#AimedAgainstMexico | Explore Tumblr Posts and Blogs

govindhtech · 11 days

Text

Operations Of Cyber Espionage Aimed Against Mexico

Cyber Espionage news

With the twelfth-biggest economy globally, Mexico attracts the attention of cyber espionage actors from several countries, whose targeting strategies reflect broader goals and priority areas observed elsewhere. Cyber espionage groups from over ten nations have been targeting Mexican users since 2020; however, groups from the People’s Republic of China (PRC), North Korea, and Russia account for over seventy-seven percent of government-sponsored phishing activity.

The examples provided illustrate both historical and contemporary instances of cyber espionage entities targeting Mexican consumers and organizations. It should be mentioned that these campaigns only discuss targeting; they don’t provide instances of successful exploitation or compromise.

- Advertisement -

China Cyber Espionage

Cyber espionage by the PRC Aims for Mexico

Seven cyber espionage outfits with ties to the PRC have been spotted targeting users in Mexico since 2020; these entities account for one-third of the government-backed phishing activity in the nation.

The extent of PRC cyber espionage is comparable to that of other areas, such those included in China’s Belt and Road Initiative, where Chinese government funding has been concentrated. Apart from their actions directed on Gmail users, groups supported by the PRC have also targeted journalistic organizations, higher education establishments, and government entities in Mexico.

North Korea Cyber Espionage

Groups Supported by the North Korean Government Aim for Mexico

Since 2020, about 18% of government-sponsored phishing attacks against Mexico have been carried out by cybercriminals from North Korea. Businesses that deal with cryptocurrencies and financial technology have received special attention, much as their targeting interests in other locations.

The threat posed by North Korean individuals working covertly in organizations to perform various IT functions is one of the new trends Google cloud is seeing around the world from North Korea. Given the historical activities of North Korean threat actors in Mexico and the difficulties related to the widespread issue of North Korean actors seeking work abroad, stress the possibility that this threat will pose a concern to Mexican firms in the future.

- Advertisement -

Russia Cyber Espionage

Mexico Is the Target of Russian Cyber Espionage Activity

Since the beginning of Russia’s war in Ukraine, Russian cyber espionage groups have been targeting users in Mexico on a regular basis. This is likely due to Russia’s efforts to concentrate resources on targets in Ukraine and the North Atlantic Treaty Organization (NATO) in the context of the Russia-Ukraine war. Nevertheless, Russian activity targeting Mexico has significantly decreased. Out of the four Russia-backed groups that have been seen attacking Mexico, APT28 is responsible for more than 95% of the associated phishing activity.

About one-fifth of government-sponsored phishing attacks targeting Mexico since 2020 have been traced back to Russian cyber criminals. But in 2023 and 2024, less than 1% of government-sponsored phishing attacks directed towards Mexico are coming from Russian cyber actors.

Providers of Commercial Surveillance

Spyware is commonly employed to observe and gather information from individuals who pose a risk, such as opposition-party leaders, journalists, human rights advocates, and dissidents. The increased demand for spyware technology due to these capabilities has created a profitable industry that sells the capacity to exploit vulnerabilities in consumer devices to governments and unscrupulous parties. Google provides a number of features to help shield people who pose a high risk from internet dangers.

Many incidents of spyware being used to target various segments of Mexican civil society, such as journalists, activists, government officials, and their families in Mexico, have been documented by open sources over the past few years. TAG has previously drawn attention to the detrimental effects of commercial spyware tools, such as the spread of sophisticated Cyber Espionage threat capabilities to new sponsors and operators, the rise in the discovery and exploitation of zero-day vulnerabilities, and harm to the tools’ targets.

Even though the use of spyware usually only has a limited influence on a few human targets at a time, its broader effects are felt globally as a result of the growing dangers to free expression, the free press, and the integrity of democratic processes all around the world. TAG is still finding evidence of multiple commercial surveillance companies doing business in Mexico. TAG saw malware being deployed in Mexico with lures that have a Mexican news theme as recently as April 2024.

Perspectives on Cybercrime Aimed at Users and Businesses in Mexico

Mexico is frequently faced with a moderately significant threat from cybercrime. Notably, Google cloud have noticed a range of activities, such as threat actors selling compromised credentials and/or access, targeting banking credentials, cryptomining, and ransomware and extortion. TAG is still looking for and stopping a variety of financially driven organizations and users in Mexico.

Among these, the first four most often observed groups over the last year included three that were first access brokers for extortion groups. Threat actors have been observed by Mandiant to use a range of initial access vectors, such as password spraying, phishing, malware, and infected USB devices. Threat actors offering compromised access and/or credentials for sale, cryptomining, ransomware, and extortion operations were among the threat activities that this initial access later facilitated.

Mexico is subject to threat activities from actors predominantly operating in Latin America as well as global operations, similar to other countries in the region. Using banking trojans like METAMORFO dubbed “Horabot,” BBtok, and JanelaRAT, as well as other methods, a considerable number of campaigns that have been reported concentrate on obtaining login credentials for banking or other financial accounts. It seems that a large number of threat actors operating in the Latin American underground concentrate on easier activities like credit card theft and fraud, where they can make quick and easy earnings.

Mexico’s Effects of Extortion

Organizations in all countries and industries, including Mexico, are still being impacted by extortion operations, which result in large financial losses and disruption of business. These operations include ransomware, multidimensional ransomware, and extortion. Please refer to blog post, Ransomware Protection and Containment Strategies: Practical Guidance for Hardening and Protecting Infrastructure, Identities, and Endpoints, as well as the related white paper, for comprehensive instructions on defensive tactics against ransomware.

Mandiant monitors a number of data leak sites (DLSs) that are devoted to disclosing victim data after ransomware and/or extortion attacks where the targets decline to comply with a ransom demand. From January 2023 to July 2024, counts of DLS listings showed that, although the global distribution of extortion activity as indicated by DLS listings continues to be heavily skewed towards the U.S., Canada, and Western Europe, Mexico was the nation in Latin America and the Caribbean most affected by ransomware and extortion operations, with Brazil coming in second.

In Mexico, the industries most commonly affected include manufacturing, technology, financial services, and government. LockBit, ALPHV, and 8BASE are among the DLSs that list Mexican organizations the most frequently.

Disseminating malware by pretending to be official government services

Tax and finance-themed lures are often used in malware distribution operations aimed at Mexican users, with the goal of tricking receivers into opening harmful links or files. Mandiant saw UNC4984 activity spreading the SIMPLELOADER downloader or malicious browser extensions during 2023 and early 2024.

The group used a variety of distribution methods, including as email lures, to spread the malware. The malicious websites used in these operations frequently pose as Chilean or Mexican government websites dealing with taxes or finance, and the malicious browser extensions target bank institutions in Mexico specifically.

Another financially driven gang, identified as UNC5176, compromises individuals from a number of nations, including Brazil, Mexico, Chile, and Spain, using emails and malicious advertisement campaigns. Mandiant discovered several malicious email campaigns that were spoofing Mexico’s state-owned power utility, Comisión Federal de Electricidad, in December 2023.

These efforts distributed the URSA backdoor to Latin American enterprises across many industries. Via malicious PDF attachments with an embedded link to a ZIP download, a UNC5176 phishing effort transmitted URSA to enterprises mostly based in Latin America in April 2024. In certain cases, the ZIP archives were stored and obtained from reputable file-hosting platforms like Dropbox, a Azure, S3 buckets, and Github.

In summary

Threat actors will continue to find Mexico to be a desirable target for a variety of reasons. Long-standing risks come from international cyber espionage actors, including cybercriminals from the PRC, North Korea, and Russia. Recognizing this particular interaction of threats and taking a proactive approach to cybersecurity are critical for protecting Mexican businesses and users.