Brazil’s Cybersecurity Landscape: A Fusion of Global and Local Threats
In a new and comprehensive report, Google’s Threat Analysis Group (TAG) and Mandiant’s frontline intelligence team have detailed the unique and intricate cyber threat landscape facing Brazil. This South American giant, increasingly influential on the global stage, is grappling with a complex array of cyber threats that pose significant risks to individuals, organizations, and critical sectors across the nation.
Brazil’s digital infrastructure is under siege from both global and local cyber adversaries. The country’s rising economic and geopolitical stature has made it a prime target for cyber espionage groups from around the world. Prominent among these are state-sponsored actors from the People’s Republic of China (PRC), Russia, and North Korea. At the same time, a thriving domestic cybercriminal market adds another layer of complexity, with local threat actors specializing in account takeovers, carding, fraud, and banking malware.
Since 2020, cyber espionage groups from over a dozen countries have targeted Brazil. However, the majority of government-backed phishing activities—over 85%—originate from PRC, North Korean, and Russian groups. These actors have zeroed in on Brazil’s government, military, energy sector, aerospace, and even cryptocurrency firms.
PRC Cyber Espionage: PRC groups have been particularly active, accounting for more than 40% of phishing activity targeting Brazil. These groups use sophisticated tactics, including phishing, malware distribution, and exploiting known vulnerabilities, to infiltrate Brazilian government and military networks. A notable incident in August 2023 involved a PRC group targeting nearly two hundred users in a Brazilian executive branch organization with phishing emails containing malicious ZIP archives.
North Korean Actors: North Korean cyber actors, responsible for about a third of the phishing activity in Brazil, have focused on government entities, aerospace, technology, and financial services sectors. They have shown a particular interest in Brazilian cryptocurrency firms, employing tactics such as sending trojanized Python apps via social media to lure targets.
Russian Cyber Espionage: While Russian cyber espionage activities have diminished since the onset of the Ukraine war, groups like APT28 (FROZENLAKE) have a long history of targeting Brazil. This reduction in activity is likely due to Russia’s redirected focus on Ukraine and NATO targets.
The domestic cybercriminal landscape in Brazil is robust and sophisticated. Threat actors operate within a localized market, often coordinating through mobile apps and social media platforms like Telegram and WhatsApp, rather than traditional underground forums. These actors engage in various activities, including the sale of payment card data, credentials, phishing schemes, and the development of malware.
Targeting Pix Payment System: Brazil’s Pix payment platform has become a prime target for cybercriminals. Threat actors have distributed malware such as “GoPix” to hijack clipboard functionality for Pix transactions, redirecting funds to accounts controlled by the attackers.
Malware and Ransomware: Brazil also faces significant threats from ransomware and data theft. RANSOMHUB, a ransomware-as-a-service (RaaS) operation, lists Brazil as its second most targeted country after the United States. Brazilian organizations, especially in the technology, healthcare, and financial sectors, have been frequent victims.
Credential Phishing: Credential phishing remains a common threat. In 2023, Google disrupted a phishing operation by FLUXROOT, a group known for distributing the Grandoreiro banking malware. The group used cloud services like Azure and Dropbox to spread its malware.
As Brazil’s digital economy continues to grow, it is likely to face even more sophisticated and targeted cyber attacks. The report from Google and Mandiant serves as a wake-up call, emphasizing the need for ongoing collaboration between governments, businesses, and cybersecurity experts to safeguard Brazil’s digital future.