Cyber Incident Victim: Policía Nacional Civil de El Salvador
Date: Aug 2022
Location: El Salvador
Summary
A cyberattack by the environmental collective Guacamaya compromised multiple Central and South American military and police entities, including El Salvador's Policía Nacional Civil, through exploitation of Microsoft vulnerabilities. The hackers exfiltrated sensitive documents and emails revealing governance issues, corruption, environmental concerns, and personal health details of officials, selectively releasing data to avoid endangering individuals while urging public scrutiny of institutional power. The group cited motives of exposing state repression and environmental harm, sharing leaks with journalists to highlight systemic abuses while criticizing media focus on sensational aspects over substantive revelations.
Description
In August 2022, the environmental hacking collective Guacamaya breached the systems of multiple Central and South American military and law enforcement agencies, including El Salvador’s Policía Nacional Civil. The group exfiltrated troves of sensitive documents and emails, publicly releasing approximately six terabytes of data stolen from Mexico’s Secretaría de la Defensa Nacional (Sedena) alongside files from Peru’s Ejército, Colombia’s Comando General de las Fuerzas Militares, El Salvador’s Fuerza Armada, and the Policía Nacional Civil. Guacamaya exploited ProxyShell vulnerabilities—a set of Microsoft Exchange Server flaws widely leveraged by attackers in 2021—to compromise these military networks. The collective stated their actions targeted institutional corruption, environmental degradation caused by state-backed projects, and military oppression of indigenous communities. They framed the leaks as part of a broader campaign to empower the peoples of "Abya Yala" (a term for the Americas used by Indigenous groups) to challenge state repression.

The leaked data included internal communications detailing surveillance operations, such as Mexico’s monitoring of U.S. Ambassador Ken Salazar, narco-criminal activity records, and high-level government disputes. Mexican President Andrés Manuel López Obrador confirmed the breach on September 30, 2022, acknowledging attacks on El Salvador, Colombia, Chile, and Guatemala while downplaying operational impacts, asserting his administration had "nothing to hide." Media coverage initially focused on López Obrador’s health issues revealed in the leaks, drawing criticism from Guacamaya, which urged journalists to prioritize reporting on corruption and environmental concerns like the Tren Maya railway project. The collective withheld portions of the Sedena data, citing risks to individuals if obtained by criminal groups, but shared materials with verified journalists regardless of political alignment. Chile’s Defense Minister Maya Fernández interrupted a U.N. visit to address the breach’s fallout. This incident followed Guacamaya’s March 2022 leak of four terabytes from a Swiss mining firm in Guatemala and August 2022 breaches of Colombia’s Prosecutor’s Office and environmental agencies, reflecting a sustained campaign against entities tied to resource extraction and state security operations.
