Cyber Threats Intensify in Mexico: Insights from Mandiant on Espionage and Extortion
A new report from Mandiant revealed the increasing cyber threats faced by Mexico, with a complex mix of global espionage and local cybercrime targeting both users and enterprises. As the world’s 12th largest economy, Mexico is an attractive target for cyber actors from nations like China, North Korea, and Russia, as well as financially motivated cybercriminals.
Since 2020, cyber espionage groups from over 10 nations have been detected attempting to infiltrate Mexican organizations. Among these, actors linked to the People’s Republic of China (PRC), North Korea, and Russia have been the most active, with China accounting for a third of government-backed phishing activity. Chinese actors are particularly focused on Mexico’s government agencies, education institutions, and news organizations, mirroring similar targeting patterns seen in regions where China has significant investments.
North Korean groups have targeted cryptocurrency firms and financial technology companies, while Russian cyber espionage efforts have decreased significantly since the start of the war in Ukraine, with resources being redirected to other regions.
The report also highlights the use of commercial spyware in Mexico, with journalists, human rights defenders, and political figures among the targets. These tools, often sold to governments or malicious actors, exploit vulnerabilities in consumer devices to monitor their targets. Spyware incidents, while targeting only a few individuals at a time, have far-reaching implications for press freedom and democratic integrity in Mexico.
Mandiant’s report emphasizes the sharp rise in ransomware and extortion operations in Mexico. From January 2023 to July 2024, Mexico ranked second in Latin America, only behind Brazil, in the number of data leak site (DLS) listings following ransomware attacks. Groups like LockBit, ALPHV, and 8BASE have been the most active in Mexico, with industries such as manufacturing, technology, and financial services being the primary targets.
Financial malware distribution campaigns remain a constant threat in Mexico, with attackers using tax- and finance-themed lures to trick victims into downloading malicious software. Groups like UNC4984 have been observed using spoofed Mexican government websites, including the Mexican Tax Administration Service (SAT), to distribute malware aimed at Mexican banks.
Additionally, UNC5176 has deployed URSA (Mispadu) malware through phishing campaigns, masquerading as emails from Mexico’s state-owned utility and using legitimate cloud services to host malicious files. These campaigns have targeted users across Mexico, Brazil, and other Latin American countries.
As Mexico continues to grow as a global economic player, it remains a high-value target for both nation-state espionage and cybercriminals. To safeguard against this evolving threat landscape, Mexican enterprises must adopt proactive cybersecurity measures and remain vigilant against emerging cyber threats. With actors from China, North Korea, and Russia continuing their campaigns, the need for robust defenses and cyber resilience has never been greater.