
Cyber Incident Victim: Ejército de Chile

Date:

May 2023

Location:

Chile

Summary

The Chilean Army experienced a cybersecurity incident affecting its institutional data transmission network. The event was detected by its security systems, prompting the immediate isolation of the network and the launch of audits and recovery efforts. The institutional cybersecurity bodies and the Joint Chiefs of Staff's CSIRT team were notified, followed by the National Defense Ministry. Critical information systems were reported as unaffected at the time, though the full scope of the incident was still being evaluated.

CIA Posture: Available to members

Motives: 1 motive (details available to members)

Tactics, Techniques & Procedures: 1 technique (details available to members)

Threat Actors: 0 actors

Type: Available to members

Threat Actor Location: Available to members

Description

On May 27, 2023, the institutional data transmission network of the Chilean Army was affected by a computer security incident. The event was detected by the cybersecurity systems already in place. Once the threat was detected, established protocols were followed: the affected network was isolated to contain the compromise and prevent it from spreading to other segments. In parallel, the institutional cybersecurity bodies opened audit processes to establish the nature and scope of the breach, and recovery work began immediately with the aim of restoring normal operations. A key part of the response was a certification process intended to confirm that the network could be restarted securely and that its integrity had been verified before it returned to full service.


The incident response procedure included formal notification of the relevant authorities. Details of the event were delivered to the Computer Security Incident Response Team (CSIRT) of the Joint Chiefs of Staff, in line with the standard procedure for escalating significant cybersecurity events within the national defense structure. The information was then passed to the Ministry of National Defense, so that the highest levels of the defense apparatus were aware of the situation and its developments. This reporting chain reflects the institution's structured protocol for incident handling.

An initial assessment indicated that critical information systems had not been affected as of the time of the Army's statement. This suggests that the compromise was confined to the data transmission network and had not reached more sensitive operational or command and control infrastructure at that point. The Army was careful not to treat this as a final finding: its statement explicitly noted that the eventual scope of the incident was still being evaluated, meaning the full impact had not yet been determined and the investigation remained active.

The technical response, as described in the statement, centred on containment within the isolated network segment. Isolating the network was the primary containment action, placing a boundary between the affected systems and the rest of the institutional infrastructure. The audits conducted by the cybersecurity teams would have aimed to identify the attack vector, the extent of the intrusion, and any data exfiltration or manipulation. The Army did not describe the recovery work in detail; in standard practice, recovery at this stage involves cleaning or rebuilding affected systems, applying the patches needed to close the exploited weakness, and restoring data from known-good backups. The certification process for a secure restart, as stated, was meant to verify that the network could be reconnected with its integrity confirmed, which in practice means checking that the exploited weaknesses had been mitigated and that no persistence remained before the segment rejoined the wider network.

The incident did not result in a complete operational shutdown of the Army's digital infrastructure, since critical systems were reported as unaffected. The primary consequence was the disruption of the institutional data transmission network, which would have interrupted the flow of information and communications within the organization. Isolating and auditing the network would also have caused some operational delay and diverted staff and resources to managing the incident, although the Army did not quantify this. Because the investigation into the eventual scope was still ongoing, the full consequences, including whether any sensitive data was accessed or exfiltrated, were not known at the time and depended on the findings of the continued audit and analysis.

The public disclosure of the incident through an official statement acknowledged the event transparently. The statement gave a factual account of the detection and the immediate response steps, while noting that critical systems remained operational, a message likely intended to manage public and governmental concern about the security of national defense information systems. The response shows a structured, protocol-driven approach to incident management: internal cybersecurity teams, cross-institutional CSIRT coordination, and upward reporting to civilian oversight at the Ministry of National Defense. Throughout, the Army focused on understanding the breach, securing the environment, and restoring services, without speculating on the identity or motives of the threat actor.
