In March, there were massive, days-long power outages in Venezuela, causing several fatalities and pushing the South American country into turmoil that has continued to the present day.
Around the same time as the first outages, a cyber-espionage group — dubbed “Machete” by ESET — began siphoning off gigabytes of confidential documents from Venezuela’s military in a successful campaign that is ongoing, according to new research from ESET.
While there are some compromised computers in Ecuador, Colombia, and Nicaragua, the primary focus is Venezuela, as over half of the compromised computers in the campaign belong to the Venezuelan military, according to the Slovakian cybersecurity company.
ESET researchers write that until May of this year, more than 50 computers were actively communicating with the attackers’ command and control server and bleeding gigabytes’ worth of data each week.
The toolset used by Machete is capable of stealing not only the document types commonly used in office suites but also those created using geographic information systems (GIS) software, ESET researchers write.
The primary interest of the attackers was Venezuelan military grids, positioning, and navigation routes.
Although the actors’ identities remain unknown, Machete has long been used in campaigns against Latin American countries. Machete has been active since 2010 with targets all around the world, including Peru, Argentina, Bolivia, Mexico, Cuba, England, Germany, Spain, Ukraine, Canada, the U.S., and Russia, according to previous research from Kaspersky and Cylance.
The group’s particular experience in targeting Latin American countries seems to be playing to their advantage here, ESET researchers note. Their background running attacks in Latin American countries “has allowed them to collect intelligence and refine their tactics over the years,” the researchers write. “They know their targets, how to blend into regular communications, and which documents are of the most value to steal.”
Of particular note, the people responsible for these attacks are believed to have physical access to compromised computers in at least one country in the campaign, given that some of the attackers’ code is used to exfiltrate data to removable drives, according to ESET. They are also believed to be Spanish-speaking.
The group works at being inconspicuous, according to ESET. The attacks start with phishing emails that carry an attachment or link containing a compressed self-extracting archive, which runs malware once it’s opened. To disguise the malware, some of the attachments are legitimate decoy documents stolen from other victims. The attackers also use military jargon and etiquette specific to Venezuela’s military so nothing appears amiss.
ESET researchers warn the group’s ongoing attack is malleable and quick to change.
“The Machete group is operating more strongly than ever, even after researchers have published technical descriptions and indicators of compromise for this malware,” researchers write. “ESET has been tracking this threat for months and has observed several changes, sometimes within weeks.”