Cyber Incident Victim: Comisión Nacional de Valores

Date:

Jun 2023

Location:

Argentina

Summary

A cybersecurity incident involving ransomware, specifically the Medusa variant, compromised the Comisión Nacional de Valores. The attack resulted in the takeover of computer equipment and forced the organization's platforms offline. In response, systems were isolated to prevent further propagation. Public information submitted by regulated entities via its primary communication channel was accessed. Recovery efforts to gradually restore full operational services are ongoing, and a criminal complaint will be filed to investigate the attack's origin.


Description

On June 7, 2023, the Comisión Nacional de Valores (CNV) of Argentina detected a cybersecurity incident on its systems. The attack was identified as being carried out using malicious code of the ransomware type, specifically identified as Medusa. This malware had successfully taken control of a number of the organization's computer equipment. As a direct consequence of the attack, the CNV's online platforms were taken offline and rendered inoperable, disrupting the primary digital services of the national securities regulator.


Immediately upon detection, the CNV's incident response protocol was activated. The primary initial response action involved the isolation of the compromised computer equipment. This step was deemed critical to contain the threat and prevent the lateral movement of the malicious code within the organization's network. Furthermore, all external communication channels were severed to eliminate any potential pathways for the ransomware to propagate to external systems or for data to be exfiltrated. This containment strategy successfully brought the incident under control by cordoning off the affected systems from the rest of the network infrastructure.

Following the successful isolation and control of the attack, work commenced on the gradual restoration of services. The recovery process was implemented in a phased manner with the objective of achieving a full return to normal operations. This process was described as ongoing at the time of the public announcement, indicating a methodical approach to ensuring systems were clean and stable before being brought back online. The prioritization of services was guided by operational needs, with a focus on reestablishing critical functions to minimize the impact on the financial markets the CNV regulates.

The impact of the incident was primarily operational, with the agency's main platforms rendered unavailable. Regarding the data involved, the information that was accessed by the attackers was characterized as public information. This data is routinely submitted by regulated entities into the Autopista de Información Financiera (Financial Information Highway), which serves as the principal communication channel between the CNV and the entities it oversees. The compromise was therefore limited to information already in the public domain and did not include sensitive non-public or personal data.

Despite the disruption to its digital platforms, the CNV maintained its core regulatory functions. The institution continued to process and approve submissions from regulated entities, including securities issuances and other procedures. These approvals were handled on a case-by-case basis according to the specific needs of each request, ensuring that market activities could continue with minimal interruption while the technical recovery was underway.

In response to the criminal nature of the attack, the CNV announced its intention to file a formal criminal complaint with the judicial authorities. This legal action, scheduled for the day following the initial announcement, was aimed at initiating an official investigation to determine the origin of the attack and to establish legal responsibility for the incident. This step underscored the treatment of the event not just as a technical failure but as a deliberate criminal act requiring law enforcement intervention. The public disclosure of the attack was factual and focused on the actions taken, providing assurance that the situation was under control while acknowledging the continued efforts toward full recovery.
