Guacamaya: The Real Deal or Faketivists?

Updated on 2022-10-27: Guacamaya: The Real Deal or Faketivists?

A hacktivist group calling itself Guacamaya has been very active in recent months, leaking large quantities of data from mining companies and several Latin American governments. But looking closer, Guacamaya’s actions align in a few ways with Chinese aims. So, a question we’ve been kicking around is whether Guacamaya is indeed a legitimate hacktivist group or just someone’s sock puppet. Spoiler alert: We think it’s probably the real deal but there are a few red flags.

Guacamaya has been active since at least March this year, and in its first publicly known hack it compromised a mining company operating in Guatemala and shared documents obtained in the hack with Forbidden Stories, a collaboration network for journalists, which subsequently published a “Mining Secrets” series of articles.

The group has been on a tear across Latin America ever since. It compromised more mining and oil companies but also government departments and national police and military forces. These police and military breaches include the General Command of the Military Forces of Colombia, Mexico’s Secretariat of National Defense, El Salvador’s National Civil Police, the Peruvian Army, and the Joint Chiefs of Staff of the Chilean Armed Forces.

Hiram Alejandro, CEO of Mexican cyber security firm Seekurity, has been tracking Guacamaya’s activities since June and told us that the leaks have had a big impact in Mexico. They revealed the Mexican government was spying on Mexican reporters and activist groups, including feminists. They also revealed corruption within the Mexican government, links between politicians and Mexican drug cartels, and also that the government had used Pegasus spyware, despite President Andrés Manuel López Obrador’s denials.

The leaks have even had impacts in Australia. The Sydney Morning Herald reported that a leak from the Colombian Attorney General’s office revealed the “identities and methods of secret agents working to stop international drug cartels from operating in Australia”. Per the Herald:

The leak contains details of 35 Australian Federal Police operations, some ongoing, as well as surveillance reports from undercover agents, phone taps and payroll records for Colombian law enforcement officers. Many overseas police agencies are also affected.

Guacamaya typically releases its hacked data to the websites Enlace Hacktivista and Distributed Denial of Secrets (DDoSecrets). Each release is accompanied by a statement and sometimes a poem or video describing the hacking process. Initial Guacamaya statements focussed on environmental degradation caused by mining and the oppression of native peoples by the Global North. Later statements also identify Latin American military forces and government organisations as complicit in this oppression.

So far, so normal. What we’ve described so far is all compatible with a hacktivist group of above average competence on a tear. But given the long history of state-backed groups masquerading as activists, how can we be sure Guacamaya is actually a legitimate hacktivist group? There are a couple of red flags.

For starters, China has form when it comes to anti-mining influence campaigns. Back in June, we reported on a PRC campaign that “tried to motivate anti-mining sentiment targeting Australian, US and Canadian rare earth mining companies by stoking environmental concerns across social media including Twitter, Facebook and Instagram” (On Rare Earth Minerals Dominance, China Turns to Disinformation).

The use of Enlace Hacktivista to release stolen documents is also a bit suspect. The first leak ever published by the site came from Guacamaya, and the second leak was a dump of 200k-odd emails stolen from the Nauru police force. This anonymous hack and leak — as we discussed at the time — came just three weeks out from the 2022 Australian federal election. Australian cyber security company CyberCX (a former sponsor of this newsletter), however, examined the Nauru leaks and found “several anomalies that invite scepticism about the motivations of the threat actor and the integrity of the leaked data”. Although CyberCX did not find any information linking the hack to a state actor, one plausible explanation is that PRC-backed actors might have been trying to influence Australia’s election. (Australia has some controversial immigration policies that Nauru factors into.)

Oh, and Guacamaya used ProxyLogon to gain access to its first victim, a Swiss-based company that operates the Fenix mine in Guatemala. This exploit was widely used by PRC state-backed actors (although this is a pretty weak indicator, everyone loved ProxyLogon).

Nonetheless, there is an alignment of tactics and interests here.

Despite these red flags, however, it is not clear to us that the hacking of Latin American governments to reveal corruption would be in the PRC’s interests. And Hiram Alejandro also pointed out that the information stolen from governments hosted on Enlace Hacktivista was only being released by the site to journalists and researchers. Guacamaya released a statement, Alejandro said, that access would be limited “because this information in the hands of narcs [drug cartels], could put at risk innocent people”.

In fact, these days Enlace Hacktivista asks people to contact DDoSecrets to get access to Guacamaya’s government-related leaks. Alejandro was confident that vetting was occurring as when he tweeted about some of his findings other people contacted him for the source information because they couldn’t get access any other way.

“Some people contacted me asking me for the information because Enlace Hacktivista denied… them the information,” he says.

And the (almost 2 and a half hour-long!) video that Guacamaya released for the hack of the Fenix mine makes us think that Guacamaya is legit. It provides hacking instructions to inspire others to emulate Guacamaya’s actions and has a real Phineas Fisher vibe.

It is also, at times, funny. When they discovered Advanced IP Scanner was already installed on a target, Guacamaya commented that “sometimes living off the land feels more like glamping” (40:30). The group even vaped computers on Fenix’s network three separate times, twice of those seemingly for comedic effect. The first time Guacamaya used Kaspersky’s “Wipe Data” feature. The second time, while listing the options available Guacamaya wrote “Also, Bitlocker, being Microsoft’s official ransomware offering, is allowed. We went with BitLocker since it seemed like more fun…” (1:24:20).

We’ve not yet seen a Chinese state-sponsored actor with a sense of humour.

Updated on 2022-10-14: Guacamaya leak exposes Australian police ops

A large collection of classified documents taken from the Colombian government and leaked online by the Guacamaya hacktivist group has inadvertently exposed details about criminal investigations into Colombian drug cartels and the personal details of police agents from several countries, the Sydney Morning Herald reported. Read more: Secret agents targeting drug cartels in Australia exposed in data hack

“The leak contains details of 35 Australian Federal Police operations, some ongoing, as well as surveillance reports from undercover agents, phone taps and payroll records for Colombian law enforcement officers. Many overseas police agencies are also affected.”

Updated on 2022-10-10: Guacamaya leaks expose Chile’s spyware secrets

OCCRP reporter Jurre van Bergen has a nice Twitter thread on how a recent leak from the Guacamaya hacktivist group has exposed the Chilean government’s dealings and courtship of spyware vendors, including Xmartlab, an NSO Group reseller.

Updated on 2022-10-09: Mexico’s military hack exposes abuse

A significant breach hit the Mexican military with reams of its data now online. The hack exposes the inner workings of the country’s secretive military, including leaked emails that show how Mexico was using the Israel-built spyware Pegasus to spy on journalists. Hackers who go by the name Guacamaya, who released a manifesto about protecting the environment, published the files online, some of which relate to the Mexican president’s health, which led to his hospitalization earlier this year. Some 10 terabytes were released, the hackers said, and reveal efforts to evade oversight amid considerable corruption. Read more:

• Mexico Military Is Hacked, Exposing Abuse and Efforts to Evade Oversight
• “THE STRUGGLE OF ONE TERRITORY MUST BE THE STRUGGLE OF ALL”
• Hack puts Latin American security agencies on edge

Overview

Guacamaya hacker group pilfered highly confidential government information from several military and government agencies across several Latin American countries, confirmed Mexican President. Read more: Guacamaya hacktivists stole sensitive data from Mexico and Latin American countries