The Military Industries State Corporation (Fabricaciones Militares Sociedad del Estado), Argentina’s state-owned arms manufacturing conglomerate, has confirmed a disruptive cyberattack attributed to the MONTI ransomware group.
The incident marks one of the most severe breaches of South America’s defense-industrial infrastructure, raising alarms about vulnerabilities in critical national security networks.
MONTI Ransomware’s Adaptive Encryption Schema
According to the post from FalconFeeds.io, the attackers deployed a Linux-variant MONTI ransomware optimized for VMware ESXi virtualization platforms, a common infrastructure component in industrial systems.

Forensic analysis reveals MONTI employed AES-256-CTR encryption with a hybrid key management system, where cryptographic keys are split between local encryption and attacker-controlled servers.
Files between 1.048 MB and 4.19 MB had only their first 100,000 bytes encrypted, while smaller files were encrypted in full—a tactic designed to maximize disruption while conserving operational resources.
Encrypted files now carry the “.MONTI” extension, with a 256-byte attacker-specific key blob appended to each file.
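For responders triaging affected hosts, the following added example (not from the report or from any vendor tooling) turns the scheme described above into a file classifier: it strips the appended 256-byte key blob, infers the original file size, and reports which byte range the partial-encryption rule leaves as untouched, potentially recoverable plaintext. The band limits are read as 1 MiB and 4 MiB, behaviour for files above the band is left as unknown since the report does not describe it, and the sample artifact is constructed.

```python
import math, random
from collections import Counter

MONTI_EXT = ".MONTI"
KEY_BLOB_LEN = 256          # attacker-specific key material appended to each file (per the report)
PARTIAL_HEAD_LEN = 100_000  # bytes encrypted at the start of mid-size files (per the report)
BAND_LOW = 1_048_576        # report's "1.048 MB", read as 1 MiB (assumption)
BAND_HIGH = 4_194_304       # report's "4.19 MB", read as 4 MiB (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for typical plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_monti_file(blob: bytes, name: str) -> dict:
    """Split off the key blob, infer the original size, and report which byte range
    the described scheme leaves as plaintext (useful for carving and recovery planning)."""
    if not name.endswith(MONTI_EXT) or len(blob) < KEY_BLOB_LEN:
        return {"monti": False}
    body = blob[:-KEY_BLOB_LEN]
    size = len(body)
    if size < BAND_LOW:
        mode, enc = "full", size
    elif size <= BAND_HIGH:
        mode, enc = "partial-head", min(PARTIAL_HEAD_LEN, size)
    else:
        mode, enc = "unknown", 0  # behaviour above the band is not described in the report
    tail = body[enc:] if mode != "unknown" else b""
    return {
        "monti": True,
        "original_size": size,
        "mode": mode,
        "encrypted_bytes": enc,
        "plaintext_tail_bytes": len(tail) if mode != "unknown" else None,
        "head_entropy": round(shannon_entropy(body[:PARTIAL_HEAD_LEN]), 2),
        "tail_entropy": round(shannon_entropy(tail), 2) if tail else None,
    }


def make_sample_artifact(original_size: int, seed: int = 7) -> bytes:
    """Constructed test input (not a real sample): random bytes stand in for the encrypted
    head, a repeating CAD-like text line stands in for the untouched remainder."""
    rng = random.Random(seed)
    line = b"LAYER 01; LINE 0,0 100,100\n"
    enc_len = original_size if original_size < BAND_LOW else min(PARTIAL_HEAD_LEN, original_size)
    tail = (line * (original_size // len(line) + 1))[: original_size - enc_len]
    return rng.randbytes(enc_len) + tail + rng.randbytes(KEY_BLOB_LEN)
```

A high head entropy next to a low tail entropy on a mid-size file is the signature a responder would expect from this scheme; a high tail entropy instead means the file was already compressed or encrypted before the attack, or the scheme differs from the one reported.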
The ransomware’s codebase overlaps significantly with the notorious Conti group’s leaked source code, including identical ransom note templates and dual Tor-based leak/negotiation sites.
Security researchers noted MONTI’s operators likely exploited unpatched vulnerabilities in FM’s legacy industrial control systems (ICS), which managed production lines for small arms like the FMK-3 submachine gun and FARA 83 assault rifle.
Operational Impact on Argentina’s Defense Ecosystem
Fabricaciones Militares, founded in 1941 to bolster Argentina’s wartime self-sufficiency, remains a linchpin of the nation’s Defense Industrial and Technological Complex (DITC).
The attack halted production at its Domingo Matheu small arms facility in Buenos Aires, delaying deliveries under the FONDEF National Defense Fund-backed contracts.
Of particular concern is the potential exfiltration of blueprints for next-generation platforms, including the TAM 2IP main battle tank upgrade and the Cicaré CH-14 Aguilucho helicopter.
Argentina’s Cybersecurity Agency (Unidad Fiscal Especializada en Ciberdelincuencia) confirmed threat actors accessed sensitive procurement documents, including NATO-interoperability assessments for the 155mm CALA 30 artillery system.
While MONTI’s data leak portal currently lists no victims, their dark web communiqué taunts FM’s management for “insufficient cooperation,” suggesting ongoing extortion negotiations.
Government Response and Mitigation Protocols
The Ministry of Defense activated Article 12 of Ministerial Resolution 1612/2022, invoking emergency procurement clauses to prioritize domestic suppliers for ICS hardening.
CITEFA (Armed Forces Scientific and Technical Research Institute) has been tasked with auditing encryption resilience across DITC nodes, leveraging Argentina’s indigenous Lipán M3 UAV fleet for air-gapped data backups.
President Santiago Cafiero’s administration faces scrutiny over FM’s outdated IT infrastructure, despite 2023 allocations of $47 million under the FONDEF modernization initiative.
Crisis responders from Digital Recovery, a firm specializing in ransomware decryption, are utilizing proprietary RAID-6 parity reconstruction tools to recover partial datasets, though critical artillery schematics remain encrypted.
Strategic Implications and Threat Landscape
MONTI’s targeting of Fabricaciones Militares aligns with a 2024 INTERPOL alert warning of ransomware gangs pivoting to defense contractors in geopolitically neutral states.
The attack’s technical sophistication—including VMware kernel module exploits—suggests state-sponsored or hybrid actor involvement, though attribution remains inconclusive.
Argentina’s reliance on legacy Windows Server 2012 R2 instances at FM, despite CITEFA-developed alternatives, highlights systemic cyber hygiene gaps.
The Defense Ministry now mandates FIPS 140-3 compliant encryption for all R&D data and has accelerated the Cóndor Project for a sovereign defense cloud.
Recommendations for Defense Industrial Base (DIB) Entities
- Air-gapped backups: Deploy offline storage for ICS firmware and CAD/CAM files, as MONTI’s lateral movement tactics target network-attached storage (NAS).
- Zero-trust architecture: Implement hardware security modules (HSMs) for cryptographic operations, limiting MONTI’s ability to hijack encryption processes.
- Threat intelligence sharing: Integrate with OAS-ISAC’s Latin American Defense Industrial Base consortium for real-time IoC alerts on ransomware TTPs.
This breach underscores the convergence of cybercrime and national security threats in an era of asymmetrical warfare.
As Fabricaciones Militares races to restore operations, the incident will likely accelerate Argentina’s push for a sovereign cybersecurity framework under the DITC’s newly proposed Cyber Defense Innovation Hub.