Cyber Incident Victim: Government of Brazil
Date: Sep 2022
Location: Brazil

Summary
A ransomware group known as Everest claimed responsibility for exfiltrating approximately 3TB of highly sensitive data from the Brazilian government's systems, including passports, national identity documents, tax records, and personal details such as addresses and birthdates. The attackers published samples of compromised passports on their leak site and allegedly attempted to sell the stolen data, though the breach remained unverified by authorities. This incident followed prior attacks by the same group against the victim, leveraging tactics like network access sales and ambiguous leak threats to pressure ransom payments.
Description
In early September 2022, the Everest ransomware group claimed responsibility for a cyberattack against the Brazilian federal government, specifically targeting the gov.br network—a central platform for government services. The group announced the theft of over 3TB of sensitive data, which they later listed for sale on their leak site. According to their post, the compromised data included passports, CPF (Cadastro de Pessoas Físicas) tax numbers, RG (Registro Geral) identity documents, tax records, addresses, dates of birth, and full names. Screenshots of Brazilian passports were published by the threat actors to substantiate their claims, though the Brazilian government did not publicly confirm the breach at the time. DarkFeed, a dark web intelligence monitor, first observed Everest offering the 3TB dataset at the start of September, though the exact nature of the data remained unclear until the group’s leak site update. The incident marked a continuation of Everest’s targeting of Brazilian government entities, following a 2021 attack on the National Treasury.

The stolen data types posed severe risks of identity theft, financial fraud, and espionage due to their inclusion of biometric identifiers (fingerprints), tax information, and nationally recognized identity documents. Everest employed double-extortion tactics, threatening to leak the data unless a ransom was paid while simultaneously monetizing access to the breached networks. The group had previously been noted for innovating this approach, including selling network access to other malicious actors. Despite media outreach by Cybernews, the Brazilian government did not issue a public statement or confirmation regarding the breach’s validity or scope by the time of reporting. The lack of disclosure left the extent of operational disruption or containment efforts unclear, though the sheer volume of exfiltrated data suggested significant exposure across citizen and governmental systems. Historical context indicated Everest’s operations since 2018, with a Russian-speaking affiliation and a pattern of high-impact attacks on public sector infrastructure.
