Blind Eagle, a new APT group, poses as Colombia’s Cyber Police to steal business secrets

The group is carrying out attacks against Colombian government agencies, financial companies and corporations with a presence in Colombia.

Cyberwar is intensifying in South America.

A new hacking group researchers have dubbed Blind Eagle is carrying out targeted attacks against Colombian government agencies, financial companies and corporations with a presence in Colombia.

Blind Eagle has been active since April 2018, posing as Colombian institutions like the National Cyber Police and the Office of the Attorney General to steal intellectual property, according to research published this week by the 360 Enterprise Security Group, which is affiliated with the Chinese security giant Qihoo 360.

Researchers from 360 did not specifically identify the suspects who might be behind the group, which is also referred to as APT-C-36. But they suggested the attacks originated in South America, based on the timing the attacks were sent and the use of the Spanish language in the malware, among other factors.


“[This] APT attack could probably be carried out by neighboring countries,” researchers said. “The background of the victims and duration of the attack indicate the attacker keeps concerned with strategic-level intelligence for a long time.”

Attackers targeted Colombia’s National Institute for the Blind, the Bank of Colombia and a number of energy companies in the country. They also forged information from U.S. companies including Chevron, Energizer, Abbott Laboratories and auto insurance provider Progressive to make themselves seem more legitimate.

The most recent attack outlined in the research occurred on Feb. 14. The phishing email appeared to come from the Colombian National Civil Registry, and was aimed at the National Institute for the Blind.

“After analyzing the mail, we found that the attacker used approaches such as proxy and VPN to hide its PD address when sending emails,” researchers stated. “So the sender’s real IP has not yet been obtained, only to figure out that these messages are sent through [internet database connectors] in Florida.”

Colombia previously was hit with a cyber-espionage campaign known as Machete, first discovered by Kaspersky Lab in 2014. That APT effort targeted numerous countries in South America and worldwide, exfiltrating 100GB of data from 300 victims, according to Cylance. The campaign still was active in 2017.


The report comes after Motherboard detailed how hackers allegedly affiliated with the Venezuelan government tried luring activists into compromising email and social media credentials.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts