Sustained Regional Espionage Campaign

Recorded Future intelligence analysis has identified TAG-144, an advanced persistent threat group, conducting sustained cyber espionage operations against organizations across South America. The group has maintained persistent access to target networks through sophisticated infrastructure utilizing Colombian internet service providers and VPN services to mask their operations.

Infrastructure Analysis and Attribution

Technical analysis reveals that TAG-144 operations utilize a combination of TorGuard VPN servers and IP addresses associated with Colombian ISPs, including Colombia's primary telecommunications provider. This infrastructure configuration suggests either regional operational presence or deliberate geographic targeting of South American networks and organizations.

The group's persistent access to target organizations indicates advanced operational security and sophisticated persistence mechanisms designed to maintain long-term access for intelligence collection. The multi-year nature of these operations points to state-sponsored or state-directed activity rather than criminal financial motivation.

Target Selection and Intelligence Objectives

Analysis of TAG-144 targeting patterns reveals a focus on organizations with potential intelligence value related to regional political, economic, and security matters. The sustained nature of these operations suggests systematic intelligence collection requirements rather than opportunistic cybercriminal activity.

The group's operational patterns indicate a sophisticated understanding of South American organizational structures and communication patterns, suggesting either regional expertise or extensive preliminary reconnaissance to support targeting decisions.

Operational Security and Evasion Techniques

TAG-144 demonstrates advanced operational security through the use of legitimate VPN services and regional ISP infrastructure to blend malicious traffic with normal internet activity. This approach significantly complicates attribution and detection efforts by target organizations and regional cybersecurity agencies.
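As an added defensive illustration (not part of the Recorded Future analysis), the following Python enriches constructed authentication log lines against a placeholder provider table so that successful logins arriving through commercial VPN egress stand out from ordinary ISP traffic, which is the blending problem described above. The IP prefixes are RFC 5737 documentation ranges and the provider names are assumptions, not real TorGuard or ISP allocations; in practice the table would be fed from ASN and VPN-egress intelligence.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed provider table (RFC 5737 documentation prefixes as placeholders).
# Tuple: (network, provider label, is commercial VPN egress?)
PROVIDER_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "vpn-provider-A", True),
    (ipaddress.ip_network("198.51.100.0/24"), "regional-isp-B", False),
    (ipaddress.ip_network("192.0.2.0/24"), "corporate-egress", False),
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = """\
2024-01-03T08:12:01Z user=jgomez src=192.0.2.15 result=success
2024-01-03T22:47:13Z user=jgomez src=203.0.113.77 result=success
2024-01-04T03:05:44Z user=jgomez src=203.0.113.78 result=success
2024-01-04T09:30:00Z user=mruiz src=198.51.100.9 result=success
2024-01-04T09:31:12Z user=mruiz src=198.51.100.9 result=failure
""".splitlines()


def enrich(src):
    """Map a source IP to (provider, is_vpn); unknown addresses get ('unknown', False)."""
    addr = ipaddress.ip_address(src)
    for net, provider, is_vpn in PROVIDER_TABLE:
        if addr in net:
            return provider, is_vpn
    return "unknown", False


def parse(line):
    """Parse one log line into a dict with provider enrichment, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["provider"], rec["is_vpn"] = enrich(rec["src"])
    return rec


def flag_vpn_logins(lines):
    """Return {user: [src, ...]} for successful logins that arrived via VPN egress."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["result"] == "success" and rec["is_vpn"]:
            hits[rec["user"]].append(rec["src"])
    return dict(hits)


if __name__ == "__main__":
    for user, srcs in flag_vpn_logins(SAMPLE_LOGS).items():
        print(f"{user}: {len(srcs)} VPN-egress login(s): {', '.join(srcs)}")
```

A single VPN-egress login is weak evidence on its own; the useful signal is a user whose successful sessions switch from their usual corporate or ISP provider to a VPN provider, so the enrichment is meant to feed a per-user baseline rather than fire as a standalone alert.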

The group's ability to maintain persistent access across multiple organizations suggests sophisticated techniques for avoiding detection by standard security monitoring systems and incident response procedures commonly deployed by targeted organizations.