Cyber Exploration: The Geostrategic Quest of APT Groups in LATAM

Updated: Oct 8

By Beatriz Pimenta Klein & Claire McKenzie Robertson

This research is the first part of the AdvIntel LATAM Series. To see other blogs within this series, please visit:

Part 1: Latin America Threat Landscape: The Paradox of Interconnectivity

Key Takeaways:

  • Latin American countries do not usually resort to APT (Advanced Persistent Threat) groups - state-sponsored actors who carry out cybercriminal activities to obtain strategic advantages. This is not a common practice in the region, but this reality may change in the near future. The growing interconnectivity of the region and the increase of highly skilled hacking groups can create an environment for the development of APT groups, especially in this new era of digital politics in the region.

  • The main hypothesis developed around the above-mentioned geopolitical trend of APT attacks in LATAM is that these criminal groups are interested in proprietary technologies, intellectual property, business processes, and other sorts of sensitive information. This data could be used to benefit other companies and governments, and these advantages might be financial and/or strategic.

  • One of the main purposes of state-sponsored threat activity is data theft. Whether a target was selected because of its competing standing in the global economy or because of its perceived weakness, an interesting observation can be made about the threat groups originating from the three non-LATAM countries mentioned. The chosen targets of the countries studied largely fall into three categories: the financial sector, political bodies, and, to a lesser extent, the energy sector.

  • An intriguing similarity between the infection methods employed in the region reveals that the APT groups do not necessarily resort to highly sophisticated or innovative tools. In effect, the case studies show that these groups employ rather well-known malware variants whose infection vector is usually a phishing email carrying an infected downloadable file. The malware variants employed have several surveillance and espionage capabilities that are relied upon over the long run. That such unremarkable techniques succeed highlights the dangerous vulnerability of strategic agencies in Latin American countries, an alarming issue for their national and regional security.


In 2013, global news networks extensively covered the US government’s campaign of State espionage. The whistleblower, Edward Snowden, a former CIA agent, was responsible for leaking confidential files that revealed a scheme of surveillance conducted by the National Security Agency not only in the North American territory but also abroad - in Europe and in Latin America. Latin American countries such as Brazil, Mexico, Venezuela, Argentina, Colombia, and Ecuador were targets of this operation, and their military and energy affairs were the main points of interest of the surveillance operations.

The Snowden episode was a watershed moment for cybersecurity and cyber defense in Latin America. The Armed Forces, State agencies, and embassies were all put on alert concerning their strategic and sensitive data.

Latin American countries do not usually resort to APT (Advanced Persistent Threat) groups - state-sponsored actors who carry out cybercriminal activities to obtain strategic advantages. This is not a common practice in the region, but this reality may change in the near future. The growing interconnectivity of the region and the increase of highly skilled hacking groups can create an environment for the development of APT groups, especially in this new era of digital politics in the region.

Despite the lack of documentation concerning any Latin American state-sponsored APT groups, the region is not shielded from this type of threat actor activity. Even if these groups are not state-sponsored (or no evidence of sponsorship has yet been found), some of them are born in the region. Some examples of APT groups that have conducted campaigns in the region and are believed to originate from it are Machete, APT-C-36 (aka Blind Eagle), Careto, Poseidon, and Packrat. In addition to other attribution challenges, the widespread use of Spanish across LATAM makes it difficult to pinpoint exactly where these groups operate.

Yet, there are extra-regional groups that may also conduct campaigns against Latin American public and private institutions - such as the allegedly Chinese Ke3chang. Threat group activity that may be attributed to Russia and North Korea has also been recorded affecting LATAM entities. Specific groups commonly attributed to Russia, such as APT28 (a.k.a. Fancy Bear), and North Korea’s Lazarus Group have recently turned their attention to Latin American entities.

The Latin American cyber threat landscape has seen a growing trend in financially motivated cybercrime. However, cyber threats related to strategic interests are still incipient in the region. APT groups do not employ the simple, traditional cybercriminal tools used to obtain quick financial gains. Instead, they design long campaigns, employing complex and efficient processes to maximize their gains - be they financial, intellectual, or strategic.

Geopolitical Trends

Latin America is a rich region in terms of raw materials, energy sources, mineral resources, and pharmacological potential. These resources largely determine the strategic and economic importance of LATAM. Combined with the lack of a robust apparatus of regional and national cyber defense, these factors leave LATAM seriously vulnerable to advanced persistent threats. Even the fast-growing digital financial sector is a likely prospective target for these sorts of threats.

Indeed, the largest share of APT attacks in the region concerns energy sources: 34% of the attacks targeted the Chemical Products/Manufacturing/Mining sectors. This percentage is significantly higher than the shares recorded for the same sectors elsewhere in the world, probably because of the sector's different comparative relevance across regions. APT attacks against Latin American local/regional governments correspond to 12% of all occurrences, the same percentage as attacks against the financial system. Attacks against federal governments correspond to 10% of all attacks.

The main hypothesis developed around the above-mentioned geopolitical trend of APT attacks in LATAM is that these criminal groups are interested in proprietary technologies, intellectual property, business processes, and other sorts of sensitive information. This data could be used to benefit other companies and governments, and these advantages might be financial and/or strategic.

Case studies

Five APT groups that are believed to be authentically Latin American were selected to illustrate this analysis: Machete, APT-C-36 (aka Blind Eagle), Careto, Poseidon, and Packrat.

Machete: Among the First Latin American APT State-Sponsored Groups

Machete (also called Ragua) is a cyber-espionage campaign run by a group operating under the same name. The group has still not been officially identified, so it is not possible to affirm that it is indeed an APT group, but its actions suggest that this might be the case. The first campaign was identified in 2014, but the group is said to have been active since at least 2010. Over these years, the campaigns' capabilities have changed slightly, but their purpose remains the same.

Machete targets mainly Spanish-speaking countries, and when it targeted other countries (such as Russia), the targets were the embassies of Spanish-speaking countries. The Machete malware's code is also written in Spanish, which makes it highly probable that the threat actors behind it come from a Latin American, Spanish-speaking country. The most attacked country was Venezuela, followed by Ecuador and Colombia. Between March and May 2019, at least 50 infected computers in Venezuela were identified contacting the Machete command-and-control servers.

The campaign targets mostly political and military-related victims. Through phishing emails and, to a lesser extent, infected fake blogs, the campaign targets victims interested in military information (such as the movement of troops) or in national political topics. These phishing emails usually contain external links to websites from which the victim downloads the piece of malware. Once a machine is infected, Machete's cyberespionage capabilities include keylogging (recording keystrokes), capturing screenshots, audio, and webcam pictures, and stealing and encrypting documents from local and removable drives - all over an extended period of time. These capabilities allow not only espionage and surveillance, but potentially extortion, too.

It is known that the group behind Machete is looking for sensitive military information - that is, collecting intelligence. They are interested in files that detail navigation routes and positioning using military grids.

All of the above-mentioned characteristics, namely the nature of the victims (political/military), the geolocation (Latin American countries), the tools employed (cyberespionage malware), and the operations’ duration indicate that Machete is probably an APT group state-sponsored by a Latin American country.

Blind Eagle, APT Group with Pro-Maduro Hacking Activities

The crisis in Venezuela, ongoing since 2013, has had diverse spin-offs. The country's internal situation produced an international reaction: mainly through economic sanctions, other countries have interfered in Venezuelan internal affairs. However, the digital era has also fostered a cyber response to political matters: APTs.

Blind Eagle, also called APT-C-36, is an APT group that has been active since April 2018 and whose targets are Colombian official institutions. Due to the timing of its activities and the use of the Spanish language in the malware variants employed, it is very likely that the group originates in a South American country. Other sources go further and claim that, due to specificities such as the time zone in which the group operates (GMT -5, the Colombian time zone) and its modus operandi, the group is Colombian.

The group has been conducting attack campaigns since late 2018, and their main targets are Colombian official agencies: the Colombian National Institute for the Blind, the Bank of Colombia, Ecopetrol (Colombian Petroleum Co.), and the Banco Agrario (a State financial institution). Yet they have also targeted other sectors, such as the privately-owned IMSA (a Colombian wheel manufacturer).

Through phishing emails, the cybercriminals pose as Colombian institutions, such as the Colombian National Cyber Police and the Office of the Attorney General. These emails contain links to a website from which the victim downloads a .rar file that implants a malware variant, either LimeRAT or, more frequently, Imminent Monitor RAT (IM-RAT), both of which are remote access trojans. Neither was developed by the cybercriminals behind Blind Eagle; both are publicly available malware. These trojans have surveillance and espionage capabilities, and IM-RAT specifically has the following features: audio/video capturing, live keylogging, disabling of anti-virus and anti-malware software, file/process management, file decoding, resource hijacking (especially for cryptocurrency mining), and more.

Using these remote access trojans, the group can steal intellectual property to harm Colombia. Pieces of evidence also suggest that the motivation behind the targeted attacks against Colombia specifically has to do with Colombian opposition to the Venezuelan Maduro regime. Some sources point out that these pro-Maduro hacking activities may indicate that Blind Eagle originated in Venezuela or in a country that supports Nicolas Maduro, such as Bolivia, Nicaragua, El Salvador, or Suriname. Even if it is not possible to specify exactly where the group operates from, it is clear that it is one of the first Latin American APT groups, and that the states in the region must be aware of this new trend.

Careto, the First APT State-Sponsored, Spanish-Speaking Group

Careto, The Mask, Mask, and Ugly Face are all names for the same phenomenon: a Spanish-speaking APT group. The group is believed to be the first cyberwar tool from the Spanish-speaking world, and for years it was considered the most sophisticated APT group in operation.

Careto was first detected in 2007, and over the years, attacks were registered in 31 countries worldwide. Its three most targeted countries are Morocco, Brazil, and the UK. The interesting detail about these attacks is that they targeted Spanish speakers within those (non-Spanish-speaking) countries.

The name Careto follows one of the two software variants used by the group in its campaigns: Careto is a general-purpose backdoor package. It collects system information and executes functions requested by the C&C infrastructure. The second backdoor, called SGH, is more complex. It works in kernel mode, which means it executes code at the privilege level of the core operating system components, with unrestricted access to the hardware - that is, it runs as a rootkit. Its function is also to steal files. The two backdoors, along with other components, make up a sophisticated campaign that could deeply compromise the infected machines and steal critical information. The attacks employed malware variants, a rootkit, and a bootkit (derived from the rootkit), and versions existed for Mac OS X, Linux, Android, and iOS.

Careto has a full range of cyber-espionage capabilities that include: keylogging, analysis of WiFi traffic (and interception of network traffic), screen capture, recording of Skype conversations (which in 2007 was a relevant feature), interception of the encryption program PGP to obtain keys, and collection of diverse files - which can include VPN configurations and RDP (Remote Desktop Protocol) files. The high level of professionalism and operational sophistication, plus the high costs involved in its operations (which have been estimated at least $5 billion in 2014), are pieces of evidence that most likely point to a state-sponsored group.

Its main targets, among others, are government institutions, diplomatic missions, research institutions, energy-sector companies, and activist groups. There is no single topic of interest, but the strategic nature of such targets may also indicate that Careto is a state-sponsored APT group from a Spanish-speaking country.

Despite Careto's sophisticated software combination, its infection methods are quite simplistic. It sends spear-phishing emails with links to malicious web pages that infect the machine and then redirect the user to a benign website. These URLs are usually related to political subjects or food recipes, or imitate popular Spanish-language newspapers or international ones such as The Guardian and The Washington Post.

The group's C&C servers were reportedly shut down in January 2014. However, an incident involving the Brazilian Army in November 2014 raises the question of whether the group is in fact inactive. Careto had managed to infect more than 560 machines in the Brazilian capital, Brasília, all of them related to the oil and gas sector. Those machines belonged to ministries, regulatory agencies, and state-owned companies. In a strategic move, the successful attack stole sensitive and critical files and information from the energy sector.

Poseidon, the First Portuguese-Speaking APT Group

Due to the widespread use of Spanish in LATAM, it is difficult to identify where hacker groups might be operating from. Yet Brazil is the only Portuguese-speaking country in the area, so Brazilian hackers might be easier to identify than their Latin American counterparts.

Poseidon has been identified as the first Brazilian APT group. Despite its use of a hybrid mix of programming languages, the presence of Brazilian Portuguese elements in its code indicates the group’s origin.

Samples of malware related to the Poseidon group have been popping up since the early 2000s, but its first official campaign took place in 2005. In the past 15 years, at least 35 companies have been identified as victims of Poseidon. These companies are based in the US, France, India, Russia, Brazil (the most targeted), Kazakhstan, and the United Arab Emirates. The targets are government agencies, financial institutions, energy companies, media companies, and telecommunication companies. Given the diversified nature of these companies, Poseidon is apparently interested in corporate information (related mainly to investments and stock valuations), technology, trade secrets, and occasionally the personally identifiable information (PII) of executives.

Poseidon Group is believed to be Brazilian due to a few factors. The first and most important of all is the use, in its code, of Brazilian Portuguese mannerisms, which are easily distinguishable from European Portuguese. The gerund is a distinctive feature of Brazilian Portuguese, used far more commonly in Brazil than in Portugal. Apart from that, specific word choices distinguish Brazilian from Portuguese hackers. For example, in Brazil, “mouse” is used in the English form, while in Portugal it is translated to “rato”; “screen” in Brazil is “tela”, while in Portugal it is “ecrã”.
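The dialect markers described above can be turned into a simple analyst aid for strings recovered from a sample. The following is an added example, not code from the article or from any vendor's tooling: beyond the mouse/rato and tela/ecrã pairs the article cites, the extra word pairs and the gerund versus "a + infinitive" grammar check are added here as assumptions about common Brazil/Portugal differences.

```python
"""Lexical attribution heuristic for Portuguese strings recovered from a
sample (e.g. `strings` output). Added illustration of the Brazilian-vs-
European markers discussed in the article; not the article's own code."""
import re
from collections import Counter

# Vocabulary pairs. The article cites mouse/rato and tela/ecrã; the other
# pairs are well-known Brazil/Portugal differences added here as an assumption.
BRAZILIAN = {"mouse", "tela", "arquivo", "usuário", "gerenciar"}
EUROPEAN = {"rato", "ecrã", "ficheiro", "utilizador", "gerir"}

# Grammar: Brazilian Portuguese forms the progressive with the gerund
# ("está enviando"); European Portuguese uses "a + infinitive" ("está a enviar").
GERUND = re.compile(r"\best\w*\s+(\w+(?:ando|endo|indo))\b")
A_INFINITIVE = re.compile(r"\best\w*\s+a\s+(\w+(?:ar|er|ir))\b")
WORD = re.compile(r"\w+")  # \w is Unicode-aware, so accented letters are kept


def score_strings(strings):
    """Count Brazilian vs European markers across recovered strings.

    Returns the counts, the matched evidence, and a coarse verdict. Single
    words are weak signals ("mouse" is also plain English, "rato" is the
    animal in both variants) and strings can be planted as a false flag,
    so treat the verdict as one input to attribution, not as proof.
    """
    hits = Counter()
    evidence = {"br": [], "pt": []}
    for s in strings:
        low = s.lower()
        for w in WORD.findall(low):
            if w in BRAZILIAN:
                hits["br"] += 1
                evidence["br"].append(w)
            elif w in EUROPEAN:
                hits["pt"] += 1
                evidence["pt"].append(w)
        for m in GERUND.finditer(low):
            hits["br"] += 1
            evidence["br"].append(m.group(0))
        for m in A_INFINITIVE.finditer(low):
            hits["pt"] += 1
            evidence["pt"].append(m.group(0))
    if hits["br"] == hits["pt"]:
        verdict = "inconclusive"
    elif hits["br"] > hits["pt"]:
        verdict = "brazilian"
    else:
        verdict = "european"
    return {"br": hits["br"], "pt": hits["pt"], "verdict": verdict,
            "evidence": evidence}


# Constructed strings modelled on RAT status messages; not from any real sample.
SAMPLE_STRINGS = [
    "Capturando tela do usuário",
    "Está enviando arquivo para o servidor",
    "Erro ao mover o mouse",
    "Connecting to C2...",
]

if __name__ == "__main__":
    print(score_strings(SAMPLE_STRINGS))
```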

The second factor that points to the Brazilian origin of Poseidon is the location of the group’s servers: most of them are located in Brazil, Colombia, and Venezuela - but there are also a few in the US and Greece. Interestingly, though, these servers, which host the group’s C&C, are not traditional. Poseidon uses servers “in the sky” (within the networks of the main wireless operators), “at sea” (within the Internet providers that serve ships), and on land, where servers are traditionally located.

The group resorts to simple tactics to infect the chosen target, notably phishing emails. For example, the Human Resources department of an entity is contacted via email by cybercriminals posing as interested applicants, who attach fake CVs for review. This .DOC file is embedded with malicious code that infects the victim’s system, after which the group is able to move laterally across the victim's network. The infection also triggers the creation of a backdoor, which allows the group to establish a permanent remote connection to the system. The malware employed stays in the system for extended periods of time, an attack pattern that resembles cyberespionage. It is essential to highlight that there is no factual evidence that Poseidon is working in cooperation with the Brazilian government.

The sensitive corporate information obtained is then used to blackmail the victims. An unnamed company threatens the victim company, and Poseidon Group is introduced as a security firm. If hired, Poseidon keeps monitoring the data, and the vulnerability cycle continues. Alternatively, if the company is unwilling to negotiate with the hackers, the obtained information is offered to competing companies for market analysis.

Packrat, a Latin American APT Group

Packrat, another APT group, active from at least 2008 to 2015, has not been confirmed to be state-sponsored. The group was involved in cyber-espionage activities, as well as information theft from high-profile politicians, journalists, and activists. Packrat targeted victims in Brazil, Venezuela, Ecuador, and Argentina - which suggests that the group is linked to, and/or financed by, a politically interested South American party.

Packrat did not use any new technological solution to target its victims. Instead, the group resorted to well-known RAT variants - such as CyberGate, XtremeRAT, AlienSpy, and Adzok - to infect its victims’ machines and obtain their information. In fact, more than 30 malware samples have been attributed to the group. Yet the group’s strength lay in its professional efforts to build coherent, convincing personas for non-existent organizations, which made its phishing emails look legitimate and let it spread the malware variants easily.

The first country targeted by Packrat was Brazil, mainly from 2008 to 2013, and the identity of those victims is still unknown. However, out of all the Latin American countries, Ecuador was the most frequently targeted, and from 2015 onward it has remained the group's main focus. Packrat resorted not only to malware infection but also to phishing email and SMS campaigns to target Ecuadorian government agents, government opponents, high-profile journalists, and parliamentarians.

After Brazil, the next victim was Argentina in 2014-2015. AlienSpy was used to infect the Android mobile phones of several controversial Argentinian political figures. As in Brazil, Packrat's activities in Argentina were mainly limited to malware infection and information gathering. Infection relied on political bait content that enticed victims into downloading an infected .ZIP or .DOC file. In Ecuador and Venezuela, however, the group’s activities went beyond those tactics.

In Venezuela and, most importantly, Ecuador, Packrat focused its efforts on the creation of fake political news websites and false opposition groups. The disinformation campaigns employed by the group were not necessarily for the sole purpose of malware infection. Instead, many web pages were designed and maintained for additional purposes that have yet to be clarified. Some hypotheses suggest that these pages were tools to identify, track, and manipulate target groups. It may also be that these pages aimed to spread misinformation as a political goal in itself - and here it is possible to speculate whether Packrat was sponsored by one or multiple states.