Cyber Incident Victim: Ejército del Perú

Date:

Aug 2022

Location:

Peru

Summary

A hacking group known as Guacamaya breached multiple military and police institutions across Central and South America, including Peru's army, exploiting Microsoft vulnerabilities to steal sensitive data. The attackers leaked terabytes of internal documents and emails exposing operational details, surveillance activities, and institutional corruption, while criticizing media focus on political figures' health over environmental and governance issues. Guacamaya claimed ideological motivations aligned with transparency principles, selectively releasing information to avoid endangering individuals but sharing data with journalists to highlight alleged military complicity in environmental degradation and repression of indigenous communities.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In mid-to-late August 2022, the hacktivist group Guacamaya infiltrated the military network of Peru’s Ejército (Army) as part of a coordinated campaign targeting defense institutions across Latin America. The group exploited ProxyShell vulnerabilities—a set of unpatched Microsoft Exchange flaws frequently weaponized since 2021—to gain unauthorized access to internal systems. This breach resulted in the exfiltration of sensitive military data, though the exact volume of Peru-specific data was not quantified in public reports. The attack formed part of a broader regional operation that simultaneously compromised the Secretaría de la Defensa Nacional (Mexico), Policía Nacional Civil (El Salvador), Comando General de las Fuerzas Militares (Colombia), and Fuerza Armada (El Salvador). Guacamaya leaked portions of the stolen data publicly in early September 2022, though they withheld some files deemed potentially dangerous if obtained by criminal groups. The Peruvian military did not publicly acknowledge the breach or provide technical details about the intrusion methodology, data scope, or initial detection timeline.

The leaked Peruvian military data was disseminated alongside troves of documents from other targeted nations, collectively exposing internal communications, operational records, and institutional emails. While the precise content of Peru’s leaked documents was not detailed in available reporting, parallel breaches in Mexico revealed surveillance operations, leadership disputes, and health records of officials, suggesting comparable sensitivities for Peru. Guacamaya justified the attacks as retaliation against state corruption, environmental degradation, and military oppression of Indigenous communities, urging public scrutiny of the leaked materials. No operational disruptions or defensive measures taken by Peru’s Ejército were documented. Regionally, the incident prompted Chile’s Defense Minister to cut short a UN trip to address the fallout, though Peru’s government exhibited no visible crisis response. The collective impact across affected nations highlighted systemic vulnerabilities in military IT infrastructure and amplified scrutiny of defense institutions’ transparency. Guacamaya’s campaign marked an escalation in hacktivist targeting of Latin American military entities, with stolen data repurposed to fuel political and environmental activism.
