Latin America: Emerging Market & Target of Cybersecurity Risks
Latin America represents probably the largest conglomeration of countries that are jointly posting impressive economic growth, year after year. With Brazil, Mexico, Argentina, and Colombia leading by example, Venezuela, Chile, and Peru have shown significant promise. In the backdrop of an unenviable world economy, Latin America has quietly but surely performed. While the world is standing up and taking notice though, so are hackers.
Latin America saw an increase in the number of Distributed Denial of Service (DDoS) attacks under one gigabyte per second (Gbps), which in 2011 represented 96.16% of the total, a 1.47% increase from the attacks registered in 2010¹. In mid-2011, a group called “Anonymous” launched what they called the “Tormenta del sur” (Southern Storm) attack on the Chilean Government’s website, rendering it useless for about an hour².
Money, Money, Money…Must Be Funny
Hackers, like thieves, are motivated by money. In fact, for hackers there is an additional consideration – return on investment (ROI). Hackers and, more dangerously, commercial hacking groups look to maximize their ROI – to get the maximum possible rewards from their hacking efforts – and what better place to get precisely that than a Latin American market with a fresh influx of money and a burgeoning consumer-oriented economy.
There are also the existing criminal organizations that “outsource”. For instance, the Mexican drug cartel, La Familia, and Brazil’s criminal organization, Primeiro Comando da Capital (PCC), have acquired black market hackers who can assist with committing crimes that bring in cash³.
Did You Just Call My Country…?!
It doesn’t stop at money alone. Nationalism and patriotism sometimes spill out of control as well. For instance, back in late-2005, hackers from Chile and Peru were entangled in a cyber war in which no government website was spared – all thanks to a diplomatic dispute over fishing waters in the Pacific Ocean⁴. And then, in mid-2011, a hacker group, again called “Anonymous”, began an operation called “Free Andes” against both the Chilean and Peruvian governments for allegedly violating the freedom of expression and privacy of Internet users⁵.
Motivated by money, emotion, or propaganda, there are plenty of other examples as well – all of which point to the fact that the threats are real and clearly out there.
Doesn’t Concern Me
One might wonder where they or their organization fit into all this – they are not even the main players. The fact is – they could well be.
Consider a situation where a hacker or hacker group wants to carry out a DDoS attack against a target – let’s say a Government server. Given that a large number of computers will be required to carry out the attack, what if the hacker decides to first take control over a large farm of servers in your organization and then use this new army to attack the original target? Now your organization, once the innocent bystander, is suddenly the main protagonist. You will start with explaining to the Government how you were hacked, after which you could be held responsible for not protecting your organization appropriately. After all, if the weapon used for a crime is yours – the responsibility and due diligence to keep it in a safe place also needs to be yours. Your next, and real, problem will be the fact that your organization was just hacked and the information of your customers, employees, subcontractors/vendors, and just about any information considered sensitive to the organization was most likely compromised.
In The Eye Of The Storm
Consider another situation where your organization is the direct target – an organized cyber crime group decides to target your organization because you’ve had prolific growth in business over the past few years. They have various options. One option would be to target your information directly and test your organization’s cyber-security defenses and resolve. Another, and possibly better, option would be to unleash and keep adding bots to target your organization with a DDoS attack and then send you an extortion e-mail asking for money in return for stopping the attacks. It is critical to note that any action you take against this sort of attack can lead the attacker(s) to simply increase the number of bots targeting your organization. That, for them, is far cheaper than what you will likely expend in hiring a company that will help you protect against DDoS attacks (they will charge you based on the volume of bots targeting you, remember). Doing the math, you might even find that paying up the extortion money turns out to be a far cheaper option.
Organizations in the U.S. and other international locations that have, or are themselves, partnerships, branches, and/or affiliations with/in Latin America make prime targets as well. Assuming that the Latin American counterpart is secured well and has done all the due diligence, these offshore branches then become plum entry-points into the trusted internal network.
While we’re on the topic of commercial cyber crime groups, we’d like to also point you to our newsletter on Commercial Hacking⁶ from 2010, in case you haven’t already had a chance to read it.
With increasing requests and projects stemming out of the Latin American market resulting in an evolution of our own understanding of the cyber-security landscape in the Latin American market, and our own soft corner for the Latin American market given our roots and bilingual consulting team, we’ve made our first attempt at highlighting the ominous and real threat that the emerging Latin American market faces in cyberspace. In the future, we will again touch upon this key market that represents a new frontier for cyber-security. Until then, stay tuned!