Date: Aug 2022

Location: Colombia

Summary

The environmental hacker collective Guacamaya breached multiple Central and South American military entities, including Colombia's Comando General de las Fuerzas Militares, exploiting Microsoft Exchange Server (ProxyShell) vulnerabilities to exfiltrate sensitive documents and emails. Leaked data encompassed internal communications, surveillance operations, narco-criminal intelligence, leadership disputes, and health details of high-ranking officials, while the group selectively withheld information posing risks to individuals. Guacamaya justified the attacks as exposing governmental corruption, environmental degradation from projects like Tren Maya, and military repression of indigenous communities, distributing the materials to journalists to spur public scrutiny of state institutions.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In early September 2022, the environmental hacktivist group Guacamaya publicly leaked sensitive military documents and emails stolen from multiple Central and South American defense organizations, including Colombia’s Comando General de las Fuerzas Militares. The breach occurred approximately two weeks prior to Mexican President Andrés Manuel López Obrador’s September 30 press conference confirming the attacks, which also targeted Mexico’s Secretaría de la Defensa Nacional (Sedena), El Salvador’s Policía Nacional Civil and Fuerza Armada, Peru’s Ejercito, and Chilean defense systems. Guacamaya exploited ProxyShell vulnerabilities—a set of Microsoft Exchange Server flaws widely weaponized in 2021—to infiltrate these military networks. The group exfiltrated approximately six terabytes of data from Sedena alone, containing operational details such as surveillance records on U.S. Ambassador to Mexico Ken Salazar, transcripts related to narcotics operations, internal military communications, and health records of President López Obrador. The Mexican president acknowledged the breach’s authenticity during his press briefing, speculating the attacks originated abroad due to their multinational scope across Colombia, Chile, Guatemala, and El Salvador. None of the affected military agencies issued official statements, though Chilean Defense Minister Maya Fernández abruptly returned from U.N. meetings to address the incident domestically.


The leaked data triggered immediate media scrutiny, particularly regarding López Obrador’s undisclosed health conditions and interservice rivalries within Mexico’s military hierarchy. Guacamaya condemned this coverage as sensationalist, arguing journalists neglected more consequential revelations about environmental degradation and corruption tied to projects like the Tren Maya railway. The group affirmed their selective disclosure approach, withholding files that could endanger individuals if obtained by cartels while sharing data with verified journalists regardless of political alignment. Their stated motive centered on exposing state repression, military environmental crimes, and impacts on Indigenous communities across “Abya Yala” (the Americas). This incident followed Guacamaya’s August 2022 leaks from Colombia’s Prosecutor’s Office, five mining firms, and environmental agencies, plus a March 2022 breach of a Swiss mining company in Guatemala. The collective framed these actions as anti-imperialist resistance, urging public analysis of leaked documents to challenge state power structures. Operational disruptions included internal investigations within compromised militaries and diplomatic adjustments, though no formal remediation steps or attribution findings were disclosed by authorities.

Sources: 1 source (available to members)