Cyber Incident Victim: Tesorería General de la República
Date: Jan 2023
Location: Chile
Summary
A hacker claimed unauthorized access to Chile's General Treasury of the Republic (TGR), asserting possession of databases and server control while threatening public data release unless the organization acknowledged incompetence. The attacker provided screenshots demonstrating access to taxpayer personal information and record modification capabilities, contradicting TGR's initial denial of operational impact or compromised taxpayer data. The hacker further alleged altering debt records and rejections, but provided no evidence of such changes, while escalating threats and self-identifying as "romantic cyber mercenaries." TGR maintained that services were unaffected, reported the incident to authorities, and pursued legal actions. The attacker's claims regarding data volume (600GB) and persistent access remained unverified, with no subsequent data leaks or sales observed following their final update. The incident's full scope and the validity of the data alteration assertions remained unresolved.
Description
On or around January 30, 2023, a threat actor using a popular hacking forum claimed to have compromised Chile’s Tesorería General de la República (TGR), asserting unauthorized access to databases and servers associated with the domains tesorería.cl and tgr.cl. The actor, operating under a newly created forum account, posted a partial list of accessed tables and threatened to publicly release data unless TGR acknowledged systemic incompetence. Initial claims included possession of "all the databases" and server access, accompanied by a proof-of-concept statement promising future disclosures. TGR issued a public response the same day, acknowledging awareness of a "potential vulnerability" on an internal information server but denying impact on taxpayer data or operational continuity. The agency stated it had initiated mitigation measures, reported the incident to the CSIRT of Chile’s Ministry of the Interior, and would pursue legal actions.

The threat actor escalated their claims following TGR’s denial, updating their forum post on February 3 with screenshots demonstrating access to sensitive personal data—including names, national identification numbers (RUT), birthdates, marital status, and parental information—via TGR’s intranet. One screenshot indicated an ability to modify personal records. The actor additionally asserted they had altered financial data, specifically referencing forgiven debts and accepted rejections, though no evidence of such modifications was provided. In private communications with DataBreaches.net, the actor claimed possession of 600 GB of data, persistent access achieved via SQL injection (SQLi) and remote code execution (RCE), and no direct contact with TGR. They self-identified as "romantic cyber mercenaries" and referenced hacktivist symbolism but declined to substantiate claims of altered financial records. TGR did not publicly address the validity of the screenshots or debt alteration claims, and Chilean media did not report the incident at the time. As of ten days post-disclosure, no data leaks, access sales, or further proof had materialized.
