Date:

Apr 2023

Location:

Argentina

Summary

The Instituto Nacional de Tecnología Agropecuaria (INTA), an Argentine public agricultural agency, suffered a ransomware attack that disrupted its institutional IT services and a national network of over 400 locations. The attack forced a complete suspension of all computer services while the organization worked with specialists to restore operations. The attackers reportedly demanded a ransom of $2.5 million, though the responsible group was not officially identified.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

On May 2, 2023, the Instituto Nacional de Tecnología Agropecuaria (INTA), a decentralized public agency under the Argentine Ministry of Agriculture and Fisheries, publicly announced via its Twitter account that it had suffered a computer attack. The agency reported that the attack on its institutional IT services had been detected over the preceding weekend. Immediately upon detection, INTA activated its established security protocols. The organization stated it was working in conjunction with specialists from information security companies and was in close communication with Argentina's National Cybersecurity Directorate (CERT Argentina) to resolve the issue in accordance with the national regulatory framework. The scope of the attack was significant, affecting INTA's entire national network of more than 400 points across the country. Due to the severity and breadth of the compromise, the agency decided to suspend all institutional computer services entirely until it was deemed safe to begin a controlled restoration process.


Reporting from Clarín provided additional detail on the nature of the incident, citing an internal letter the agency had sent to its employees. This communication identified the event as a ransomware attack. The letter further specified that the threat actors behind the attack were demanding a payment of 2.5 million US dollars to release the encrypted systems and restore INTA's access. This was not the first cybersecurity incident of this kind for the agency: a previous ransomware attack attributed to the Everest group had been reported by a third party on Twitter in March 2022. For the May 2023 incident, no specific ransomware group or threat actor was officially identified by INTA in its public statements, and INTA was not observed listed on any major ransomware leak site at the time.

The primary impact of the attack was the complete suspension of INTA's IT services, which crippled the operations of an organization responsible for contributing to the sustainable development of Argentina's agricultural, agri-food, and agro-industrial sectors through research and extension programs. With over 400 national points of presence offline, the agency's core functions were severely disrupted. The agency's public communications focused on its ongoing recovery efforts, expressing a hope to re-establish services in a controlled manner as soon as possible. Beyond the initial tweets and the internal letter reported by the press, INTA provided no further substantive public updates on the incident. Attempts by DataBreaches.net to contact the agency for an update via Facebook on May 6 were unsuccessful, as the website's contact page was also non-operational due to the attack, and no reply was received.

The organizational response involved a multi-faceted approach beginning with the activation of security protocols upon initial detection. This was followed by the engagement of external information security specialists to assist with the investigation and recovery efforts. Coordination with the national computer emergency response team, CERT Argentina, was also a key component of the response strategy, ensuring actions were aligned with national regulatory guidelines. The definitive containment action was the proactive and widespread shutdown of all institutional IT services to prevent further propagation of the ransomware and to secure the environment for restoration. The recovery process was described as focused on tasks to normalize the situation, with the intent to bring systems back online in a phased and controlled manner to ensure security. The agency's public communications strategy was conducted exclusively via Twitter, as its primary website and other contact methods were rendered inoperable by the attack. The full extent of any data exfiltration was not disclosed by the agency, and no data leaks were publicly associated with this specific incident at the time of reporting.

Sources: 1 source (available to members)