Cyber Incident Victim: Autoridad para la Reconstrucción con Cambios
Date:
Mar 2023
Location:
Peru
Summary
A Peruvian reconstruction agency responsible for rebuilding infrastructure damaged by El Niño was listed on a leak site operated by the Dark Power ransomware group, which claimed responsibility for an attack. The agency had no public acknowledgment or response to the incident on its platforms, with Peru’s National Center for Digital Security confirming it would coordinate with the entity to address the reported security breach following external notification. Dark Power provided no interactive communication channels despite offering data access via Tox, hindering independent verification of the claimed compromise.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or about March 9, 2023, the Dark Power ransomware group publicly claimed responsibility for a cyberattack against Peru’s Autoridad para la Reconstrucción con Cambios (ARCC), an agency tasked with leading reconstruction efforts following infrastructure damage caused by the El Niño Costero phenomenon across 13 regions. Dark Power listed ARCC on its leak site, marking one of the group’s earliest known operations since its emergence. The attackers invited potential buyers to contact them via Tox to download stolen files, though no samples or specific data types were publicly disclosed at the time. DataBreaches.net observed the listing and attempted to contact Dark Power through Tox to verify the claims but received no response due to the group’s offline status during outreach attempts. Concurrently, DataBreaches emailed ARCC’s official communications channels on March 9 to inquire about the incident but received no reply. No public statements, incident notifications, or service disruption alerts appeared on ARCC’s website or social media platforms following the leak site publication, leaving the claim unverified by the agency itself.
Peru’s National Center for Digital Security (CNSD) acknowledged the incident after DataBreaches escalated the alert to them, responding that they would coordinate with ARCC to address the reported security incident. This CNSD response, documented on March 9, constituted the only official acknowledgment linked to the attack, though no further details about investigation timelines, forensic findings, or mitigation measures were disclosed publicly. Dark Power did not subsequently release substantive proof of data exfiltration—such as file samples, database excerpts, or operational disruption evidence—through its leak site or other channels during the period covered by available reporting. The lack of transparency from ARCC regarding the intrusion’s scope, including potential access to reconstruction project data, beneficiary information, or internal communications, left the severity and legitimacy of the breach unresolved. No reports of data misuse, financial demands, or secondary leaks attributable to the incident emerged in subsequent public disclosures by threat actors or Peruvian authorities.