Image: Dominik Lange/Unsplash

Guacamaya leaks spark debate about militarization, spyware, but no accountability

In September, journalists in Mexico started receiving terabytes of hacked data stolen from the country's Ministry of National Defense.

The leak, which is now considered the largest of its kind in Mexico's history, included details about the president's health, as well as communication between some of the country's top military officials.

Around the same time, similar troves were being leaked from police and military organizations throughout Latin America, including El Salvador’s National Police and Armed Forces, the General Command of the Armed Forces in Colombia, the Peruvian Army and Chile’s General Staff of National Defense.

The documents exposed widespread corruption, deep ties between military leaders and drug cartels as well as spyware used to monitor journalists and human rights defenders.

Behind it all was the environmental collective Guacamaya, which gave the documents to human rights organizations and journalists, who have published hundreds of stories about the contents – kicking off a region-wide debate over the militarization of civilian governments and the paradox of militaries both benefiting and, ultimately, suffering from massive cybersecurity lapses. 

But what, three months after their release, has the impact of the leaks actually been? On this, cybersecurity experts across Latin America are mixed. 

The ramifications have been specific to the country, and to how each nation’s press has handled the documents.

In Chile, Minister of Defense Maya Fernández flew back from discussions at the U.N. early in September to hold several meetings about the hacks, and eventually the general in charge of the joint chiefs of staff, General Guillermo Paiva, was forced to step down due to internal outrage at the leaks. 

Mexican president Andrés Manuel López Obrador, meanwhile, is the only leader to publicly address the leaked documents – partially because they revealed that he had been dealing with health issues since taking office in 2018. 

Veridiana Alimonti, associate director for Latin American policy at rights group Electronic Frontier Foundation, said some officials in Peru and Chile directly confirmed the hacks but Colombia and El Salvador have not addressed the incident. Peruvian officials have even threatened journalists with treason if they continue covering what was leaked. 

None of the governments involved responded to repeated requests for comment. 

Several experts noted that the official silence on much of what was leaked was typical of governments across Latin America but highlighted precisely why the hacks were so important. CyberPeace Institute CEO Stéphane Duguin explained that the hacks shed light on a range of illegal activities that otherwise would not have been known. 

“And the leaks covered a range of issues – from sexual harassment to collusion between governments and criminal groups as well as spyware use against journalists,” he said.

Dilmar Villena, executive director of rights group Hiper Derecho, told The Record that the leaks did not shock the region uniformly, with each country perceiving them differently. 

“It is worth highlighting what happened in Chile and Mexico due to the political repercussions they had. However, it cannot be said that Latin American public opinion has unanimously paid attention to Guacamaya hacks,” he said. 

“The response that the governments gave has to do with the level of attention that public opinion has given to it. In some cases there were changes of ministers and high command of the army; however, in other countries, such as the Peruvian case, there was no great response or institutional changes about it.” 

Much of it comes down to the importance each country’s national press gave the leaks, Villena explained, noting that if the local press did not take an interest in the leaks, it did not end up stirring public debate.

In Peru’s case, Villena said the Ministry of Defense issued a brief pronouncement that the leak was being investigated, but he did not have much hope that impactful action would be taken or that the scandals would “bring discussions on cybersecurity issues to the table.”

The documents revealed that Peru’s army was monitoring several human rights groups, including Amnesty International, IDL, Derechos Humanos sin Fronteras and CooperAcción.

“If the military in countries like Mexico and Peru have been unduly monitoring our work, undermining the defense of victims of human rights violations, we are even more concerned about the attacks that our partner organizations and human rights defenders through the region could face,” said Erika Guevara-Rosas, Americas director at Amnesty International.

The largest tranche of documents – six terabytes in total – came from servers run by Mexico’s army and there has been a slow trickle of news from the leaked documents. 

The stolen emails and files reveal the army’s growing control of the country’s institutions as well as plans for the military’s involvement in several economic and infrastructure projects across the country – something Guacamaya told The Record it was intent on revealing.  

Representatives of Guacamaya initially slammed news outlets for focusing on Mexican army emails about the president’s health and ignoring leaked documents on Tren Maya — a 1,525-kilometer intercity railway that will traverse the Yucatán Peninsula after construction is finished in 2024.


A protester holds up a sign against the Tren Maya project, which will cut through the Yucatan interior. Image: Francisco Colin Varela

The leaks concerning Mexico revealed that the army also has plans for other infrastructure projects in the region and has interest in creating its own airline.

“We decided to share [the stolen documents] with any that we can verify are reputable journalists, whether we agree with their politics and like their reporting or not,” the group told The Record. 

“And unfortunately those doing serious investigations take time, while those reporting tabloid gossip on the health of the president are fast to publish.”

Leopoldo Maldonado, regional director for international human rights organization Article 19, said his organization is one of those combing through the documents and noted that they found many intelligence reports linking high-level politicians in several countries to drug cartels and acts of corruption.

Cybersecurity discussions

Maria Paz Canales, a lawyer in Chile and executive director of the nonprofit Derechos Digitales, said the revelations from the Guacamaya leaks have also given momentum to discussions about the cybersecurity shortcomings of Latin American institutions, and their militaries. 

“They relied a lot on the fact that because they are powerful institutions inside their own countries, that they are in some way beyond the actions of other groups that can access their systems and information,” she said. “At the same time, there is a huge deficit in terms of the knowledge and sophistication that they have for protecting their own systems.”

Dozens of government agencies across Latin America have faced ransomware attacks and cybersecurity incidents throughout 2022, highlighting the need for institutions to better protect citizen data. 

While the Conti ransomware group garnered the biggest headlines for their crippling attack on the entire government of Costa Rica, several other groups have targeted legislatures, government agencies, regulators and businesses across the region. 

Canales explained she was recently invited to a hearing held by Mexico’s Senate on cybersecurity, and similar discussions are being held in Chile’s legislature about the need for some kind of cybersecurity legislation. 

Part of what was alarming about the Guacamaya hack is that it was not particularly sophisticated. The group reportedly used ProxyShell — a collection of Microsoft vulnerabilities exploited frequently in 2021 — to gain access to the military systems. 

“It's really embarrassing that they are failing in very basic things. In this case one person failed to fulfill the basic duty of updating software or ensuring to patch software,” Canales said. 

Villena asserted that the hacks were evidence that cybersecurity is not taken seriously in the region. This was clear, according to Villena, from how small the military budgets for cybersecurity were.

Shortcomings and deficiencies in cybersecurity are “a common denominator in the countries of the region,” Villena told The Record. But he warned that little would change until there was a cyberattack that “put critical assets at risk.”

“I am not very optimistic on this point. What I think should happen is a real investigation and conversation with the people responsible for cybersecurity policies about designing public policies that comprehensively address this problem,” he said. 

“This would include sanctioning the high command of the armed forces and carrying out regular inspections, at the very least. However, again, I am not very optimistic that all this will come to pass.” 

Pegasus and spyware

One of the standout themes from the leaks was the revelations about military use of spyware against journalists and human rights defenders.

CyberPeace Institute CEO Duguin said his organization – which provides free cybersecurity services for more than 80 human rights groups and NGOs around the world – has been focused on the spyware angle, especially on Pegasus – a brand of spyware produced by Israeli company NSO Group that has been used against world leaders and human rights defenders alike.

The Guacamaya leaks revealed that both the Mexican and El Salvadoran governments were using Pegasus to track journalists and human rights workers in 2019 and 2020.

Maldonado said his organization, Article 19, and several others had already been working with news outlets to investigate the usage of Pegasus by the Mexican army, finding that journalists looking into links between extrajudicial killings, drug cartels and the Mexican military were allegedly infected with NSO Group’s spyware after being hacked through zero-click attacks.

“In this case we already had a lot of evidence of the army's participation, a situation that was confirmed days before publication thanks to the Guacamaya leaks. It has also shown how the military intelligence catalogs social and dissident groups as subjects of interest and equates them with criminal and terrorist groups,” Maldonado said. 

Pegasus was allegedly used against two journalists and one human rights defender in Mexico, according to Article 19. Vladimir Cortés Roshdestvensky, digital rights programme officer at the organization, said the leaks revealed contracts signed between the Mexican Army and NSO Group. 

Electronic Frontier Foundation’s Alimonti added that the leaks raised the issue of government surveillance to the public and highlighted the lack of human rights standards around the use of spyware.

She noted that the United Nations High Commissioner for Human Rights also raised concerns about the spyware revelations in October. 

Guillermo Fernández-Maldonado, a spokesperson for the United Nations High Commissioner for Human Rights’ Mexico office, said the use of spyware against non-criminal actors is a violation of human rights and undermines the confidence people have in state institutions. 

“The acts of illegal surveillance have an intimidating effect and send a negative signal of government intolerance to criticism, contrary to the free and safe environment that must be guaranteed for the exercise of the right to defend human rights and freedom of the press,” Fernández-Maldonado said.

Alimonti said the revelations about military surveillance were important for efforts among civil rights organizations like hers to create human rights safeguards and standards with regard to how spyware is deployed across the region. 

The tools are currently being used “abusively and arbitrarily,” she said, highlighting the need for institutional public oversight. 

Both Alimonti and Duguin noted that the use of spyware and surveillance technology went hand in hand with the cybersecurity issues that led to the breach in the first place, considering many spyware companies market themselves based on their ability to intentionally exploit vulnerabilities in information systems. 

Alimonti said the government was effectively working against itself, attempting to provide more device security for citizens while also hiring companies that specialize in exploiting those same devices. 

“It is another paradox: you have states that are claiming left and right that the internet needs to be secure, be a safe space to trust but they're spending public money and giving it to companies that make sure that the old constructs of the internet are full of holes and vulnerabilities,” Duguin said. 

Further militarization

In Mexico especially, the leaks have spurred conversations about the country’s growing militarization and the army’s ever larger role in civilian life. 

But army officials in Mexico have sought to downplay the significance of the leaks, criticizing news outlets for publishing information, while failing to address the content of the stories. 

“It's part of the strategy of the Mexican Government,” said Cortés Roshdestvensky, the digital rights programme officer at Article 19. “They’re attacking those who reveal certain information of public interest by stigmatizing their work as journalists or their work as human rights defenders.” 

Maldonado, Article 19’s regional director, said some government officials in El Salvador and Mexico have claimed the hacks are part of a campaign by opposition parties against them. 

While the leaks have prompted Mexico’s Congress to draft tough cybersecurity measures, he said the rules are “more like cyber-patrolling and censorship of the Internet.”

But the documents have started a larger public debate, Roshdestvensky explained. Social media in Mexico was abuzz about the leaks, and there have been several media pieces about the scandals. One news outlet has kept a running update page of revelations that came from the emails and documents leaked. 

While interest in the hacks has waned in recent weeks, there were intensive discussions and debate about cybersecurity in the first weeks after the leaks. 

“I believe we’re going to continue seeing those debates around access to information, around militarization in Mexico, around the cybersecurity debate and more,” he said.

“We are already seeing continued discussion about the mapping of criminal organizations in Mexico and what the government knows about the criminal organizations we have in Mexico. There is also discussion about the lists the army had about groups they believe are a ‘danger or risk’ to the country like feminist collectives and other indigenous or environmental groups opposed to large infrastructure projects in southern states.”

Maldonado hoped that the leaked information would lead to accountability processes but explained that the Mexican government has already dismissed any such measure. 

There needs to be some level of accountability and transparency, Roshdestvensky explained, noting that the monitoring of opposition parties by multiple governments showed that this conduct “must be regulated by civilians.”

Guacamaya in their own words

There is no information on where the Guacamaya group – which takes its name from the Mayan word for “macaw” – is based. 

But in conversations with The Record, the group communicated mostly in Spanish and spoke passionately of launching the hacking campaign to expose the environmental degradation and human rights abuses of militaries across Latin America. 

They have released several manifestos, arguing that their actions were due to the corruption of Central and South American governments, and repeatedly mention the people of “Abya Yala” — a term used by Central American indigenous tribes to describe the American continent. 

Guacamaya got its start releasing hacked documents from several mining and oil companies across Latin America earlier this year before turning their attention to militaries and governments. They previously accused armies in the region of “doing the dirty work of the states, companies and organized crime, such as drug trafficking.”


Image: Guacamaya

The group told The Record that their work is a “continuation of the struggle and resistance of the people of Abya Yala” and explained that the leaks “are a form of fighting.”

Their ultimate goal is to reveal “what we all already know in a way that is more palpable and documented” – lauding the news outlets and human rights organizations that have “fearlessly” covered the corruption and abuses revealed in the documents. 

“The oppressed peoples, as well as mother earth, have a weariness in the face of how the capitalist system has devastated life, putting capital and production above all else. We want a ‘return to life,’ to the good life that only occurs in harmony with others,” a representative for the group said. 

The stolen files showed “reprehensible” conduct from the militaries and police forces in the region as well as the widespread criminal repression that people face from “extractive” and “pyramidal” organizations. 

The group said its hope was a future where the “global north abandons the looting and extractivism of natural resources and stops violating Mother Earth.”

“There is very little of the jungle left and when the rivers dry up, when our people are being poisoned, we can only be on the side of life, and our hope is to continue acting, resisting like our ancestors,” they said, calling their effort a “popular movement.” 

Guacamaya said the response to the leaks was evidence that most governments will not “put themselves on trial” and address the issues that people have concerns about. 

When asked what they hoped would come from their actions, the group said they believed “only the people save the people” and called for others to take similar action against what they allege are corrupt governments. 

“We hope to continue in the task and continue to deliver leaks through those who have legitimacy and through the localities that will determine what to do with it.” The group has also published video tutorials online explaining how to perpetrate these types of hacks, “so anyone from any corner of the motherland may be part of Guacamaya.”

“These actions also are an invitation to use this tool – hacking – and make it functional to the legacy left by our ancestors so that as oppressed peoples we can launch rebellion and resistance against oppression.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.