
Cyber Incident Victim: Government of Brazil

Date: Oct 2023

Location: Brazil

Summary

A cyberattack targeted the municipal administration of Araguari and nine other Brazilian municipalities, resulting in the deletion of critical data, including population registries, and the disruption of inter-departmental communications. The incident primarily impacted municipal accounting systems, with recovery efforts expected to take up to ten days. The affected municipalities' shared service provider is working to restore operations. No data exfiltration occurred. In response, Araguari announced plans to enhance data protection measures through cloud backups and redundant systems to mitigate future risks, while local authorities investigate the incident.


Description

On October 22, 2023, a cyberattack disrupted municipal operations in Araguari, Brazil, and nine other municipalities sharing the same service provider. The attackers deleted data from municipal management systems, causing widespread operational paralysis. Critical functions affected included inter-departmental communication, municipal accounting systems, and citizen registration databases. The Araguari city government reported complete loss of general population records, severely impacting public service delivery. Technical staff worked continuously to restore systems, with full recovery estimated to require up to 10 days. By October 24, some affected municipalities had partially restored functionality. Forensic analysis confirmed no data exfiltration occurred—only deletion. The incident forced suspension of financial operations like expenditure authorizations (empenhos) and disrupted all electronic document exchanges between city departments. Civil Police initiated an investigation to identify perpetrators, though no attribution claims emerged. In response, Araguari's administration announced plans to implement enhanced security measures including cloud-based backups and redundant systems to prevent future data loss.


Separately, Brazilian internet service providers faced coordinated DDoS attacks beginning October 20, 2023, coinciding with cyberactivist group IRoX Team's declared "cyber war" against Israel's supporters. The InternetSul Association reported thousands of providers experiencing service instability, particularly in southern states where some users endured over two hours of complete outage. While national infrastructure monitoring points (IX.br) and telecom regulator Anatel detected no significant anomalies, regional providers documented intermittent connectivity and performance degradation. The Brazilian Association of Internet Providers (Abrint) noted increased DDoS extortion attempts involving Bitcoin ransom demands over preceding months, though no direct linkage to the IRoX campaign was confirmed. Affected providers implemented mitigation tools, registered police reports detailing attack timelines and user impact, and maintained customer communication regarding restoration efforts. Simultaneous attacks targeted multiple global entities including US county networks, Canadian healthcare systems via provider TransForm, Chilean telecom infrastructure at Grupo GTD, and French/Italian healthcare facilities during this period, though no technical evidence connected these incidents to the Brazilian municipal or ISP attacks.
