Date: Jun 2025

Location: Paraguay

Summary

The Ministry of Environment and Sustainable Development was among several government portals accessed without authorization after attackers used stolen credentials obtained via infostealer malware. The breach also affected the Ministry of Public Works and Communications, the National Directorate of Health Surveillance, and the General Audit of the Executive Branch, and was contained following activation of the national cyber incident response protocol. Investigations confirmed that the intrusions resulted from credential theft and were mitigated through coordinated actions by the respective information security officers and the national CERT.

Description

On June 1, 2025, the Ministry of Technologies of Information and Communication (MITIC) issued a statement indicating that vulnerabilities had been detected in the web portals of several state institutions. The statement said that a coordinated response had already been provided to the affected entities and that the incidents had been contained through the Paraguayan Cyber Incident Response Center (CERT‑PY). MITIC reported that it had immediately activated its incident response protocol and was working closely with the Information Security Officers of each affected institution. The institutions identified as compromised were the Ministry of Public Works and Communications (MOPC), the National Directorate of Health Surveillance (DINAVISA), the General Audit of the Executive Branch (AGPE), and the Ministry of Environment and Sustainable Development (MADES).

According to the investigations carried out by MITIC and CERT‑PY, the four cases resulted from unauthorized access obtained through the use of leaked user credentials. The leakage generally stemmed from infection by malware known as an “infostealer,” which is designed to extract and exfiltrate valuable data from compromised systems. Each of the affected portals experienced illicit entry that allowed attackers to retrieve information, although the statement did not specify the exact data taken. The investigation confirmed that the method of compromise was consistent across all four incidents.

MITIC communicated that the vulnerabilities had already been contained and that no unauthorized access persisted at the time of the statement. To facilitate ongoing reporting, the agency indicated that any cybersecurity incident should be reported to the email address [email protected]. Additionally, MITIC noted that CERT‑PY publishes detailed statistics on handled reports, which are publicly accessible on its website. The statement concluded by affirming that the response actions had been coordinated and that the affected institutions were being monitored for any residual effects.
