Mexican president confirms ‘Guacamaya’ hack targeting regional militaries

Mexican president Andrés Manuel López Obrador confirmed a widely reported cyberattack on Friday that leaked sensitive documents and emails from several militaries across Central and South America.

About two weeks ago, hackers with the environmental collective Guacamaya released troves of documents stolen from the Secretaría de la Defensa Nacional in México, the Policía Nacional Civil in El Salvador, the Comando General de las Fuerzas Militares in Colombia, the Fuerza Armada in El Salvador and the Ejercito of Peru.

None of the agencies involved responded to requests for comment, but on Friday morning, López Obrador held a press conference where he not only confirmed the attack on Mexico’s army but said he received information about attacks on several other countries.  

“I understand that this group has already done the same thing in other countries, I think in Colombia and in Chile. That is why I think that it is something that is being directed from abroad," he said.

“Is it domestic? I doubt it. Someone informed me that they have done it in Guatemala, Colombia, Chile and El Salvador.” 

In addition to confirming the hack, López Obrador addressed some of the revelations within the leak, criticizing a notable local journalist for reporting on a range of illnesses the president faced over the last year.

“Now, what is it that they make known? What is in the public domain, 'he who owes nothing fears nothing.' Yes, they are true, I am sick, I have various ailments,” he said, speaking at length about several health incidents he’s faced this year.

When contacted by The Record, representatives of Guacamaya criticized the way news outlets in Mexico are handling what was leaked, focusing on reports of López Obrador's illness rather than larger questions of governance, corruption and environmental damage.

“Honestly we don't like it and don't approve of doing a TV program about the president's health. It's unnecessary, he's plenty healthy enough to do his job and didn't hide that he had COVID and problems before,” the group said. 

The leak of data stolen from the Secretary of National Defense – known as Sedena – includes six terabytes of files with documents on the surveillance of U.S. Ambassador to Mexico Ken Salazar, as well as transcripts and information on narco-criminal operations.

López Obrador said he was not afraid of damaging information resulting from the leaks, claiming that “everything has been said” and the government has nothing to hide.

“If we hid things, if we were promoting corruption, violating human rights, repressing the people, then yes, we would have to hide information,” he added.

For days, news outlets have breathlessly covered the stolen documents, which included thousands of emails illustrating the Mexican Army’s enormous control over López Obrador’s government, his range of health issues as well as disputes between leaders of the Army and Navy. 

Guacamaya reportedly used ProxyShell — a collection of Microsoft vulnerabilities exploited frequently in 2021 — to gain access to the military systems. 

Representatives of Guacamaya slammed news outlets for ignoring leaked documents on Tren Maya — a 1,525-kilometer intercity railway that will traverse the Yucatán Peninsula after construction is finished in 2024.

“They briefly mention that the leak contains documents on the Tren Maya, a megaproject opposed by many communities in its path, that would certainly be in the public interest to talk about,” a Guacamaya representative said. 

“But we follow ideals of Wikileaks, that information on institutions in power should be public.” 


The group added that they have not leaked all of the files they stole from Sedena because “there is information in there that in the hands of narcos could put people at risk.”

“But still we decided to share it with any that we can verify are reputable journalists, whether we agree with their politics and like their reporting or not,” they said. “And unfortunately those doing serious investigations take time, while those reporting tabloid gossip on the health of the president are fast to publish.”

The most recent set of leaks has already had wide-ranging effects. Chile’s Minister of Defense Maya Fernández flew back from meetings at the U.N. early last week in order to hold several meetings about the hacks

In August, the group leaked troves of documents stolen from the Colombian Prosecutor's Office as well as from five public and private mining companies and several environmental agencies in Colombia and Guatemala. Another 4 TB of data was leaked from a Swiss mining company operating in Guatemala in March. 

Guacamaya – the Mayan name for a macaw – has released several manifestos, arguing that their actions were due to the corruption of several Central and South American governments, as well as militaries and police forces. 


The statements focus on the environmental degradation they claim are caused by the armies and the effects of military control on indigenous populations across Central and South America.  

The messages urge the people of “Abya Yala” — a term used by Central American indigenous tribes to describe the American continent — to sort through the stolen documents to find more information. 

“We filter military and police systems from Mexico, Peru, Salvador, Chile, Colombia and deliver this to those who legitimately do what they can with this information,” the group wrote. 

“Guacamaya invites the peoples of Abya Yala to hack and filter these systems of repression, domination and enslavement that dominate us, and that it be the peoples who decide to find a way to free us from state terrorism.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.