Cyber Incident Victim: Servicio de Administración Tributaria de Piura
Date:
Mar 2025
Location:
Peru
Summary
The Rhysida ransomware group claimed to have taken over Peru’s government domain gob.pe and demanded a five‑bitcoin ransom, sharing documents allegedly stolen from the portal. Authorities said the main government site remained uncompromised and services continued, but they confirmed that attackers accessed the tax administration website in the regional capital Piura. The Tax Administration Service in Piura reported a cyberattack that disrupted its operations, with service restored within two days, and stated that no data were taken during the incident. Federal officials urged all state entities to report cyber incidents to the National Centre for Digital Security and to rely only on official information to prevent confusion.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On Thursday, March27, 2025, Peru’s Ministry of Government and Digital Transformation issued a statement addressing a claim posted on the Rhysida ransomware gang’s leak site that the group had taken over the government’s domain gob.pe. The statement said the group had demanded a ransom of five bitcoin, valued at approximately $472,000, and had shared documents allegedly stolen from the portal. The Presidency of the Council of Ministers clarified that the main government website remained uncompromised and its services continued operating throughout the week, but acknowledged that the hackers had gained access to the tax administration website of the regional capital Piura.
As soon as the possible security event was identified, the National Digital Security Department (CNSD) activated preventive alerts to mitigate any potential risks. On Friday, March 29, 2025, the Tax Administration Service in Piura released its own statement confirming that it had dealt with a cyberattack early that morning. The incident affected the organization’s operations, but service was restored within 48 hours according to Piura officials. The IT team reported the incident to Piura’s provincial prosecutor’s office and stated that no data had been stolen during the attack.
Federal authorities said they were investigating the incident and working with officials in Piura on the matter. The Rhysida ransomware group is known for previous attacks on government entities in Kuwait and the Dominican Republic, as well as breaches of local governments in the United States and Portugal. In the United States, the group’s attacks on the cities of Columbus and Seattle caused significant disruptions and led to the leakage of sensitive information. Rhysida has also been noted for targeting children’s hospitals, prominent healthcare networks, Christian charities and libraries.
In response to the event, federal officials reminded all state‑level entities that any cyber incident must be reported to the National Centre for Digital Security. They urged the public to rely only on information from official government sources and to avoid sharing messages that could generate confusion or unjustified alarm. The notice added that Peruvians had remained on heightened alert for cyber threats since October 2024, when one of the country’s largest banks apologized for a data breach that may have exposed information from up to three million customers.