In case you’re unaware, there’s significant unrest in Venezuela. The country has had political and civil unrest for years, but recently came under increased global scrutiny due to the continued collapse of its economy, and its worsening living conditions. Its people have suffered from power outages, water shortages and lack of toilet paper, food, and medicine. Opponents of President Nicolás Maduro blame these conditions on his government and corruption.
The presidency of Nicolás Maduro is considered by a number of states to be a dictatorship. In late January, Juan Guaidó organized an opposition movement and declared the government of Nicolás Maduro to be invalid. Based on an interpretation of Article 233 of the Constitution of Venezuela, Juan Guaidó also declared himself as acting president of Venezuela.
At the time of publishing this article, Nicolás Maduro and Juan Guaidó both claim to be the president of Venezuela. However, Maduro remains in control of key assets including the media, military, police, and the state-run oil company Petróleos de Venezuela, S.A., or PDVSA.
Fifty-four countries, including the United States and most of the European Union, publicly recognized the presidency of Guaidó. Meanwhile, countries such as Russia, China, Iran and Turkey support Maduro. Venezuelans are caught in the middle of an increasingly volatile situation.
This political environment has driven underground market behavior, much of which is perpetrated on the dark net and other underground forums. GroupSense’s research team has been tracking illicit activity on the dark web related to the civil unrest and unstable political environment in Venezuela and has noticed an increase in fraud and apparent breaches, as well as sales of stolen property, intellectual property and data.
These incidents include:
- Breaches of Venezuelan government institutions;
- Leaks of voter data;
- Leaks of military logistics; and
- Potential leverage of the dark net and bitcoin to exfiltrate money from state-owned oil companies.
Let’s start with PDVSA. It appears there is an organized effort (or scam) to sell shares in the state-owned oil conglomerate Petróleos de Venezuela, S.A. (PDVSA), of which Citgo is a wholly-owned subsidiary. Much of the country’s wealth is concentrated in PDVSA’s oil reserves, which are the largest in the world. The online actors are offering “shares” in PDVSA and propagating ad pitches like “become an OIL tycoon” and “Want to become a shareholder in PDVSA?” The transactions happen through anonymous email and cryptocurrency exchanges, followed by a promise letter on company letterhead confirming the transaction.
While this is likely a scam, other observed activity indicates there may be legitimate aspects to the offers. GroupSense also observed fraud kits for obtaining free petrol, indicating that someone inside PDVSA is likely involved. If this were not a scam, it would be a plausible way to capitalize on the state’s assets without obvious exfiltration of state funds. While the site explicitly states they are not “for Maduro,” Maduro and his colleagues would stand to benefit from these transactions.
Our researchers have been tracking a threat actor group believed to operate out of Latin America, with ties to Russian and Ukrainian threat actors. This group is active and typically offers high-quality, accurate leak and fraud data. Below is a screenshot from a popular illicit forum explaining how to obtain free petrol (gasoline) from PDVSA facilities.
The actor on the forum states, “This system will allow you to generate codes with amounts of $ 50 to $ 60 dollars together with the company citgo the oil industry ‘PDVSA’ in Venezuela facilitates us to generate codes that can be sold or manage those you want.”
This same threat group has offered for sale critical Venezuelan military secrets, allegedly culled from a hacked Venezuelan Air Force database. This data purportedly includes military personnel records, information about military bases, data on users communicating via VoIP, and information about specific military units and defense staff.
This threat actor group is also attempting to sell other breached data that allegedly includes classified files such as Venezuelan aviation, army and police databases and medical records of doctors and patients; information about the president; insurance databases; and a database containing information about participants and elector centers from the 2017 elections.
Another actor has recently dumped critical voter data from a 2018 database containing 19 million records.
While government breaches are not new for Venezuela or any other nation, the frequency and number of successful breaches affecting Venezuela seem to have escalated in the last year. Our team has observed an average of seven institutional breaches each in Mexico, Argentina, Ecuador and Colombia, while Venezuelan institutions have suffered more than 17 successful breaches.
Regardless of motivation, the civil unrest in Venezuela has made it a target, and perhaps an easier one at that. The distraction caused by the current political climate has likely weakened security through neglect, lack of resources, and loss of pride and ownership of outcomes, opening the door to disloyal insider activity. Further, external parties motivated by an interest in exacerbating the unrest, or in profiting from Venezuela’s fragile condition, could be exploiting existing vulnerabilities. Access to these data sets could also play a role in manipulating the state and its citizens. Knowledge is power, and in Venezuela, the data (power) is available to the highest bidder.
Governments must take an active stance in using cyber threat intelligence services to improve their information security and get ahead of threats like the ones Venezuela faces today. GroupSense is a proven and trusted partner to many governments and organizations critical to government infrastructure. Learn more about how we can help.