Insights on Cyber Threats Targeting Users and Enterprises in Mexico

Written by: Aurora Blum, Kelli Vanderlee


Like many countries across the globe, Mexico faces a cyber threat landscape made up of a complex interplay of global and local threats, with threat actors carrying out attempted intrusions into critical sectors of Mexican society. Mexico also faces threats posed by the worldwide increase in multifaceted extortion, as ransomware and data theft continue to rise.

Threat actors with an array of motivations continue to seek opportunities to exploit the digital infrastructure that Mexicans rely on across all aspects of society. This joint blog brings together our collective understanding of the cyber threat landscape impacting Mexico, combining insights from Google’s Threat Analysis Group (TAG) and Mandiant’s frontline intelligence. By sharing our global perspective, especially during today’s Google for Mexico event, we hope to enable greater resiliency in mitigating these threats.

Cyber Espionage Operations Targeting Mexico

As the 12th largest economy in the world, Mexico draws attention from cyber espionage actors from multiple nations, with targeting patterns mirroring broader priorities and focus areas that we see elsewhere. Since 2020, cyber espionage groups from more than 10 countries have targeted users in Mexico; however, more than 77% of government-backed phishing activity is concentrated among groups from the People’s Republic of China (PRC), North Korea, and Russia.

Figure 1: Government-backed phishing activity targeting Mexico, January 2020 – August 2024

The cases below include recent and historical examples of cyber espionage actors targeting users and organizations in Mexico. It should be noted that these campaigns describe targeting and do not indicate successful compromise or exploitation.

PRC Cyber Espionage Activity Targeting Mexico

Since 2020, we have observed activity from seven cyber espionage groups with links to the PRC targeting users in Mexico, accounting for a third of government-backed phishing activity in the country.

This volume of PRC cyber espionage is similar to activity in other regions where Chinese government investment has been focused, such as countries within China’s Belt and Road Initiative. In addition to activity targeting Gmail users, PRC-backed groups have targeted Mexican government agencies, higher education institutions, and news organizations. 

North Korean Government-Backed Groups Targeting Mexico

Since 2020, North Korean cyber actors have accounted for approximately 18% of government-backed phishing activity targeting Mexico. Similar to their targeting interests in other regions, cryptocurrency and financial technology firms have been a particular focus.

One of the emerging trends we are witnessing globally from North Korea is the insider threat posed by North Korean nationals gaining employment surreptitiously at corporations to conduct work in various IT roles. We note the potential for this threat to present a future risk to Mexican enterprises given historical activity by North Korean threat actors in Mexico and the challenges associated with the expansive problem of North Korean actors attempting to gain employment in other countries. 

Russian Cyber Espionage Activity Targeting Mexico

Russian cyber espionage groups have targeted users in Mexico regularly for several years; however, since the start of Russia’s war in Ukraine, Russian activity targeting Mexico has scaled back considerably—likely an indication of Russia’s efforts to focus resources on Ukrainian and North Atlantic Treaty Organization (NATO) targets in the context of the Russia-Ukraine war. Of the four Russia-backed groups observed targeting Mexico, over 95% of the related phishing activity comes from one group, APT28 (aka FROZENLAKE). 

Since 2020, Russian cyber actors have accounted for approximately one-fifth of government-backed phishing activity targeting Mexico. In 2023 and 2024, however, Russian cyber actors have accounted for less than 1% of government-backed phishing activity targeting Mexico.

Commercial Surveillance Vendors 

Spyware is typically used to monitor and collect data from high-risk users like journalists, human rights defenders, dissidents, and opposition-party politicians. Demand for these capabilities has fueled a lucrative industry that sells governments and nefarious actors the ability to exploit vulnerabilities in consumer devices. Google offers a range of tools to help protect high-risk users from online threats.

Over the past several years, open sources have reported multiple cases involving the use of spyware to target many sectors of Mexican civil society, including journalists, activists, government officials, and their families in Mexico. TAG has previously highlighted the negative outcomes of commercial spyware tools, including the proliferation of sophisticated cyber threat capabilities to new operators and sponsors, the increasing rates of zero-day vulnerability discovery and exploitation, and harm to targets of these tools. Though the use of spyware typically only affects a small number of human targets at a time, its wider impact ripples across society by contributing to growing threats to free speech and the free press and the integrity of democratic processes worldwide. TAG continues to observe evidence of several commercial surveillance vendors operating in Mexico. As recently as April 2024, TAG observed spyware being used in Mexico with Mexican news-themed lures.

Insights on Cyber Crime Targeting Users and Enterprises in Mexico

Cyber crime represents a common, moderate-impact threat to Mexico. Notably, we have observed a variety of operations, including ransomware and extortion, targeting of banking credentials, cryptomining, and threat actors offering compromised access and/or credentials for sale. TAG continues to detect and disrupt multiple financially motivated groups targeting users and organizations in Mexico. Of these groups, three of the top four most frequently observed in the past year have been initial access brokers for extortion groups. Mandiant observed evidence of threat actors using a variety of initial access vectors, including phishing, malvertising, infected USB drives, and password spray; this initial access subsequently supported the ransomware, extortion, cryptomining, and access-brokering activity described above.

Like other countries in the region, Mexico is affected by threat activity from actors primarily active in Latin America as well as operations with global reach. A significant share of observed campaigns focus on stealing credentials for banking or other financial accounts, including use of banking trojans such as METAMORFO aka “Horabot,” BBtok, and JanelaRAT. Many threat actors in the Latin American underground appear to focus on simpler operations in which they can quickly and easily generate profits, such as payment card theft and fraud.

Figure 2: Financially motivated actors most frequently observed in Mexico, Q3 2022 – Q2 2024

Extortion’s Impact on Mexico

Extortion operations, including ransomware and multifaceted extortion, continue to affect organizations across regions and industries, including Mexico, leading to significant financial losses and business disruption. For detailed guidance on defensive strategies for ransomware, please see our blog post, Ransomware Protection and Containment Strategies: Practical Guidance for Hardening and Protecting Infrastructure, Identities, and Endpoints, and the accompanying white paper.

Mandiant tracks multiple data leak sites (DLSs) dedicated to releasing victim data following ransomware and/or extortion incidents in which victims refuse to pay a ransom demand. From January 2023 to July 2024, Mexico was surpassed only by Brazil as the Latin American and Caribbean country most affected by ransomware and extortion operations, based on counts of DLS listings, though the global distribution of extortion activity as indicated by DLS listings remains heavily skewed towards the U.S., Canada, and Western Europe. The most frequently impacted sectors in Mexico include manufacturing, technology, financial services, and government. DLSs that most often listed Mexican organizations include LockBit, ALPHV, and 8BASE.

Figure 3: Data leak listings for Mexican organizations by industry

Impersonating Official Government Services to Distribute Malware 

Malware distribution campaigns targeting users in Mexico frequently use tax- and finance-themed lures to convince recipients to open malicious links or files. Throughout 2023 and into 2024, Mandiant observed UNC4984 activity distributing either malicious browser extensions or the SIMPLELOADER downloader using multiple distribution vectors, including using email lures for malware distribution. The malicious websites leveraged in these campaigns often masquerade as tax- or financial-related Chilean or Mexican government websites, and the malicious browser extensions specifically target Mexican bank institutions.

Figure 4: UNC4984 website spoofing the Mexican Tax Administration Service (SAT) prompting users to download a malicious browser extension

Another financially motivated group, tracked as UNC5176, uses emails and malicious advertisement (aka “malvertising”) campaigns to compromise users from various countries, including Brazil, Mexico, Chile, and Spain. Mandiant observed multiple malicious email campaigns delivering the URSA (aka Mispadu) backdoor to Latin American organizations in multiple industries, including a December 2023 UNC5176 campaign spoofing Mexico’s state-owned electric utility, the Comisión Federal de Electricidad. In April 2024, a UNC5176 phishing campaign distributed URSA to organizations primarily located in Latin America using malicious PDF attachments containing an embedded link to a ZIP archive. In some incidents, the ZIP archives were hosted on and retrieved from legitimate file-hosting services such as S3 buckets, Azure, GitHub, and Dropbox.
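The delivery chain described above (a PDF attachment whose embedded link fetches a ZIP archive from a legitimate file-hosting service) lends itself to a simple mail-gateway triage check. The following is an added example written for this post, not Mandiant's or Google's tooling; the sample PDF bytes are constructed, and the list of hosting-service domain suffixes is an assumption drawn from the services named in the text. It scans raw PDF bytes for `/URI (...)` link actions, so compressed object streams would need to be inflated first.

```python
import re
from urllib.parse import urlparse

# Constructed minimal PDF with one link annotation; not a real malware sample.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example-bucket.s3.amazonaws.com/factura/2024/comprobante.zip) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Assumed domain suffixes for the file-hosting services named in the campaign
# description (S3, Azure blob storage, GitHub, Dropbox). Extend for your environment.
FILE_HOSTING_SUFFIXES = (
    "amazonaws.com", "blob.core.windows.net",
    "github.com", "githubusercontent.com",
    "dropbox.com", "dropboxusercontent.com",
)

# Matches /URI (literal-string) link actions in uncompressed PDF objects.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

def extract_uris(pdf_bytes):
    """Return the decoded URL strings of every /URI action found in raw PDF bytes."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]

def is_suspicious_link(url):
    """Heuristic from the campaign: a ZIP archive served from a public file-hosting service."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()          # query string is ignored, e.g. Dropbox ?dl=1
    on_file_host = any(host == s or host.endswith("." + s) for s in FILE_HOSTING_SUFFIXES)
    return on_file_host and path.endswith(".zip")

def triage_pdf(pdf_bytes):
    """Return the embedded links that match the heuristic; an empty list means no hit."""
    return [u for u in extract_uris(pdf_bytes) if is_suspicious_link(u)]

if __name__ == "__main__":
    for hit in triage_pdf(SAMPLE_PDF):
        print("flagged link:", hit)
```

A hit is a triage signal for sandbox detonation or quarantine, not proof of malice, since legitimate documents also link to archives on these services.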

Figure 5: Screenshot of phishing email

Using Threat Intelligence to Protect Users and Customers

Google uses the results of our research to improve the safety and security of our products, making them secure by default. Chrome OS has built-in, proactive security measures to protect from ransomware attacks, and there have been no reported ransomware attacks ever on any Chrome OS device. Google security teams continuously monitor for new threat activity, and all identified websites and domains are added to Safe Browsing to protect users from further exploitation. We also deploy and constantly update Android detections to protect users’ devices and prevent malicious actors from publishing malware to the Google Play Store. We send targeted Gmail and Workspace users government-backed attacker alerts, notifying them of the activity and highly encouraging device updates and the use of Enhanced Safe Browsing for Chrome. Additionally, Google Cloud customers can access insight into these threats through our Google Threat Intelligence product announced earlier this year.

Conclusion 

Mexico will remain an attractive target for threat actors driven by diverse motivations. Global cyber espionage actors from the PRC, North Korea, and Russia as well as multinational cyber criminals pose longstanding threats. To effectively safeguard Mexican enterprises and users, it is important to understand this unique interplay of threats and adopt a proactive approach to cybersecurity.

We hope the analysis and research here helps to inform defenders in Mexico, providing fresh insights for collective defense. At Google, we are committed to supporting the safety and security of online users everywhere and will continue to take action to disrupt malicious activity to protect our users and enterprise customers and help make the internet safe for all.