Cyber Incident Victim: Secretaría de la Defensa Nacional
Date: Aug 2022
Location: Mexico
Summary
A cyberattack by the environmental collective Guacamaya compromised Mexico's Secretaría de la Defensa Nacional, exfiltrating sensitive military documents and emails alongside data from other regional militaries. The breach revealed extensive government surveillance operations, internal military disputes, details about the president's health, and environmental concerns related to infrastructure projects like the Tren Maya railway. Guacamaya exploited Microsoft vulnerabilities to access systems. The group criticized media outlets for prioritizing personal health disclosures over governance issues, and it selectively withheld data that could endanger individuals if obtained by criminal groups. The leak underscored military influence over civilian governance and prompted responses from multiple affected nations, with the hackers framing their actions as exposing state corruption and environmental degradation across Central and South America.
Description
In early September 2022, Mexican President Andrés Manuel López Obrador confirmed a large-scale cyberattack by the environmental collective Guacamaya targeting military institutions across Central and South America, including Mexico’s Secretaría de la Defensa Nacional (SEDENA). The attack, which occurred approximately two weeks prior to his September 30 announcement, involved the theft and public release of six terabytes of sensitive documents and emails from SEDENA, El Salvador’s Policía Nacional Civil and Fuerza Armada, Colombia’s Comando General de las Fuerzas Militares, and Peru’s Ejército. Guacamaya exploited ProxyShell vulnerabilities—a set of Microsoft Exchange flaws widely abused in 2021—to infiltrate these military systems. The leaked SEDENA data included detailed records on surveillance operations targeting U.S. Ambassador Ken Salazar, transcripts related to narco-criminal activities, internal communications revealing the Mexican Army’s extensive influence over López Obrador’s administration, documentation of the president’s health conditions, and disputes between military leadership. Guacamaya also exfiltrated files concerning Tren Maya, a contested railway megaproject in the Yucatán Peninsula. The group stated it withheld portions of the stolen data that could endanger individuals if obtained by narcotraffickers but shared materials with verified journalists to expose governance failures.

The breach triggered immediate regional repercussions, with Chile’s Defense Minister Maya Fernández returning early from U.N. meetings to address the incident. Media coverage initially focused on López Obrador’s disclosed health issues, prompting the president to publicly acknowledge his medical conditions while dismissing concerns about damaging revelations, asserting his administration had "nothing to hide." Guacamaya criticized this media emphasis as tabloid sensationalism, arguing outlets neglected substantive leaks about environmental damage, indigenous rights violations, and military corruption. The collective framed their actions as part of a broader campaign against state repression, having previously leaked four terabytes of data from Colombia’s Prosecutor’s Office, mining firms, and environmental agencies in March and August 2022. They released manifestos urging indigenous communities across "Abya Yala" to analyze the documents and resist military domination. Despite López Obrador’s claims of foreign orchestration, no evidence of attribution was provided. Affected military institutions did not publicly comment on containment measures or operational disruptions. Guacamaya maintained their objective was to democratize access to power structures’ secrets, aligning with WikiLeaks’ principles, while selectively limiting disclosures to mitigate collateral harm.
