Guacamaya, an environmental hacker group, is likely to target further state institutions and extractive companies that operate in Latin America in 2023.
This assessment was issued to clients of Dragonfly’s Security Intelligence & Analysis Service (SIAS) on 19 October 2022.
In recent months, it has hacked and leaked data from military and law enforcement agencies in several countries in the region, as well as oil and mining companies. These leaks have been extensive and have exposed potentially-illegal practices by their targets, which has attracted significant media coverage.
Based on the group’s activity so far and its focus on environmental issues and indigenous peoples’ rights, we assess that it will remain intent on stealing and leaking data of oil and mining firms in particular. The extent of the recent hacks suggests that Guacamaya is highly capable. But based on its targeting and its stated objectives, it is unlikely to launch any such campaign outside of Latin America for now.
Ideologically motivated hack-and-leak
Guacamaya has been highly successful and effective in its hack-and-leak operations over the past few months. It has targeted government and military agencies in the region, including in El Salvador, Chile, Colombia, Mexico and Peru. Many of the leaks are notable because they have gained significant media coverage and, in the case of Chile, prompted the head of the Armed Forces Joint Chiefs of Staff to resign. The Mexican president in late September confirmed the recent hacks targeting governments in the region.
- The group leaked highly-sensitive classified military documents belonging to Peru, including the country’s military plans in the event of a border conflict with Chile, as well as intelligence on Chile’s military capabilities. This was reported in Peruvian media outlets.
- A widespread data leak in Mexico allegedly exposed police and local authorities’ ties to drug cartels, government spying on journalists, activists and other prominent civilians, as well as the president’s medical and other sensitive personal data.
In Colombia, leaked emails from the attorney general’s office suggested possible links between law enforcement, drug cartels and paramilitary gangs. These leaks also allegedly exposed the activities and identities of Australian police secret agents combatting Colombian drug trafficking.
Guacamaya is mainly driven by environmental and indigenous justice issues and does not appear to be financially motivated. In its public statements this year, it has expressed its commitment to fighting against the ‘destruction’ of nature and the repression of indigenous peoples, as well as against capitalism and US ‘imperialism’ in the region. The group has also stated its aims to expose corruption by state authorities and extractive firms; it explicitly referred to the ‘neo-colonialism of extractivist companies’ in its recent statements, and proposed ‘the leaking and sabotage’ of their ‘systems’.
A commercial threat
Guacamaya is also likely to prioritise targeting extractive firms in Latin America for data leak operations into 2023. This is particularly if companies have been implicated in corruption and environmental scandals. Guacamaya perceives such firms, particularly in the oil and mining sectors, as harmful to the environment and indigenous populations. It leaked data of public and private oil and mining firms that operate in Brazil, Chile, Colombia, Ecuador and Venezuela in August, and of a Guatemala-based ferronickel production firm in March. Some of the group’s targets are subsidiaries of multinational extractive firms.
On current indications, Guacamaya is unlikely to expand its targeting outside the region or launch a campaign of data leaks on non-extractive firms. Its reported leaks this year have almost exclusively targeted Latin American state institutions, or oil and mining firms operating in the region. However, there is a reasonable chance such hackers will try to target other multinational firms with investments, subsidiaries or other affiliated entities in the region that they perceive as facilitating corruption, environmental degradation or displacement of indigenous persons.
An attractive region for hackers
Latin America will probably remain a focus for a range of cyber threat actors, including environmental hackers and cyber extortion groups in 2023. The extent of recent hacks is indicative of this. The majority of these attacks by Guacamaya, commonly known as ProxyShell, exploited various vulnerabilities in Microsoft email servers, according to experts and media reports.
In comparison with most countries in Europe and North America, cybersecurity standards, prevention and response in Latin American countries are relatively poor. These countries generally rank poorly on Estonia’s National Cyber Security Index, which measures the preparedness of countries to ‘prevent cyber threats and manage cyber incidents’. This issue affects state and commercial entities in the region. And in a high-profile incident this year, the prolific ransomware group Conti paralysed several state institutions in Costa Rica in an attack campaign that began in April.
Image: A picture posted alongside Guacamaya’s statement after its data leaks; Guacamaya video leak site.
Guacamaya, an environmental hacker group, is likely to target further state institutions and extractive companies that operate in Latin America in 2023.