveillance conducted by the National Security Agency not only in the North American territory but also abroad - in Europe and in Latin America. Latin American countries such as Brazil, Mexico, Venezuela, Argentina, Colombia, and Ecuador were targets of this operation, and their military and energy affairs were the main points of interest of the surveillance operations.

The Snowden episode was a watershed moment for cybersecurity and cyber defense in Latin America. The Armed Forces, State agencies, and embassies were all put on alert concerning their strategic and sensitive data.

Latin American countries do not usually resort to APT (Advanced Persistent Threat) groups - state-sponsored actors who carry out cybercriminal activities to obtain strategic advantages. This is not a common practice in the region, but this reality may change in the near future. The growing interconnectivity of the region and the increase of highly skilled hacking groups can create an environment for the development of APT groups, especially in this new era of digital politics in the region.

Despite the lack of documentation concerning any Latin American state-sponsored APT groups, the region is not shielded from the activity of this type from threat actors. Even if these groups are not (or no evidence has yet been found) state-sponsored, some of them are born in the region. Some examples of APT groups that have conducted campaigns in and are believed to be from the region are Machete, APT-36 (aka Blind Eagle), Careto, Poseidon, and Packrat. Additional to other group identification challenges, due to the widespread use of Spanish in LATAM, it is problematic to identify exactly where these groups might be operating.

Yet, there are extra-regional groups that may also conduct campaigns against Latin American public and private institutions - such as the allegedly Chinese Ke3chang. Threat group activity that may be attributed to Russia and North Korea have also been recorded affecting LATAM entities. Specific groups commonly attributed to Russia, such as APT28 (a.k.a. Fancy Bear) and North Korea’s Lazarus Group, have recently turned their attention to Latin American entities.

The Latin American cyber threat landscape has observed a crescent trend in financially-motivated cybercrime. However, cyber threats related to strategic interests are incipient events in the region. APT groups do not employ traditional simple cybercriminal tools to obtain quick financial advantages. Instead, they design long campaigns, employing complex and efficient processes to maximize their gains - be it financial, intellectual, or strategic gains.

Geopolitical Trends

Latin America is a rich region in terms of raw materials, energetic sources, mineral resources, and pharmacological potential. These resources are highly determinatives in what regards the strategic and economic importance of LATAM. Combining these factors with the lack of a robust apparatus of regional and national cyber defense, LATAM experiences a dire vulnerability in what regards potential advanced persistent threats. Even the fast-growing digital financial sector is a relevant prospective victim to these sorts of threats.

Indeed, the major incidence of APT attacks in the region regard energy sources: 34% of the attacks targeted the sectors of Chemical Products/Manufacturing/Mining. This percentage is significantly higher than the ones portrayed by the same sectors elsewhere in the world. This is probably due to the divergent comparative relevance of the sector across regions. APT attacks against Latin American local/regional governments correspond to 12% of all occurrences, which is the same percentage as attacks against the financial system. Attacks against Federal governments correspond to 10% of all attacks.

The main hypothesis developed around the above-mentioned geopolitical trend of APT attacks in LATAM is that these criminal groups are interested in proprietary technologies, intellectual property, business processes, and other sorts of sensitive information. This data could be used to benefit other companies and governments, and these advantages might be financial and/or strategic.

Case studies

Five APT groups that are believed to be authentically Latin American were selected to illustrate this analysis: Machete, APT-36 (aka Blind Eagle), Careto, Poseidon, and Packrat.

Machete: Among the First Latin American APT State-Sponsored Groups

Machete (also called Ragua) is a cyber-espionage campaign employed by a group operating under the same name. The group has still not been officially identified, so it is not possible to affirm that it is indeed an APT group, but their actions suggest that it might be the case. The first campaign was identified in 2014, but the group is said to be active at least since 2010. In these years, campaigns have been slightly altered regarding capabilities, but their purpose remains the same.

Machete targets mainly Spanish-speaking countries, and when it targeted other countries (such as Russia), the targets were the embassies of Spanish-speaking countries. The code of the Machete malware is also in the Spanish language, which denotes that it is highly probable that the threat actors behind it come from a Latin American, Spanish-speaking country. The most attacked countries were Venezuela, followed by Ecuador and Colombia. Between March and May 2019, at least 50 infected computers in Venezuela were identified to be contacting the Machete command-and-control servers.

The campaign targets mostly political and military-related victims. Through the use of phishing emails, and, to a lesser extent, infected fake blogs, the campaign targets victims interested in military information (such as the movement of troops, for instance) or in national political topics. These phishing emails usually contain external links to websites where the victim can download the piece of malware. Once infected, Machete has cyberespionage capabilities that include keylogging (recording keystrokes), capturing screenshots, audio, webcam pictures, stealing and encrypting documents from local and removable drives - all over an extended period of time. These capabilities allow not only espionage and surveillance, but potentially extortion, too.

It is known that the group behind Machete is looking for military sensitive information - collecting intelligence data. They are interested in files that detail navigation routes/positioning using military grids.

All of the above-mentioned characteristics, namely the nature of the victims (political/military), the geolocation (Latin American countries), the tools employed (cyberespionage malware), and the operations’ duration indicate that Machete is probably an APT group state-sponsored by a Latin American country.

Blind Eagle, APT Group with Pro-Maduro Hacking Activities

The crisis in Venezuela, ongoing since 2013, has had diverse spin-offs. Their internal situation produced an international reaction to the crisis: mainly through economic sanctions, other countries have interfered in the Venezuelan internal affairs. However, the digital era has also fostered a cyber response to political matters: APTs.

Blind Eagle, also called APT-C-36, is an APT group that has been active since April 2018 and whose target is Colombian official institutions. Due to the time of activities, and the use of the Spanish language in the malware variants employed, it is very likely that the group originates in a Southern American country. However, other sources claim that, due to some specificities, such as the time zone in which the group operates (GMT -5, the Colombian time zone), and their modus operandi, the group is Colombian.

The group has been conducting attack campaigns since late 2018, and their main targets are Colombian official agencies: the Colombian National Institute for the Blind, the Bank of Colombia, Ecopetrol (Colombian Petroleum Co.), and the Banco Agrario (a State financial institution). Yet they have also targeted other sectors, such as the privately-owned IMSA (a Colombian wheel manufacturer).

Through the use of phishing emails, the cybercriminals pose as Colombian institutions, such as the Colombian National Cyber Police and the Office of the Attorney General. These emails contain links to a website where the victims should download a .rar file, that will implant a malware variant - that can be LimeRat, or, more frequently, Imminent Monitor Rat (IM-RAT), both of which are remote access trojan variants. Both of these malware variants were not developed by the cybercriminals behind Blind Eagle, they are both public malware codes. These trojans have surveillance and espionage capabilities, and IM-RAT specifically has the following features: audio/video capturing, live keylogging, disabling of anti-virus and anti-malware software, file/process managing, file decoding, resource hijacking (especially related to cryptocurrency mining), and more.

Using these remote access trojan variants, the group can steal intellectual property to harm Colombia. Pieces of evidence also suggest that the motivation behind the targeted attacks specifically against Colombia has to do with the Colombian opposition to the Venezuelan Maduro regime. Some sources point out that these pro-Maduro hacking activities may indicate that Blind Eagle originated in Venezuela or in a country that supports Nicolas Maduro, such as Bolivia, Nicaragua, El Salvador, or Suriname. Even if it is not possible to specify exactly from where the group operates, it is clear that it is one of the first Latin American APT groups, and that the States in the region must be aware of this new trend.

Careto, the First APT State-Sponsored, Spanish-Speaking Group

Careto, The Mask, Mask, and Ugly Face are all synonyms to the same phenomenon: a Spanish-speaking APT group. The group is believed to be the first cyberwar tool from the Spanish-speaking world, and for years it was considered the most sophisticated APT group in operation.

Careto was first detected in 2007, and throughout the years, attacks were registered in 31 countries worldwide. Their top 3 targeted countries are Morocco, Brazil, and the UK. The interesting detail about these attacks is that they targeted Spanish-speakers within those (non-Spanish-speaking) countries.

The name Careto follows one of the two software variants used by the group in the campaigns: Careto is a backdoor package of general-purpose. It collects system information and executes some functions requested by the C&C structure. The second backdoor is called SGH, and it is more complex. It works in kernel mode, which means it executes codes where core operating system components run, with unrestricted access to the hardware - running a rootkit. Its function is also to steal files. The two backdoors, along with other components, create a sophisticated campaign that would deeply harm the infected machines and could steal critical information. The attacks employed malware variants, a rootkit, a bootkit (derivative from the rootkit), and it portrayed versions for Mac OS X, Linux, Android, and iOS.

Careto has a full range of cyber-espionage capabilities that include: keylogging, analysis of WiFi traffic (and interception of network traffic), screen capture, recording of Skype conversations (which in 2007 was a relevant feature), interception of the encryption program PGP to obtain keys, and collection of diverse files - which can include VPN configurations, and RDP (Remote Desktop Protocol) files. The high level of professionalism and operational sophistication, plus the high costs involved in their operations (which have been estimated to be at least $5 billion in 2014) are some pieces of evidence that most likely point to a state-sponsored group.

Their main targets, among others, are government institutions, diplomatic missions, research institutions, energy-sector companies, and activist groups. There is no single topic of interest, but due to the strategic nature of such targets, this behavior may also indicate that Careto is a state-sponsored APT group from a Spanish-speaking country.

Despite the sophisticated software combination of Careto, their infection methods are quite simplistic. They arm spear-phishing emails with links to malicious web pages that infect the machine and then redirect the user to a benign website. These URLs are usually related to political subjects, food recipes, or are related to popular Spanish-speaking newspapers or international ones, such as The Guardian and The Washington Post.

Their C&C server had been reportedly shut down as of January 2014. However, an incident that involved the Brazilian Army in November 2014 poses the question of whether the group is in fact inactive. Careto had managed to successfully infect more than 560 machines in the Brazilian capital, Brasília, all of which related to the oil and gas sector. Those machines were devices from ministries, regulating agencies, and state-owned companies. In a strategic move, the successful attack managed to steal sensitive and critical files, and information from the energy sector.

Poseidon, the First Portuguese-Speaking APT Group

Due to the widespread use of Spanish in LATAM, it is problematic to identify from where hacker groups might be operating. Yet, Brazil is the only Portuguese-speaking country in the area, so Brazilian hackers might be easier to identify than their Latin American counterparts.

Poseidon has been identified as the first Brazilian APT group. Despite the use of hybrid and diverse programming languages, the introduction of Brazilian Portuguese elements in their codes indicates the group’s origin.

Samples of malware related to the Poseidon group have been popping up since the early 2000s, but their first official campaign took place in 2005. In the past 15 years, at least 35 companies have been identified as victims of Poseidon. These companies are based in the US, France, India, Russia, Brazil (top #1 victim), Kazakhstan, and the United Arab Emirates. The targets are government agencies, financial institutions, energy companies, media companies, and telecommunication companies. Due to the diversified nature of these companies, Poseidon is apparently interested in corporate information (related mainly to investments and stock valuations), technology, trade secrets, and occasionally, personal information (PII) of executives.

Poseidon Group is believed to be Brazilian due to a few factors. The first and most important of all is the use, in their coding, of Brazilian Portuguese mannerism, which is easily distinguishable from European Portuguese. The use of the gerund is a distinctive feature of the Brazilian Portuguese, and its use is more common in Brazil than in Portugal. Apart from that, specific word choice distinguishes Brazilian from Portuguese hackers. For example, in Brazil, “mouse” is used in the English form, while in Portugal it is translated to “rato”; “screen” in Brazil is “tela”, while in Portugal, it is “ecrã”.

The second factor that points to the Brazilian origin of Poseidon is the location of the group’s servers: most of them are located in Brazil, Colombia, and Venezuela - but there are also a few located in the US and Greece. Interestingly, though, these servers, which host the group’s C&C, are not traditional. Poseidon resorts to servers located in the sky (within the main operators of wireless networks), in the sea (where Internet providers for ships are located), and on land, as traditionally servers are located.

The group resorts to simple tactics to infect the chosen target, notably, through the use of phishing emails. For example, the Human Resources department of an entity is contacted via email by cybercriminals who pretend to be interested applicants. To the email, they attach fake CVs for review. This .DOC file is embedded with malicious code that infects the victim’s system, and the group is then able to move laterally across the system. It also triggers the creation of a backdoor, which allows the group to establish a permanent remote connection to this system. The malware employed stays in the system for extended periods of time, an attack pattern that resembles cyberespionage. It is essential to highlight that there is no factual evidence that Poseidon is working in cooperation with the Brazilian government.

Sensitive corporate information obtained is offered to the victims using blackmailing tactics. An unnamed company threatens the victim company, and Poseidon Group is introduced as a security firm. If hired, Poseidon keeps monitoring data, and the vulnerability cycle continues. A second solution employed is, if the company is unwilling to negotiate with the hackers, the obtained information is offered to competing companies for market analysis.

Packrat, Latin American APT group

Packrat, another APT group, active from at least 2008 to 2015, has not been confirmed to be state-sponsored. The group was involved in cyber-espionage activities, as well as with information theft from high profile politicians, journalists, and activists. Packrat targeted victims in Brazil, Venezuela, Ecuador, and Argentina - which provides pieces of evidence that the group is involved with, and/or financed by some South American politically interested group.

Packrat did not use any sort of new technological solution to target its victims. Instead, the group resorted to famous RAT Trojan variants - such as CyberGate, XtremeRAT, AlienSpy, and Adzok - to infect its victim’s machines and get their information. In fact, more than 30 samples of malware were detected as used by the group. Yet, the group’s strength was based on its professional efforts to create coherent and robust fake information regarding non-existent organizations that would make the phishing emails look legitimate, and it could easily spread the malware variants employed.

The first country targeted by Packrat was Brazil, mainly from 2008 to 2013, and the identity of the victims is still unknown. However, out of all of the Latin American countries, Ecuador was the most frequently targeted. From 2015 onward, it continues to be the target focus of the group. Packrat not only resorted to malware infection, but also phishing email and SMS campaigns to target Ecuadorian government agents, government opponents, high-profile journalists, and parliamentarians.

After Brazil, the next victim was Argentina in 2014-2015. AlienSpy was used to infect Android mobile phones of different Argentinian controversial political figures. As with Brazil, the activities of Packrat in Argentina were mainly circumscribed to malware infection and information gathering. Malware infection could take place due to political bait content, which incentivized the victims to download a .ZIP or .DOC infected file. Yet, in Ecuador and Venezuela, the group’s activities went beyond those tactics.

In Venezuela and, most importantly, Ecuador, Packrat focused its efforts on the creation of fake political news websites and false opposition groups. The disinformation campaigns employed by the group were not necessarily for the sole purpose of malware infection. Instead, many web pages were designed and maintained for additional purposes yet to be clarified. Some hypotheses suggest that these pages were tools to identify, track, and manipulate target groups. It can also be that these pages aimed to spread misinformation as a political goal - and here it is possible to speculate whether Packrat was sponsored by one or multiple states.

Extra-Regional APT groups in LATAM

The emergence of LATAM as a desirable target, not only for Latin American-based threat groups but also for powerful state-sponsored from other regions, has resulted in a marked increase in malicious cyber activity. Unsurprisingly, suspected major players that have turned their attention toward LATAM in recent years originate from North Korea, Russia, and China. An analysis of four case studies will be used as a means of identifying cultural indicators of attribution partnered with the identification of possible reasons highlighting motivations for targeting LATAM entities. Common targets of cybercrime are Brazil, Mexico, and Chile.

Case Studies

North Korea: Lazarus Group/Bluenoroff

When thinking about state-sponsored threat groups, North Korea is oftentimes one of the first countries that come to mind. Known for their utilization of covert operations, North Korean threat actor groups frequently target entities affiliated with the financial sector; Lazarus Group is no exception. To successfully gain entry into their victim’s systems, threat actors often rely on spear-phishing campaigns. Once inside of a network, the threat groups utilize a host of tactics such as deploying strains of malware and tools used for the creation of botnets, data collection, and installation of backdoors.

Lazarus Group & Bluenoroff: Latin American Financial Institutions

Lazarus Group, the prolific and far-reaching APT group attributed to North Korea, has targeted LATAM banking institutions in multiple campaigns over the years. Tactics employed by Lazarus Group are distinctively offensive in nature - spear-phishing email campaigns, for example, that include compromised attachments within the emails. Spoofing web pages is also a common tactic attributed to Lazarus Group, which suggests that the group is highly organized and invests an incredible amount of energy in researching their potential targets.

In 2019, the Chilean interbank network Redbanc felt the force of a cyberattack most likely attributed to Lazarus Group after a malware toolkit identified as PowerRatankba was discovered on their systems. Attribution was solidified when known proprietary tools belonging to Lazarus Group within the toolkit were identified. The deployment of PowerRatankba occurred when an employee 0f the Chilean IT organization, Redbanc, accessed a malware-infested URL masquerading as a legitimate job posting on a social media site. While this attack pattern is rudimentary in nature, its success speaks to the lack of formalized cybersecurity practices in LATAM countries.

Lazarus Group and an off-shoot known as Bluenoroff, carried out a 2018 attack against LATAM financial institutions in which backdoors, identified by Trend Micro as BKDR_BINLODR.ZNFJ-A, were unknowingly installed onto the networks. Reportedly, the attack bore striking similarities to a 2017 attack on Asian financial institutions. This suggests that Asia served as the training ground for the attacks that ultimately branched out to LATAM.

2017, as previously mentioned, was a busy year for the North Korean group. What started out as a ransomware attack targeting financial institutions in Pyongyang, quickly snowballed into a global campaign. Most commonly attributed to Lazarus Group, the infamous ransomware, WannaCry, spread prolifically after its development. In Latin America, Mexico was one of the countries hit hardest by the ransomware, with special attention paid to its financial institutions.

In 2016, malicious activity targeting Latin American casinos and other smaller-scale financial institutions attributed to Bluenoroff was discovered after their larger-scale campaigns were interrupted in South East Asia. Targeting smaller entities in countries like Mexico, Peru, and Uruguay suggests that the threat group was exploiting the fact that those Latin American countries were, and continue to be, under-developed, impoverished, and ill-equipped to combat sophisticated cyberattacks. This is to say that the group Bluenoroff was motivated purely by monetary gain rather than for political, religious, or ideological reasons.

Russia: TA505, APT28, & REvil

Russia has proved itself a formidable enemy in the cyber realm. Employing the use of offensive techniques, whether, through the deployment of malware strains as a means of exfiltrating and recording sensitive data, cyber espionage to investigate their victim, or engaging in Ransomware-as-a-Service (RaaS) operations, suspected Russian threat groups have been expanding their range in the threat landscape in recent years. Frequently using other countries as their testing ground, Russian-based threat actors have a strong desire to hone their skills to carry out both state-sponsored and independent threat activity. The notable hack that the Ukrainian power grid suffered back in 2015 at the hands of a Russian-attributed threat group, “Sandworm”, served as a blueprint for what was to come: cyberespionage, sabotage against critical infrastructure, and increasingly elaborate internationally-focused cyberattacks.

TA505: Chilean Financial Institutions

Active since 2014, TA505 has frequently employed the usage of phishing email campaigns that contain such identified banking Trojans as Dridex and Shifu, with accompanying botnets like Neutrino. Unsurprisingly, ransomware is also used by the threat group to further exploit their victims.

In 2019, Chilean financial institutions were hit by a malware family identified as AMADAY. Deploying this specific variety of malware for the purposes of obtaining sensitive data in the form of client lists and correspondence, financial data, and other mission-critical information belonging to financial institutions is an identifiable attack pattern attributed to TA505. Believing that the emails were sent from trusted sources, employees within the financial organizations unknowingly downloaded the malware and accompanying tools onto their networks. A high degree of research went into mirroring linguistic patterns that would appear in business correspondence of such organizations is one way in which TA505 successfully fooled its victims. The care and effort that TA505 took in carrying out their phishing campaigns demonstrate an astonishing level of coordination and methodology.

As a group, TA505 further exemplifies their sophistication as the software they employed to execute their attacks was from a legitimate source. By doing so, tools bolstering the targeted entity’s threat detection systems were rendered ineffective as they recognized the software as coming from a valid source.

Financial institutions originating in Chile have been targeted by threat groups of varying nationalities in recent history, namely Russia and North Korea. As Chile is notably a high-income economy with one of the fastest-growing economies in Latin America, threat actors are cognizant of the benefits of targeting such entities within the country. Often with rapidly developing nations, the infrastructure cannot keep up with the changes. Gaps in knowledge of security-related issues, outdated networks, and even lack of government-mandated regulations all add to the growing list of vulnerabilities that can be exploited by threat actors given the opportunity. TA505 has certainly demonstrated that they are keeping a finger on the pulse of infrastructures operating on the global stage.

APT28 (Fancy Bear): South American Government Agency

APT28, commonly referred to as Fancy Bear, is one of the most infamous Russian threat groups in recent memory. Active since 2007, they notably targeted the United States presidential election in 2016. APT28 has since expanded their scope of interest to targets outside of the United States. Government entities affiliated with Latin America fell victim to the group’s nefarious activities in 2018. Seeking to obtain critical intelligence, APT28 employed the usage of malware as a means of covertly carrying out cyberespionage activities. Sofacy, the malware strain that is most frequently utilized by the group, contains two components: Trojan.Sofacy and Backdoor.SofacyX. The primary component, Trojan.Sofacy (aka Seduploader) covertly gathers information and carries the capability of downloading additional malware as needed. Backdoor.SofacyX (aka X-Agent), is a secondary malware strain that primarily steals information. As the years go by, APT28 continues to expand their repertoire of tools and attack techniques, which alludes to their high level of skill.

APT28 has known ties to the GRU, which suggests that it is a state-sponsored threat group, rather than a state-motivated crime syndicate. While the affected governmental entities were only identified by their region, South America, the attack was attributed to APT28 due to the discovery of proprietary toolsets. At first glance, this may seem like a careless oversight. However, as it is often difficult to assign attribution to threat groups, it is more likely that the group wanted to make themselves known. This assertion can be made especially given their history with conducting covert campaigns stretching over extended periods of time. The observed behavior of APT28 can be categorized as methodical, careful, and patient.

REvil: Chilean & Mexican Financial Institutions

REvil, also known as Sodinokibi, is a prolific ransomware gang that first appeared in 2019. Attributed to threat actors of Russian origin, the gang uses Ransomware-as-a-Service (RaaS) operations to carry out their attacks. The malware is introduced into the system through successful phishing email campaigns, but operators have also engaged in brute-forcing RDP credentials to gain access into the victim network. Credential harvesting techniques using tools like Mimikatz to perform lateral movement/privilege escalation within the victim network and network reconnaissance tactics are also frequently employed by REvil operators to further the impact of the infection. Additionally, the group pioneered what is known as double extortion, the threat of selling encrypted data on the DarkWeb, as a way of monetizing the illicitly-obtained sensitive information through multiple avenues. Recently, Latin America has been targeted by REvil operators, most notably Chile and Mexico.

In September 2020, BancoEstado, one of Chile’s three largest banks, fell victim to a ransomware attack. After the initial attack, there was no official confirmation that REvil was responsible. However, in an interview with an REvil representative “UNKN”, it was confirmed that REvil was responsible. In the aftermath of the attack, the Chilean bank was forced to shut down for several days after it was discovered that a significant number of internal servers and employee workstations were impacted.

Chile was not the only Latin American country affected by REvil. In August 2020, REvil targeted CIBanco, a Mexican bank. The bank confirmed that an attack occurred, but solidified that no sensitive information was accessed by the group. Upon investigation, it was discovered that the files leaked by REvil operators did contain sensitive information, but CIBanco representatives stated that there was no indication of the records’ authenticity or that the information belonged to affiliates of the bank. The attack, therefore, was considered unsuccessful.

China: APT15 (Ke3chang)

China has long since been a country that emphasizes gaining a competitive edge over its perceived opponents. Chinese-based threat actors often utilize offensive tactics to gain access to victim systems. Frequently employing the use of spear-phishing and cyberespionage, the main goal is to carry out data theft campaigns to gather critical information belonging to a variety of industry verticals. APT15 (aka Ke3chang) has turned to Latin American infrastructure as a rich source of industry-specific intellectual property.

APT15/Ke3chang: Central & South American Government Sector

Believed to have been active since 2010, the Chinese threat group APT15 (aka Ke3chang) is an especially interesting case because they continue to reuse and recycle their own strains of malware. The most recent strain is known as Ketrum. A variant of previously identified strains known as Okrum and Ketrican, Ketrum is a remote access trojan (RAT) that allows the threat actor to gain access to the victim’s system to run commands manually for further exploitation.

In July of 2019, APT15 targeted diplomatic missions belonging to the countries of Brazil, Chile, and Guatemala. Okrum, the malware utilized in these attacks, was used to establish backdoors into the victim systems as a way to establish a remote access connection. The malware payload, in the form of an encrypted malicious DLL, was distributed through the system using a seemingly benign .PNG image file. It is interesting to note that while the malware demonstrated a level of sophistication due to its usage of steganography to evade defensive measures, it was only able to carry out basic functions such as executing shell commands and uploading files.

However, the internationally-focused methodology and adaptability of APT15 are what make them truly dangerous. Okrum has been used not only in Latin American countries but also to target European entities, as well. This suggests that as a threat group, they are focused on maximizing their success. The threat group alters their malware to masquerade as seemingly legitimate domain names from the target country while navigating through network traffic. When targeting Latin American entities, for example, the domain name misiones.soportesisco[.]com was used.

Country Analysis

One of the main purposes of state-sponsored threat activity is to carry out data theft. Whether the chosen target was selected due to their competing standing in the global economy or their perceived weakness, an interesting observation can be made about the threat groups originating from the three non-LATAM countries exemplified. The chosen targets of the countries studied largely fall into three categories: the financial sector, political bodies, and, to a lesser extent, the energy sector.

While North Korean and Russian threat groups tend to focus on the financial sector, Chinese threat groups prefer targets in the government, energy, and even transportation sectors. Conversely, the attention that North Korean threat groups have paid to the Latin American financial sector suggests that they are closely monitoring the rapid development of Latin American economies, and are acutely aware of what vulnerabilities exist within their infrastructure due to this development. North Korea’s motivation behind targeting financial institutions is obvious when putting it into context. Crippling government sanctions affecting the economy spur an (overly) reactive and financially-influenced response from North Korean threat actors.

The overall picture that can be drawn from the five in-region case studies under analysis in this report displays a few interesting similarities regarding the groups’ actions. The first observation is the prominence of Brazil, Colombia, Venezuela, and Ecuador as recurrent targets of the APT groups. Secondly, a distinctive pattern emerges illustrating the most popular sectors targeted by the APT groups. Finally, the methodology of infection demonstrates strong similarities across APT groups.

The interests of intra-regional APT groups, as the case studies have demonstrated, are deeply linked to either the political or the energy sector. Venezuela has the biggest oil reserve in the world, which, combined with ideological moves that fostered international animosity towards the country, turns it into a vulnerable player in the global oil market; oil-related data theft might provide foreign intelligence with advantageous strategic information concerning price fluctuations and price destabilizing political turmoils. Colombia is a close US ally and defender of the latter’s interests in the region, potentially raising intra-regional antagonisms that may foment APT groups’ actions to obtain political and military information. Brazil is the wealthiest country in LATAM, is a larger producer of oil, has one of the greatest reserves of water and biodiversity in the world, and is one of the major political players in the region - thus data theft, both regarding corporate information and political data, provides a relevant geostrategic advantage to APT groups that obtain it. Last, but not least, Ecuador’s socio-economic profile follows a similar pattern to its Southern American peers; yet, its northern border region poses a complex challenge to the fragile country due to the presence of insurgent groups, narco-traffic, and other illegal activities under the monitoring presence of Colombian and North-American authorities: military and political monitoring is a valuable asset to APT groups, and may provide information about future Ecuadorian, Colombian, and North-American moves in the region.

As illustrated above, the interlinkage between socio-economic factors and geostrategic ones produces rather similar interest profiles to prominent Latin American countries in what regards potentially state-sponsored cybercrime.

Extra- & Intra-regional Groups

The national interests that ground the groups’ actions are distinct depending on their origins. While presumably Latin American APT groups focus their attacks on governmental agencies and institutions from the energy sector, extra-regional groups tend to aim at financial institutions and general data theft.

Intra-regional groups are likely to be working from a bottom-up approach of internal competition regarding regional leadership. Being that the energy sector is one of the most prominent sectors in Latin American economies, acquiring competitive advantages on the field might represent strengthened international projection and an internal increase of wealth. The same logic might be applied on a larger scale to what can be regarded as the espionage of neighboring countries. Extra-regional APT groups, contrastingly, work from a top-down approach. Targeting the financial sector and operating with data theft objectives might generate a ripple effect within the global economic sector at large, which may even impact the national development of the victim countries.

Targeted Sectors

As noted in the case studies, these APT groups were focusing mainly on governmental agencies and actors - such as diplomats, high profile politicians, military institutions - and energy-sector companies (state-owned or not). This sort of targeting denotes a politicized character regarding the actors behind APT groups, since they are openly gathering intelligence information either to sell it to other nation-States or the groups might even be part of the cybernetic force of some government else.

Since the fall of the oil prices in 2014, due to an imbalance between supply and demand, the sector has been witnessing a historical crisis - which acutely impacts fossil fuel supplier economies across the globe. The targeting of this specific sector in LATAM, a relevant oil producer, might be pointing at industrial espionage - related to corporate information (e.g. investments and stock valuations), technology, and trade secrets. This confidential information might benefit further supplier states or private companies elsewhere.


An intriguing similarity between infection methods employed in the region reveals that the APT groups do not necessarily resort to highly sophisticated or innovative tools. In effect, the case studies demonstrate that these groups employ rather well-known malware variants whose infection vectors are usually related to phishing emails with an infected downloadable file. The malware variants employed have several surveillance and espionage capabilities that are relied upon in the long-run. The employment of unremarkable techniques typifies the dangerous vulnerability displayed by strategic agencies in Latin American countries, which represents an alarming issue to their national and regional security.


While APT groups have not previously been attributed to Latin American countries, the presence of organized cybercrime groups like Machete, Blind Eagle, Careto, Poseidon, and Packrat suggest a shift in prioritized threat activity and a growing skillset. The identified patterned behavior regarding the selection of their next victims may assist in predicting future attacks and/or limiting the impact of successfully executed cyberattacks. However, given the shift in behavioral patterns of threat actors of Latin American origin, it is possible that Latin American cybercrime groups may begin to mimic the behaviors of well-established APT groups attributed to Russia, China, and North Korea. Regardless of their origin, APT groups will continue to shape the Latin American threat landscape and should determine the responsiveness of the region’s cybersecurity structure.

Advanced Intelligence is an elite threat prevention firm. We provide our customers with tailored support and access to the proprietary industry-leading “Andariel” Platform to achieve unmatched visibility into botnet breaches, underground and dark web economy, and mitigate any existing or emerging threats.

Beatriz Pimenta Klein was leading the Latin America cybercrime research project at AdvIntel through the year 2020. She graduated from the Federal University of Santa Catarina, Brazil, with a Bachelor's Degree in International Relations. Beatriz is currently a Master's student in International Security Studies at the University of Trento/Scuola Superiore Sant'Anna, Italy. This series presents the findings for Ms. Pimenta Klein's findings developed through the year 2020, during the author's time in AdvIntel. The author declares that there is no conflict of interest with her current work position.

Claire McKenzie Robertson is the Customer Success Manager at Advanced Intelligence, LLC. Her time at AdvIntel began as a Threat Analyst where she produced exclusive reporting on specific breach incidents like botnet infections and RDP compromises. Additionally, she engaged in investigations into threat activity presented on top-tier DarkWeb forums. She soon progressed to Intelligence Team Lead where she coordinated the intelligence reporting and weekly duties of the Security and Development Team. Claire holds an MS in Information Science from the State University of New York, Albany, and a BA in Language Studies with a minor in Education from the University of California at Santa Cruz.

Know Your Adversary & Disrupt Cybercrime Threats


© 2020 Advanced Intelligence, LLC.
New York City, NY. All rights reserved.

For media inquiries, please contact us at

Reach out and we will set up a platform demo right away
  • Белый LinkedIn Иконка
  • Белый Twitter Иконка