Cyber Incident Victim: Fuerza Armada de El Salvador
Date: Aug 2022
Location: El Salvador
Summary
A cyberattack by the environmental collective Guacamaya compromised multiple Central and South American militaries, including El Salvador's Fuerza Armada, through exploitation of the ProxyShell vulnerabilities in Microsoft Exchange Server. The hackers leaked terabytes of sensitive documents revealing internal communications, surveillance operations, health details of officials, and environmental concerns related to infrastructure projects. Guacamaya claimed motivations centered on exposing governmental corruption, military repression, and ecological damage while selectively withholding data that could endanger individuals. The incident prompted high-level governmental responses across affected nations, and the group criticized the media for focusing on personal scandals over systemic issues.
Description
In early September 2022, Mexican President Andrés Manuel López Obrador publicly confirmed a large-scale cyberattack by the environmental hacking collective Guacamaya targeting military institutions across Central and South America, including El Salvador’s Fuerza Armada. The breach occurred approximately two weeks prior to López Obrador’s September 30 press conference, aligning with reports of data leaks first appearing in mid-August 2022. Guacamaya infiltrated systems belonging to the Fuerza Armada de El Salvador, Mexico’s Secretaría de la Defensa Nacional (Sedena), Peru’s Ejército, Colombia’s Comando General de las Fuerzas Militares, and other agencies using ProxyShell vulnerabilities, a set of Microsoft Exchange Server exploits widely abused in 2021. The attackers exfiltrated at least six terabytes of sensitive data from Sedena alone, including internal emails, surveillance records targeting U.S. Ambassador Ken Salazar, operational details on narco-criminal activities, and health information about López Obrador. While the Salvadoran military did not publicly comment, López Obrador stated the group had previously executed similar breaches in Guatemala, Colombia, Chile, and El Salvador.

The leaked documents revealed extensive military influence over López Obrador’s administration, inter-service rivalries, and the president’s medical history, which dominated initial media coverage. Guacamaya condemned this focus, urging journalists to prioritize revelations about environmental damage and corruption linked to projects like Mexico’s Tren Maya railway. The collective claimed to withhold files potentially endangering individuals if obtained by narcotraffickers but shared data with verified journalists. Chile’s Defense Minister Maya Fernández cut short a U.N. trip to address the breach domestically, reflecting regional operational disruptions. Guacamaya justified its actions as resistance against state repression and ecological harm, releasing manifestos calling for indigenous communities across “Abya Yala” to analyze the leaks and challenge military dominance. The incident followed Guacamaya’s March 2022 leak of 4 terabytes from a Swiss mining firm in Guatemala and August 2022 breaches of Colombian mining companies and environmental agencies, establishing a pattern of targeting entities tied to resource extraction and military operations. No remediation efforts by El Salvador’s government were documented in available sources.
