Date: Mar 2019

Location: Venezuela

Summary

A cyber-espionage group known as Machete conducted targeted attacks against the Venezuelan military, deploying spear-phishing emails containing malicious radiogram documents stolen from prior operations to deliver a backdoor trojan. The malware facilitated the theft of sensitive geographic information system files detailing military navigation routes and grid positions, with over half of the infected devices belonging to the victim's armed forces. The campaign represented a shift in the group's focus toward Latin America, also affecting neighboring countries' military entities, and utilized updated malware infrastructure distinct from earlier variants observed in previous global operations.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 2 techniques

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

Between March and May 2019, the advanced persistent threat group Machete conducted a cyber-espionage campaign primarily targeting Venezuelan military entities. ESET researchers observed at least 50 infected computers communicating with Machete's command-and-control servers during this period, with approximately 75% of these infections located in Venezuela. More than half of the compromised systems belonged to Venezuelan military organizations. The attackers employed spear-phishing emails containing malicious attachments, predominantly radiograms—authentic military communication documents stolen during prior operations. When opened, these files deployed Machete's custom backdoor trojan, enabling data exfiltration. The group specifically targeted geographic information system (GIS) files detailing military navigation routes, positioning data, and grid references, indicating strategic interest in terrain intelligence. Beyond Venezuela, the campaign also affected Ecuadorian military networks, demonstrating regional targeting patterns. ESET noted the group's operational shift toward Latin American targets in 2019, contrasting with their historically broader global focus since 2010.


Machete utilized an updated version of their malware distinct from variants analyzed by Kaspersky in 2014 and Cylance in 2017, though retaining core information-stealing functionalities. The new iteration maintained comparable command-and-control infrastructure but featured modifications in delivery mechanisms, code structure, and targeting specificity. Unlike previous campaigns that distributed generic malicious documents, this operation leveraged legitimate stolen military correspondence to enhance phishing credibility. The compromised systems provided persistent access to sensitive military GIS data, potentially exposing tactical movement patterns and strategic positioning information. ESET's report did not document mitigation efforts by Venezuelan authorities but highlighted the group's continued operational refinement, particularly their adaptation of authentic documents to bypass security controls. The incident underscored persistent threats to military networks in geopolitically sensitive regions through socially engineered attacks exploiting trusted communication formats.
