Cyber Incident Victim: Prefeitura do Município de Itu
Date: Aug 2024
Location: Brazil
Summary
A ransomware attack disrupted municipal systems in Itu, near São Paulo, affecting citizen-facing services while leaving the main website operational. The Phobos group deployed the Faust variant, demanding Bitcoin payment without disclosing a ransom amount. Critical services are being manually restored using Citizen Card data backups, causing operational delays, while the hyperconverged HPE SimpliVity 380 Gen10 servers sustained significant corruption. Recovery efforts involve municipal IT teams and infrastructure vendors HPE and AMR Mit Quality, with damage assessments and system reconstruction ongoing. The mayor acknowledged that the attack coincided with election season but refrained from confirming political motives beyond the disruption to digital public services.
Description
On August 12, 2024, the municipal systems of Itu, São Paulo, suffered a ransomware attack attributed to a group identifying as "Phobos," deploying a variant called "Faust." The attack occurred overnight, paralyzing internally hosted servers and disrupting the digital citizen services accessible through the Itu Digital platform (cidadao.itudigital.sp.gov.br), though the city's main website remained operational. Essential services, including public assistance channels, were forced to operate manually, significantly slowing response times. The municipal press office confirmed that partial service restoration relied exclusively on data from the Cartão Cidadão (Citizen Card) system, as the other compromised datasets remained inaccessible. No specific ransom demand or payment amount was disclosed, though the attackers provided generic Bitcoin payment instructions and contact emails associated with Faust ransomware. Mayor Guilherme Gazzola publicly acknowledged the incident via Instagram and Facebook, emphasizing that all internally hosted systems were corrupted and linking the timing to Brazil's electoral period, which he suggested could motivate politically driven disruption of services for Itu's 175,000 residents.

Technical assessments revealed that the attackers directly targeted the hyperconverged infrastructure, specifically HPE SimpliVity 380 Gen10 servers, bypassing the existing digital security measures. Recovery efforts involved municipal IT teams and the third-party infrastructure providers AMR Mit Quality and HPE (Hewlett Packard Enterprise), focusing on system reconstruction rather than immediate full restoration. Damage evaluation remained ongoing, with no estimated recovery timeline provided. Manual processing of citizen requests continued while the municipality prioritized rebuilding core public service systems. The city did not confirm data exfiltration or specify operational impacts beyond service delays, but noted that all applications hosted on the hyperconverged servers required remediation. Mayor Gazzola reiterated his commitment to restoring digital services but cautioned residents to expect prolonged manual operations during the recovery phase.
