Adversary behavior in Latin America (LATAM) reflected innovation and tactical changes in the first half of the year, altering both the focus and the methods of attacks. For instance, LATAM saw a continued shift away from volumetric attacks toward direct-path, botnet-based TCP attacks (a 125 percent increase in TCP ACK floods), a trend seen globally since early 2021.
Likewise, adversaries shifted behavior when attacking vertical industries. Wired telecommunications carriers have always been a major target for DDoS attacks, predominantly driven by adversaries who target gamers. Although we’ve seen a decrease in attacks against both wired (-43 percent) and wireless (-17 percent) telecommunications, these two sectors are nearly equal in terms of being targets of choice by adversaries. The wireless vertical nearly topped the target list; if the trend continues into Q3, we may witness these two swap places for the first time since we began tracking these metrics. This could relate to gamers, who increasingly adopt 5G and use mobile hotspots if Wi-Fi is spotty or unavailable, or it could just reflect an increase in 5G devices as service providers continue to expand coverage.
Finally, we saw an increase in the number of attacks that target both the financial sector and religious organizations. This trend likely stems from geopolitical issues. It should also be noted that religion plays an important role within LATAM—especially in Brazil, where most attacks occur. It comes as no surprise, then, that an increase in attacks on religious institutions coincides with important political events. But it is not just politics and religion that affect the cyber landscape. Even large entertainment events and conferences can send waves rippling through the internet. In fact, one noteworthy spike in DDoS attacks occurred right when Rio Carnival began and multiple large industry conferences were hosted in the country.
Changes in the financial services market throughout the region have not gone unnoticed by attackers, who ramped up attacks targeting commercial banking and card issuers.
Botnets and direct-path attacks have become the favored weapon of choice by adversaries focused on the LATAM region, which places these attacks in a class of their own.
Political tensions in Colombia spilled over into the cyberworld, with DDoS attacks corresponding to political events occurring there.
LATAM Data was drawn from…
By The Numbers
Despite seeing attacks in more than 45 countries within LATAM, five countries account for most of these attacks: Argentina (~3 percent of daily attacks), Brazil (~50 percent of daily attacks), Belize (~15 percent of daily attacks), Colombia (~15 percent of daily attacks), and Mexico (~10 percent of daily attacks). The remaining countries in LATAM together account for only ~7 percent of attacks.
Many times, the spikes we see in the DDoS threat landscape coincide with events that take place elsewhere in the world, including sporting events, elections, and other political activities. As an example, the graph below illustrates a spike in Belize on February 24 that coincides with the Belizean government's condemnation of the Russian invasion of Ukraine. In fact, previous assessments and articles show that supporters of Ukraine have been targeted by cyberattacks in retaliation.
Brazil and Belize are not the only countries to suffer attacks because of political events and actions. In mid-June, Colombia experienced a significant increase in attacks that coincided with its presidential elections. Coincidence? Doubtful, considering that in August, Colombia nearly surpassed Brazil for DDoS attacks. This spike corresponded to a great deal of political upheaval related to the repression of a national strike and presidential election fallout.
Interestingly, countries in the LATAM region did not follow all the same global trends. For instance, there was a significant increase in DNS-based attacks in Q1 for this region, while the rest of the world maintained a steady decline.
There also was a surge in L2TP, ISAKMP, and OpenVPN attacks, all of which represent secure communications protocols—a trend not completely shared by the rest of the world. In the past, we have witnessed adversaries using specific protocols—think SIP or L2TP—to mask their malicious behavior and smuggle attack traffic past access control lists (ACLs) and other boundary defensive measures.
Although some vectors did not conform to the global norm, one of the more significant changes that did conform is the continued increase in TCP-based attacks sourced from botnets and direct-path attack infrastructure (TCP ACK, TCP RST, TCP SYN, and TCP SYN/ACK amplification).
NOTE: Many attacks are multi-vector and include both TCP and UDP vectors or some other combination. The graphic above is intended to show the proportion of distinct vectors used in attacks, so a multi-vector attack is counted once for each vector it uses.
Breaking attacks down further by vector makes clear just how pervasive botnet and direct-path attacks have become in LATAM. By the end of June, these attacks stood in a class of their own.
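As an added example (not code from the report or from NETSCOUT's tooling), the following Python tallies distinct attack vectors per attack from sampled flow records and computes the per-vector proportions and the share of attacks that include a TCP direct-path vector, counting a multi-vector attack once per vector as the note above describes. The flow records are constructed, and the port-to-vector mapping and TCP flag encoding are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of flow records (not real telemetry). Each record is
# (attack_id, proto, src_port, dst_port, tcp_flags, bytes); tcp_flags uses
# S=SYN, A=ACK, R=RST, SA=SYN/ACK as an assumed encoding.
SAMPLE_FLOWS = [
    ("a1", "tcp", 40001, 443, "A", 60),
    ("a1", "tcp", 40002, 443, "A", 60),
    ("a1", "udp", 53, 443, "", 1400),    # reflected DNS: source port 53, large payload
    ("a2", "tcp", 51000, 80, "S", 60),
    ("a2", "tcp", 51001, 80, "SA", 60),  # reflected SYN/ACK from a spoofed-SYN victim
    ("a3", "udp", 1701, 1701, "", 120),  # L2TP
    ("a3", "udp", 500, 500, "", 200),    # ISAKMP
    ("a3", "udp", 1194, 1194, "", 300),  # OpenVPN
    ("a4", "tcp", 6000, 25, "R", 60),
    ("a4", "tcp", 6001, 25, "A", 60),
    ("a5", "tcp", 7000, 22, "S", 60),
]

# Assumed port and flag mappings for the vectors named in the report.
UDP_VECTORS = {53: "DNS amplification", 1701: "L2TP", 500: "ISAKMP", 1194: "OpenVPN"}
TCP_VECTORS = {"S": "TCP SYN", "A": "TCP ACK", "R": "TCP RST", "SA": "TCP SYN/ACK amplification"}

def classify(flow):
    """Map one flow record to a vector label."""
    _, proto, sport, dport, flags, _ = flow
    if proto == "tcp":
        return TCP_VECTORS.get(flags, "TCP other")
    if proto == "udp":
        return UDP_VECTORS.get(sport, UDP_VECTORS.get(dport, "UDP other"))
    return "other"

def vectors_per_attack(flows):
    """Set of distinct vectors seen in each attack."""
    per = defaultdict(set)
    for f in flows:
        per[f[0]].add(classify(f))
    return dict(per)

def vector_proportions(flows):
    """Percent of attacks in which each vector appears; sums above 100 when attacks are multi-vector."""
    per = vectors_per_attack(flows)
    counts = Counter(v for vs in per.values() for v in vs)
    return {v: round(100 * c / len(per), 1) for v, c in counts.items()}

def multivector_share(flows):
    """Percent of attacks using more than one vector."""
    per = vectors_per_attack(flows)
    return round(100 * sum(len(vs) > 1 for vs in per.values()) / len(per), 1)

def tcp_share(flows):
    """Percent of attacks that include any TCP (botnet / direct-path) vector."""
    per = vectors_per_attack(flows)
    return round(100 * sum(any(v.startswith("TCP") for v in vs) for vs in per.values()) / len(per), 1)
```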
Except for a huge spike in DNS-based attacks at the start of 2022, all other vectors aligned, growing and shrinking along the same trend line. The graph below shows a correlation between DNS and UDP-based attacks that is likely due to multi-vector attacks.
Despite many of the top-targeted sectors in LATAM seeing double-digit decreases in attacks, the region as a whole still experienced a 19 percent increase in attacks overall.
One contributor to that increase comes from the financial sector. Commercial banking saw a 63 percent increase in attacks, while credit card issuing went from 0 to 350+ attacks in 1.5 years. Interestingly, the growth in cyberattacks may directly correspond to the growth of the commercial banking industry in LATAM; however, it is also possible that DDoS attacks are being used as a smokescreen for other types of intrusion events.
A final concern is the ever-growing number of attacks against religious organizations in Latin America—especially in Brazil, where NETSCOUT has tracked a continuous increase in attacks against religious organizations since 1H 2021. Some of the peaks coincide with geopolitical and religion-adjacent events. TCP-based attacks (TCP SYN, ACK, RST, and SYN/ACK amplification) account for nearly 60 percent of all attacks in this sector, likely indicating that adversaries prefer to use botnets and direct-path attacks. Notably, Brazil has always had an extremely high concentration of botnet activity sourced and directed at entities within Brazil, something of an internal ecosystem of botnets.
Note: Industry data and attack counts are based on a sampling of our data and aligned to the North American Industry Code database, which often includes limited labeling in other regions.