Last September news broke out of a massive data breach against the Ministry of National Defense (SEDENA), with a total of 6 TB of information compromised which was sent to selected news outlet. This understandingly sent ripples through the country and cybersecurity industry, as this is considered as the largest incident of its kind in Mexico’s history. At the root of these incidents is the environmental collective, Guacamaya, which has been responsible for some of the biggest attacks in the region in the last years, and more recently they have managed to compromised not only SEDENA in Mexico but also the Policia Nacional Civil in El Salvador, the Comando General de las Fuerzas Militares in Colombia, The Fuerza Armanda in El Salvador and the Ejercito of Peru.
What happened?
On September 28th, the Mexican journalist Carlos Lauret de Mola disclosed that the Ministry of National Defense (SEDENA) was compromised by a group of hackers named “Guacamaya” with a total of 6 terabytes exfiltrated.
Within the data exfiltrated, around 20 million documents including emails, reports, letters and presentations spanning from 2016 through 2022. Documents exfiltrated included priority and objectives of the armed forces, the state of the president’s health, reports related to drug traffic among others. Based on the fact that the group leaked said information to journalists and investigators, the purpose of the leaks seems aimed of exposing the federal government issues and corruption practices; however, it also sheds light on the state of cybersecurity within the country.
The Attack
The attack was carried out against a Zimbra server, a collaborative software used for private business email among other things, the attackers identified a vulnerability in the server that allowed an authenticated user with administrator rights the ability to upload arbitrary files to the system leading to directory traversal [1]. This allowed the attackers to upload a web shell and from there use it to download all the emails from the path /opt/zimbra/store, which Zimbra uses to store all email messages. The attackers also mentioned that they were not the first ones to make use of this vulnerability and that by the time they breach the servers, many web shells were already installed and stealing information dating all the way back to the 5th of July 2022.
The Data Breach
Among the biggest discoveries from the leak is how the government spies on journalists and human rights defenders using the Pegasus spyware [2], the surveillance carried out by the agency on neighboring countries [3], how the agency kept an eye on the singer Mon Laferte [4]; the documents also show how the government is more concerned about the opposition parties than it is of the narco [5], and how the agency is using TikTok to spread propaganda [6].
The leaks were only sent to a few news outlets which later broke the news of the breach and the reason as to why the documents were not made public, which as explained by the group, was to prevent the information to fall into the hands of organized crime groups and to avoid any possible misuse of the documents.
As for the government’s response to the leaks, the president denied at first that the breach took place and later mentioned on live tv that the leak was a failed attack by the opposition to weaken the government. [8]
Guacamaya Group
Little is known about the hacktivist group, what is known is that they have targeted numerous government agencies and big companies around Latin America, as well as being responsible for hacking the Colombian oil company New Granada Energy Corporation, the Brazilian mining company Tejucana, the mining company Compania Guatemalteca de Niquel, and they have also carried out a number of cyberattacks aimed at the armed forces of various Latin American countries among them the General Staff of the National Defense of Chile and the SEDENA.
Apart from the SEDENA case all other attacks used a proxy shell to penetrate the servers and steal the data.
The group has stated that they want to expose companies and governments with the goal of letting everyone know how they operate and how they profit with little to no regard for who gets hurt in the way. They also mentioned in a manifesto [9] how they believe nations like the USA and western corporations have taken advantage of natural resources in Latin America they also mentioned how they are fighting against these practices.
The hackers have also published online videos detailing some of the hackings they have carried out.
Conclusion
It’s not every day that a group of hackers managed to breach and release confidential information of a government agency, overall this incident shed light into not only the corruption within the government entities but also on the state of cybersecurity as a whole and the importance placed on the protection of confidential information.
Overall, the morality behind the actions of the group is questionable and something that will be sure to spark a number of heated debates, what is certain is that these attacks are likely to become more frequent. We hope that governments and companies alike are prepared and start to give cybersecurity the importance it requires.
Author
Jacobo Arzaga
Junior Security Engineer
[4] https://remezcla.com/music/the-guacamaya-leaks-allege-the-mexican-army-kept-an-eye-on-mon-laferte/