Threat groups operating in Latin and South America have increasingly focused their efforts on government agencies and contractors. Over the past year, this sustained interest has made the public-administration sector the most frequently impacted by data exposure incidents in the region.
In mid-May, a group known as La Pampa Leaks claimed unauthorized access to Uruguay's government-sponsored identity service, TuID, managed by telecommunications provider Antel. The group reportedly monetized the information by establishing a citizen-data lookup service. In February, a threat group called the Chronus Group claimed to have acquired data from 25 different Mexican government agencies. Similarly, in March, Colombia's health ministry recorded more than 23 million unauthorized access attempts.
The region has developed its own distinct threat landscape, with local groups targeting government agencies and municipal infrastructure in nations such as Chile, Colombia, Mexico, and Uruguay. Fabio Assolini, lead security researcher at Kaspersky's Global Research and Analysis Team (GReAT), notes that these groups operate with a deep understanding of the regional geopolitical situation. Their operational methodologies are shifting toward pure extortion campaigns that deliberately skip encryption altogether and focus solely on high-volume data exfiltration.
Organizations in Peru, Mexico, and Brazil are also heavily targeted. Each nation experienced at least 90 data exposure incidents in the past year, placing them in the top 10 most-targeted countries globally, according to telemetry from cyber-risk platform Bitsight. Furthermore, public administration was the most affected industry sector, accounting for 21% of all recorded incidents (543 total) over the past 12 months.
Emma Stevens, a threat intelligence researcher at Bitsight, explains that the geopolitical environment in Latin America adds complexity to the region's security posture. Elections, political differences, economic instability, and foreign influence concerns make government institutions attractive targets for hacktivists, state-aligned groups, and financially motivated actors. Recent activity across Uruguay, Paraguay, Argentina, and Mexico indicates a sustained, organized focus on public-sector and citizen-adjacent systems rather than isolated events.
Regional methodologies favor pure extortion
Threat actors operating in Latin America use initial access and lateral movement strategies comparable to those of major ransomware operations, but their subsequent activities differ significantly. Instead of encrypting systems, they prioritize quietly extracting government databases. Assolini notes that their strategy relies heavily on psychological and public pressure, similar to the methods used by groups like ShinyHunters.
In late May, the extortion group Bashe (also known as APT73) claimed to have compromised Grupo Petersen, an engineering and construction company involved in numerous public-works projects in Argentina. Notably, regional groups are known to fabricate data exposure claims by combining publicly accessible information or reusing records from previous, unrelated incidents. Following La Pampa Leaks' claims, for instance, Antel issued a statement confirming that core authentication mechanisms remained secure, clarifying that "passwords, signature PINs, private keys associated with digital certificates, or credentials were not compromised."
While threat actors globally make broad claims to pressure organizations, this deception tactic is particularly prevalent in Latin America. Groups frequently recycle historical data from older, well-known incidents, mix it with auto-generated records, and falsely attribute the resulting dataset to a new corporate or government target.
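The recycling-and-padding pattern described above is something a targeted agency or its CERT can test for before responding to an extortion demand. The following Python is an added example, not code from the article or from either vendor named in it: it fingerprints records from known prior dumps (constructed sample data here, with hypothetical field names `id`, `email`, `dob`), measures how much of a claimed dataset is already explained by those dumps, and flags records carrying generator artefacts (runs of sequential ids, templated addresses, impossible birth dates). The heuristics and the 0.7 threshold are assumptions chosen for illustration.

```python
"""Triage a claimed leak: how much is recycled from known dumps, how much looks machine-generated."""
import hashlib
import re
from typing import Iterable

# Assumption: a local part that is a short word plus a counter (user0001, usuario42) is templated.
TEMPLATED_LOCAL_PART = re.compile(r"^[a-z]*\d+$")
MIN_PLAUSIBLE_BIRTH_YEAR = 1900
EXPLAINED_SHARE_THRESHOLD = 0.7  # assumption: above this, the claim is mostly padding

# Constructed sample data (hypothetical identifiers and example.* addresses, not real incidents).
KNOWN_DUMP_A = [  # a prior, publicly reported incident
    {"id": "10000001", "email": "ana.perez@example.com", "dob": "1984-03-12"},
    {"id": "10000003", "email": "luis.gomez@example.com", "dob": "1979-11-02"},
    {"id": "10000005", "email": "maria.silva@example.com", "dob": "1991-06-30"},
]
KNOWN_DUMP_B = [  # a second, unrelated older incident
    {"id": "10000007", "email": "carlos.rojas@example.org", "dob": "1968-01-19"},
    {"id": "10000009", "email": "sofia.mendez@example.org", "dob": "1995-09-08"},
]
CLAIMED_LEAK = [
    # recycled from the dumps above, with cosmetic edits that defeat naive string matching
    {"id": "10000001", "email": "Ana.Perez@Example.com", "dob": "1984-03-12"},
    {"id": " 10000003", "email": "luis.gomez@example.com ", "dob": "1979-11-02"},
    {"id": "10000005", "email": "MARIA.SILVA@example.com", "dob": "1991-06-30"},
    {"id": "10000007", "email": "carlos.rojas@example.org", "dob": "1968-01-19"},
    # auto-generated padding: sequential ids, templated addresses, one impossible birth date
    {"id": "90000001", "email": "user90000001@example.net", "dob": "1990-01-01"},
    {"id": "90000002", "email": "user90000002@example.net", "dob": "1990-01-01"},
    {"id": "90000003", "email": "user90000003@example.net", "dob": "1800-01-01"},
    {"id": "90000004", "email": "user90000004@example.net", "dob": "1990-01-01"},
    # not explained by either check: these are the records that actually warrant verification
    {"id": "55512345", "email": "jm.rodriguez@example.com", "dob": "1987-07-21"},
    {"id": "20394857", "email": "p.castillo@example.org", "dob": "1973-12-05"},
]


def canonical(record: dict) -> str:
    """Normalize the identifying fields so whitespace and case changes do not defeat matching."""
    ident = str(record.get("id", "")).strip()
    email = str(record.get("email", "")).strip().lower()
    return f"{ident}|{email}"


def fingerprint(record: dict) -> str:
    """Hash the canonical form so prior-leak corpora can be indexed and shared without raw PII."""
    return hashlib.sha256(canonical(record).encode("utf-8")).hexdigest()


def build_index(known_dumps: Iterable[Iterable[dict]]) -> set[str]:
    return {fingerprint(r) for dump in known_dumps for r in dump}


def recycled_records(claimed: list[dict], index: set[str]) -> list[dict]:
    return [r for r in claimed if fingerprint(r) in index]


def sequential_id_records(records: list[dict], min_run: int = 3) -> list[dict]:
    """Flag records whose numeric ids form runs of consecutive integers, a common generator artefact."""
    numeric = [(int(str(r.get("id", "")).strip()), r)
               for r in records if str(r.get("id", "")).strip().isdecimal()]
    numeric.sort(key=lambda pair: pair[0])
    flagged, run, prev = [], [], None
    for value, rec in numeric:
        if prev is not None and value == prev + 1:
            run.append(rec)
        else:
            if len(run) >= min_run:
                flagged.extend(run)
            run = [rec]
        prev = value
    if len(run) >= min_run:
        flagged.extend(run)
    return flagged


def templated_email_records(records: list[dict]) -> list[dict]:
    """Flag addresses built from a fixed prefix plus a counter, or that embed the record's own id."""
    flagged = []
    for r in records:
        local = str(r.get("email", "")).strip().lower().split("@")[0]
        ident = str(r.get("id", "")).strip()
        if TEMPLATED_LOCAL_PART.match(local) or (ident and ident in local):
            flagged.append(r)
    return flagged


def implausible_dob_records(records: list[dict], min_year: int = MIN_PLAUSIBLE_BIRTH_YEAR) -> list[dict]:
    """Flag birth dates before the plausible minimum year (filler values from a generator)."""
    flagged = []
    for r in records:
        year = str(r.get("dob", ""))[:4]
        if year.isdecimal() and int(year) < min_year:
            flagged.append(r)
    return flagged


def triage(claimed: list[dict], known_dumps: Iterable[Iterable[dict]]) -> dict:
    """Split a claimed dataset into recycled, synthetic-looking and unexplained records."""
    index = build_index(known_dumps)
    recycled = {canonical(r) for r in recycled_records(claimed, index)}
    synthetic = {canonical(r)
                 for finder in (sequential_id_records, templated_email_records, implausible_dob_records)
                 for r in finder(claimed)}
    total = len(claimed)
    explained = len(recycled | synthetic)
    share = explained / total if total else 0.0
    return {
        "total": total,
        "recycled": len(recycled),
        "synthetic_suspects": len(synthetic),
        "unexplained": total - explained,
        "verdict": ("largely recycled or synthetic" if share >= EXPLAINED_SHARE_THRESHOLD
                    else "substantial unexplained content"),
    }


if __name__ == "__main__":
    print(triage(CLAIMED_LEAK, [KNOWN_DUMP_A, KNOWN_DUMP_B]))
```

The "unexplained" remainder is the part an incident responder should reconcile against production records; a high recycled-plus-synthetic share supports Antel-style public statements that core systems were not breached, without having to take the claim at face value. Because the index holds SHA-256 fingerprints rather than records, a national CERT could distribute it to agencies without redistributing the citizen data it was built from.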
Regulatory compliance as leverage
A contributing factor to the focus on public agencies is the evolving regulatory landscape. As more nations in the region adopt strict cybersecurity regulations, public agencies facing extortion demands must weigh the immediate pressure against potential legal and political consequences. Threat actors recognize that regulatory compliance can be used as leverage. By threatening to publish sensitive citizen data, they attempt to capitalize on an organization's concerns regarding government fines and reputational impact.
To mitigate these risks, organizations should build resilience in the specific areas that threat actors consistently target. Stevens recommends prioritizing the remediation of exposed services, weak identity controls, unpatched vulnerabilities, and open ports.
For regional Computer Emergency Response Teams (CERTs) and government IT teams, securing identity systems and exposed infrastructure is the recommended starting point. These foundational controls prevent unauthorized parties from escalating a single weak point into a broader public-sector security incident.