Before the world was plunged into the COVID-19 crisis, the Mexican government was hit by a cyber attack. On February 26th, the Ministry of Economy detected an intrusion on some of its servers. Luckily, no sensitive information was compromised. However, some Internet Service Providers (ISPs) had to temporarily isolate their networks and servers, and the processing of some forms was suspended for a time to protect their legal status.
This was the second high-profile cyber attack in the country in recent months. In November, hackers demanded nearly $5 million (565 bitcoin at the time) from the country’s state-owned oil company, PEMEX, with a 48-hour deadline. The company was forced to shut down its computers nationwide and freeze its payment systems.
A ransom note sent to PEMEX showed a darknet website linked to DoppelPaymer, a type of ransomware. According to articles in Tripwire and Bleeping Computer, the message indicated the attackers’ intention to leak the names and data of victims who refused to meet the ransom demand.
Image Source: Bleeping Computer
It is believed the attackers behind the PEMEX and Mexican Ministry of Economy attacks are one and the same.
DoppelPaymer’s handlers indicated to Bleeping Computer that they would begin exfiltrating even more data now that “Dopple Leaks” is live. More data in the hands of cybercriminals means more attacks and more ransom demands.
And don’t think that giving in to hackers and paying the ransom will save you. In GlobalSign’s opinion, even if a company pays the ransom, it can still suffer catastrophic damage. Like so many in the security industry, we recommend not relenting to hackers’ demands. At the end of the day, they are criminals and simply cannot be trusted.
The Unlikely Link to Mexico’s Tomato Industry
Let’s take a look at this latest attack a little more closely.
One of the groups directly impacted by this particular incident has been Mexico’s tomato farmers. Tomatoes are the country’s 7th largest export. The total value of US tomato imports from Mexico is $2 billion. According to Mexico Business News, the peak of tomato production and exports from Sinaloa, the country’s main producer, occurs in February and March.
It just so happens that Mexico’s Ministry of Economy is responsible for responding to electronic requests sent by tomato producers, so cargo can be exported and the time waiting at the US border is limited.
After the attack, the Ministry was forced to set up a postal mail system to keep foreign trade moving. The move from electronic back to older, manual systems was surely a blow to tomato growers, who were already having to adapt to new export requirements set by the US market, including a provision that stipulates 92% of Mexico’s tomato production be subject to border inspections by April. So the attack really made a tough situation even worse. Meanwhile the hackers, wherever they are, could not care less about the damage they have wrought; maybe it was all part of the plan.
Delving into DoppelPaymer
DoppelPaymer is one of the newest variants of BitPaymer. It was spotted last year by CrowdStrike researchers after a series of ransomware campaigns that began in June 2019, including attacks against the city of Edcouch, Texas, as well as the Chilean Ministry of Agriculture. (There does seem to be a clear pattern emerging against agriculture!)
Adam Meyers, vice president of intelligence at CrowdStrike, told Dark Reading last July: “Big game hunters favor municipalities, industrial/manufacturing, healthcare, and targets which cannot accept downtime.” He added: “They choose targets in these verticals to increase the likelihood of payment, likely thinking that these victims are not prepared to recover, and the cost of ransom is less than the cost of downtime.”
Perhaps the bad actors behind DoppelPaymer specifically targeted the Mexican government precisely because they knew the impact it could have on tomato growers – not to mention grocery chains and consumers in the United States. Of course, no one can know for sure.
The takeaway here is that companies must remain vigilant and do whatever they can to avoid an attack like this. Always be cautious of emails instructing you to open an attached Word document, especially if the message also gives you a password to open the file: the password stops mail gateways from inspecting the document, while the body hands the recipient the key.
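The lure described above can be triaged automatically at the mail gateway. The following is an added example, not code from the original post or from GlobalSign: it parses a constructed sample message with Python's standard `email` library, flags Word attachments, applies a heuristic check for a password-protected Office document (an encrypted .docx is an OLE2 container whose directory names an `EncryptedPackage` stream), and quarantines a Word attachment when the document is encrypted or the body mentions a password. The attachment blob and addresses are constructed stand-ins.

```python
import email
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# A password-protected .docx is wrapped in an OLE2 container whose directory
# names the "EncryptedPackage" stream; directory names are stored as UTF-16LE.
ENCRYPTED_STREAM = "EncryptedPackage".encode("utf-16-le")
WORD_EXT = (".doc", ".docx", ".docm", ".dot", ".dotm")

def is_encrypted_office(blob: bytes) -> bool:
    """Heuristic check (no full OLE parser): magic bytes plus the stream name."""
    return blob.startswith(OLE_MAGIC) and ENCRYPTED_STREAM in blob

def triage(raw: bytes) -> list[dict]:
    """Return one verdict per attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body, attachments = "", []
    for part in msg.walk():
        if part.get_filename():
            attachments.append((part.get_filename(), part.get_payload(decode=True)))
        elif part.get_content_maintype() == "text":
            body += part.get_content()
    password_lure = "password" in body.lower()
    verdicts = []
    for name, blob in attachments:
        is_word = name.lower().endswith(WORD_EXT)
        encrypted = is_encrypted_office(blob)
        # Encrypted document plus a password in the body is the classic pattern:
        # the password defeats gateway scanning, the body hands the victim the key.
        quarantine = is_word and (encrypted or password_lure)
        verdicts.append({"name": name, "word": is_word, "encrypted": encrypted,
                         "password_in_body": password_lure, "quarantine": quarantine})
    return verdicts

def build_sample() -> bytes:
    """Constructed sample mail; the attachment is a stand-in blob, not a real document."""
    msg = EmailMessage()
    msg["From"] = "invoices@example.invalid"
    msg["To"] = "ap@example.invalid"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please open the attached invoice. The password is 2020.")
    fake_doc = OLE_MAGIC + b"\x00" * 64 + ENCRYPTED_STREAM + b"\x00" * 64
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="invoice_4471.doc")
    return msg.as_bytes()

if __name__ == "__main__":
    for verdict in triage(build_sample()):
        print(verdict)
```

The stream-name check is a triage heuristic, not a parser; a production gateway would open the container with an OLE library and also inspect legacy .doc files, whose encryption flag lives in the Word file header rather than in a stream name.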
For other tips on online and email safety, check out our blog post Coronavirus and Cybersecurity: 3 Essential Precautions for Enterprises. You can learn more about our secure email solutions on our website.