Cyber Incident Victim: Quetzal Container Terminal
Date: Oct 2022
Location: Guatemala
Summary
A ransomware attack attributed to the Hive group targeted Guatemala's Customs Service via systems operated by APM Terminals, resulting in the exfiltration of approximately 5GB of Oracle database information. Despite the compromise, the affected terminal maintained operational continuity without disruption to services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On October 18, 2022, Guatemala’s Customs Service experienced a ransomware attack targeting systems operated by APM Terminals at the Quetzal Container Terminal. The Hive ransomware group executed the attack, exfiltrating approximately 5GB of Oracle database files containing operational and administrative data. The breach occurred without immediate disruption to terminal operations, as critical systems supporting cargo handling and customs processing remained functional. Attackers gained unauthorized access to internal networks, though the specific entry vector was not disclosed in public reports. The incident was detected through internal monitoring mechanisms, prompting an investigation by APM Terminals’ cybersecurity team. No ransomware payload was deployed to encrypt systems, distinguishing this incident from typical Hive ransomware operations that prioritize data encryption over exfiltration. The attackers focused on extracting structured data from Oracle systems, which manage logistics, container tracking, and customs documentation. Guatemala’s Customs Service confirmed the compromise but emphasized that no core transactional or financial systems were breached. APM Terminals maintained cargo operations throughout the incident, avoiding port congestion or supply chain delays.

The compromised Oracle data included administrative records related to terminal operations, though authorities did not specify whether customer information or shipment details were affected. APM Terminals collaborated with Guatemala’s National Cybersecurity Office to contain the breach and assess data exposure. Forensic analysis confirmed the attackers’ access was limited to non-critical databases, with no evidence of lateral movement into supervisory control or industrial systems. Customs authorities temporarily enhanced network segmentation and monitoring protocols but did not implement full system shutdowns. The Hive group claimed responsibility for the attack in subsequent dark web posts, though no ransom demand or data leak was publicly verified. Guatemala’s government reported the incident to INTERPOL’s Cybercrime Directorate while continuing routine customs operations without penalties or procedural suspensions. The terminal’s uninterrupted functionality during the attack indicated robust contingency planning for cyber-physical system isolation. No long-term operational or financial impacts were reported by APM Terminals or Guatemalan authorities following containment.
