
Cyber Incident Victim: Macaé Municipality

Date: Jun 2023

Location: Brazil

Summary

A ransomware attack targeted Macaé Municipality's internal network, compromising file servers, systems, and databases through suspected local vectors like USB drives or VPN connections. Critical servers were infected, corrupting data and rendering most internal systems inoperable, though public-facing services remained unaffected. The municipality isolated affected equipment, initiated forensic analysis, and requested legal action alongside a police cybercrime report. Unrecovered data from tax exemption protocols necessitated direct outreach to impacted taxpayers for re-submission. While no dedicated leak site listed the incident, the organization proceeded with IT modernization plans—including enhanced security infrastructure—and maintained COVID-19 vaccination operations despite the disruption.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors (Type: Available to members; Location: Available to members)

Description

On June 3, 2021, during the Corpus Christi holiday, Macaé Municipality’s City Hall experienced a cyberattack involving malware that targeted network file servers, systems, and databases. The municipality confirmed the incident in a June 9 statement, classifying it as a ransomware-type attack due to the corruption of critical data and widespread unavailability of internal systems. Upon detecting the intrusion, municipal IT personnel isolated affected equipment to assess the malware’s impact and origin. Marcos Lemos, Assistant Secretary of Science and Technology, reported that key servers were compromised, rendering most internal operations inoperable. Forensic analysis of network traffic indicated the attack vector originated internally—potentially via infected USB drives, the local network, or vulnerabilities in the Home Office VPN—rather than through direct internet-facing systems. Public services hosted online, including the City Hall portal, remained functional throughout the incident, limiting disruptions to external users.

The attack caused irreversible damage to portions of the IPTU tax exemption protocol system, specifically corrupting data for protocol numbers 90.415 to 90.530. The Finance Secretariat publicly requested affected taxpayers to email their protocol details for manual rescheduling of in-person appointments at its headquarters. Internally, the municipality initiated modernization plans involving upgraded employee computers, a dedicated security center, cloud migration, and enhanced network management to bolster future resilience. Legally, the Assistant Secretary formally notified the Municipal Attorney General to pursue investigative and regulatory actions, including filing an incident report with the Police Office for the Repression of Computer Crimes (DRCI). Despite the attack’s severity, municipal operations such as COVID-19 vaccination campaigns proceeded without reported interruptions, and no ransomware group claimed responsibility or leaked data on dedicated leak sites during the observed timeframe.

Sources
Sources available to members
1 source