Cyber Incident Victim: Grupo GTD
Date: Oct 2023
Location: Chile
Summary
A Chilean telecommunications company suffered a ransomware attack that disrupted its Infrastructure-as-a-Service (IaaS) platform, taking down VoIP, VPN and television services. The attackers deployed Rorschach ransomware (also known as BabLock), abusing DLL sideloading against signed, legitimate security-software binaries (Trend Micro and BitDefender among them) to load a malicious DLL that injected the encryption payload into Notepad processes, enabling very fast file encryption. Chile's national CSIRT confirmed the incident, noted partial service outages, and advised connected organizations to scan for compromise using the shared indicators of compromise, including the specific executables used as sideloading hosts. The company contained the attack by disconnecting its IaaS platform, while some customer-facing communication channels remained operational.
Description
On October 23, 2023, Chilean telecommunications conglomerate Grupo GTD experienced a cybersecurity incident that disrupted multiple services within its Infrastructure as a Service (IaaS) platform. The attack affected data centers, internet access, Voice-over-IP (VoIP) telephony, VPNs and over-the-top (OTT) television, while core communication services and ISP operations remained functional. GTD promptly issued notifications acknowledging a "partial impact" and confirmed that it had deliberately disconnected its IaaS platform from the internet to stop the attack from spreading. Chile's Computer Security Incident Response Team (CSIRT) subsequently confirmed the event as a ransomware attack and linked it to disruptions of public-sector websites hosted on GTD's infrastructure. Under Decree No. 273, the government required all state agencies using GTD's IaaS to report potential cascading impacts, reflecting the incident's broader consequences for public services.

Technical analysis revealed the involvement of Rorschach ransomware, also known as BabLock, an encryptor first documented in April 2023 and notable for its speed: in published testing it encrypted a machine in roughly four and a half minutes. The attackers abused DLL sideloading (search-order hijacking) against signed, legitimate executables from Trend Micro, BitDefender and Palo Alto Networks' Cortex XDR: a malicious DLL dropped alongside the renamed host binary was loaded in place of the expected library, read the encrypted payload ("config[.]ini"), and injected the ransomware into a Notepad process. CSIRT disseminated indicators of compromise (IOCs), including the filenames u.exe and d.exe (renamed copies of legitimate security-software binaries used as sideloading hosts) and the associated malicious DLLs. Mitigation guidance urged connected organizations to run full antivirus scans, audit system accounts and performance metrics, monitor for unauthorized data exfiltration, restrict SSH access, and maintain up-to-date system inventories. The incident followed an earlier 2023 ransomware attack on Chile's military by the Rhysida group, although available reporting established no direct connection between the two. GTD did not publicly disclose further operational or forensic details beyond its initial notifications, and recovery timelines were unspecified at the time of reporting.
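The sideloading chain described above leaves a recognizable sequence in endpoint telemetry: a security-vendor-signed binary (possibly renamed to something like u.exe) loads a DLL from its own directory that is not signed by that vendor, and the same process then opens a thread in notepad.exe. The script below, an added example written for this page and not code from CSIRT or from any vendor, hunts for that sequence over a constructed, simplified imitation of Sysmon Event ID 1 (process create), 7 (image load) and 8 (CreateRemoteThread) records. The signer strings, paths, PIDs and the DLL name helper.dll are all assumptions chosen for the demonstration, and the "signer" field on process-create records is assumed to come from EDR enrichment; nothing here is a published IOC beyond the u.exe/d.exe filenames the page itself reports.

```python
"""Hunt for a Rorschach-style DLL sideloading chain in Sysmon-like records.

Added example for this page (not CSIRT's or any vendor's code). Records are a
constructed, simplified imitation of Sysmon Event IDs 1, 7 and 8; signer
strings, paths, PIDs and 'helper.dll' are assumptions, not real indicators.
"""
from pathlib import PureWindowsPath

PROCESS_CREATE, IMAGE_LOAD, CREATE_REMOTE_THREAD = 1, 7, 8

# Name fragments of the vendors whose signed binaries were used as hosts.
VENDOR_KEYWORDS = ("trend micro", "bitdefender", "palo alto")
# Renamed host-binary filenames shared by CSIRT as indicators.
IOC_FILENAMES = {"u.exe", "d.exe"}


def _is_vendor_signed(signer):
    s = (signer or "").lower()
    return any(k in s for k in VENDOR_KEYWORDS)


def _same_dir(a, b):
    # PureWindowsPath comparison is case-insensitive, as NTFS paths are.
    return PureWindowsPath(a).parent == PureWindowsPath(b).parent


def find_sideloading_chain(events):
    """Return (rule, pid, detail) findings in the order the events arrive."""
    findings = []
    procs = {}        # pid -> (image path, signer of that image)
    suspects = set()  # pids that already matched the sideload rule

    for ev in events:
        eid = ev["event_id"]
        if eid == PROCESS_CREATE:
            procs[ev["pid"]] = (ev["image"], ev.get("signer"))
            name = PureWindowsPath(ev["image"]).name.lower()
            # A vendor-signed binary running under an IOC filename is itself suspicious.
            if name in IOC_FILENAMES and _is_vendor_signed(ev.get("signer")):
                findings.append(("ioc_renamed_vendor_binary", ev["pid"], ev["image"]))
        elif eid == IMAGE_LOAD:
            image, host_signer = procs.get(ev["pid"], (ev["image"], None))
            dll = ev["image_loaded"]
            trusted = ev.get("loaded_signature_valid") and ev.get("loaded_signer") == host_signer
            # Sideload pattern: vendor-signed host loads a DLL from its own directory
            # that does not carry a valid signature from the same vendor.
            if _is_vendor_signed(host_signer) and _same_dir(image, dll) and not trusted:
                suspects.add(ev["pid"])
                findings.append(("dll_sideload_candidate", ev["pid"], dll))
        elif eid == CREATE_REMOTE_THREAD:
            target = PureWindowsPath(ev["target_image"]).name.lower()
            # Only escalate when the injecting process already matched the sideload rule.
            if ev["source_pid"] in suspects and target == "notepad.exe":
                findings.append(("notepad_injection_after_sideload", ev["source_pid"], ev["target_image"]))
    return findings


# Constructed sample telemetry (not a real capture). Signer strings are assumed.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 4100, "image": r"C:\Users\Public\u.exe", "signer": "Trend Micro, Inc."},
    {"event_id": 7, "pid": 4100, "image": r"C:\Users\Public\u.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll",
     "loaded_signer": "Microsoft Windows", "loaded_signature_valid": True},
    {"event_id": 7, "pid": 4100, "image": r"C:\Users\Public\u.exe",
     "image_loaded": r"C:\Users\Public\helper.dll",   # hypothetical sideloaded DLL
     "loaded_signer": None, "loaded_signature_valid": False},
    {"event_id": 8, "source_pid": 4100, "source_image": r"C:\Users\Public\u.exe",
     "target_pid": 4172, "target_image": r"C:\Windows\System32\notepad.exe"},
    # Benign baseline: a vendor agent loading its own properly signed DLL.
    {"event_id": 1, "pid": 2200, "image": r"C:\Program Files\Vendor\agent.exe", "signer": "Bitdefender SRL"},
    {"event_id": 7, "pid": 2200, "image": r"C:\Program Files\Vendor\agent.exe",
     "image_loaded": r"C:\Program Files\Vendor\agentcore.dll",
     "loaded_signer": "Bitdefender SRL", "loaded_signature_valid": True},
    # A remote thread from a process that never matched the sideload rule is not escalated.
    {"event_id": 8, "source_pid": 2200, "source_image": r"C:\Program Files\Vendor\agent.exe",
     "target_pid": 4172, "target_image": r"C:\Windows\System32\notepad.exe"},
]


def demo():
    return find_sideloading_chain(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, pid, detail in demo():
        print(f"{rule:35s} pid={pid} {detail}")
```

The three rules are deliberately chained: the renamed-IOC rule catches the specific binaries CSIRT named, the sideload rule generalizes to any vendor-signed host pulling an untrusted DLL from its own directory (so a fresh rename would still match), and the injection rule fires only for processes that already matched, which keeps ordinary notepad.exe activity out of the alert queue.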
