Cyber Incident Victim: Andrade Gutierrez
Date: Sep 2022
Location: Brazil
Summary
A Brazilian multinational conglomerate suffered a significant data breach involving the theft of 3TB of corporate and employee information by the Dark Angels hacking group. The compromised data included emails, names, passport details, payment information, tax IDs, health insurance records of over 10,000 employees, and sensitive blueprints for major infrastructure projects such as ports, airports, and facilities used in international sporting events. Attackers exploited an unpatched server vulnerability to access municipal and state tax authority credentials hidden within emails. The organization, which had previously settled corruption charges related to a major scandal, declined to comment on the incident despite evidence of the breach being shared with media outlets.
Description
In September–October 2022, hackers identifying as Dark Angels breached servers belonging to Brazilian engineering conglomerate Andrade Gutierrez, exploiting an unpatched vulnerability to exfiltrate approximately 3TB of corporate and employee data. The stolen data included internal emails containing embedded passwords potentially granting access to municipal and state tax authority accounts, alongside sensitive employee records such as names, email addresses, passport details, payment information, tax ID numbers, and health insurance data for over 10,000 individuals. The attackers also extracted confidential project blueprints detailing infrastructure developments managed by the company, including ports, airports, and facilities constructed for the 2014 FIFA World Cup and 2016 Olympic Games in Brazil. The breach remained unresolved as of March 2023, with the initial vulnerability reportedly still unpatched. Dark Angels shared a 15GB sample of the stolen data with The Brazilian Report to substantiate their claims, though Infosecurity Magazine could not independently verify the dataset’s authenticity.

The incident exposed significant operational and reputational risks for Andrade Gutierrez, a multinational firm with over 200,000 employees and multibillion-dollar revenue streams across infrastructure, energy, and transport sectors. Compromised employee credentials and tax authority access pathways raised concerns about secondary fraud or regulatory breaches, while the theft of proprietary construction blueprints threatened competitive and contractual security. The breach compounded existing reputational challenges for the conglomerate, which had previously settled a $381 million corruption fine in 2018 related to Brazil’s Lava Jato scandal involving high-profile political figures. Andrade Gutierrez did not publicly acknowledge the cyberattack or provide details on containment measures, incident detection methods, or system recovery efforts. A company spokesperson declined to comment when contacted by Infosecurity Magazine, leaving the scope of operational disruptions and remediation actions unconfirmed.
