“A Chilean cybersecurity company warned (of the vulnerability) in August 2021 (…) The EMCO chose to leave it open.”
The statement comes from the Guacamaya hacktivist group, the collective that leaked more than 400,000 restricted emails from the Joint Chiefs of Staff (EMCO), the body that advises the Ministry of Defense on Armed Forces matters.
In an e-mail reply to the BioBioChile Investigation Unit, the group not only confirms that the attack took place in May of this year but also points to negligence by the EMCO, which took no concrete action on a vulnerability that had been detected and reported to public institutions almost a year before the hack.
Information gathered by this outlet even points to a failed tender in December 2021 to service and repair the very mail servers that the attackers would later target. The public call never went ahead: it was revoked just days later, citing “budgetary” problems.
Alerts ignored?
According to information compiled by BBCL Investigates, the history of the hack dates back to mid-2021, when the EMCO was headed by the current commander-in-chief of the Army, Javier Iturriaga.
On at least two occasions, different entities warned of a vulnerability in Microsoft Exchange mail servers, the same software the EMCO uses to host its e-mail.
The first alert dates to July 13 of that year, when the government Computer Security Incident Response Team (CSIRT), under the Ministry of the Interior, reported a series of software vulnerabilities, including one in Exchange.
The risk was rated “high” in the agency's alert. In short, it called on public bodies to act quickly and install the corresponding security updates (“patches”), precisely to prevent attacks exploiting that vulnerability. One caveat worth noting for administrators: Exchange security updates are distributed separately from ordinary Windows updates and must be applied to each Exchange server on a supported cumulative update, so a server that receives Windows patches can still be running an unpatched Exchange.
The same thing happened almost exactly a month later. In August 2021, the cybersecurity firm CronUp warned of the “massive exploitation” of “a critical security flaw” in Exchange servers that allowed remote code execution.
Here too, the firm called on state entities to install the patches. At the time, CronUp noted that in Chile “90 Microsoft Exchange servers are still vulnerable (…) which might allow an attacker to gain initial access to the corporate network.”
“They should patch as soon as possible,” the notice read.
A failed tender
Almost five months after the first alert, the EMCO appears to have acted. In early December of that year, with Defense led by Minister Baldo Prokurica under the government of Sebastián Piñera, the Joint Chiefs of Staff issued a call for tenders that could have changed the fate of its mail servers.
According to the public tender file, reviewed by the BioBioChile Investigation Unit, the purpose of the work was precisely the maintenance and repair of the Exchange mail servers.
The work was to be carried out at the EMCO offices. On the 8th floor, at least four physical servers awaited maintenance; two more, virtual ones, were also on the list of equipment to be serviced.
For this, the organization set aside 4,500 dollars, roughly 4.5 million Chilean pesos at today's rate. However, no more than two weeks later the Ministry of Defense's advisory body decided to revoke the process.
Through a resolution dated December 15, 2021 and signed by the director of general support, Colonel Mario Jorquera Solís, the Joint Chiefs of Staff ended the call for tenders.
In the three-page document, it argued that “in the terms offered, it is not possible to execute the budget expenditure before December 31, 2021.”
In other words, a bureaucratic problem prevented, at least on that occasion, the maintenance of the servers. Five months later, the Guacamaya group breached the EMCO's systems and downloaded more than 400,000 emails from the agency. A chronicle of a hack foretold.
Asked about the possible responsibility of the commander-in-chief of the Army, Javier Iturriaga, the military institution declined to comment, arguing that the hack is a matter for the EMCO and that investigations are ongoing. This outlet also contacted the Ministry of Defense to find out whether, after the tender was revoked, any maintenance was performed on the equipment. As of press time there had been no response.
The hackers speak
The BioBioChile Investigation Unit spoke by e-mail with the Guacamaya group, responsible for leaking 10 terabytes of e-mail from the armed forces and police of at least five Latin American countries, including Colombia, El Salvador and, of course, Chile.
In their reply, the hacktivists confirm that the attack took place between May 7 and 16 of this year. In the following days, they say, the material was handed to the website that ultimately decided to publish it on September 19.
The group says it found a security flaw exposed on port 443, which amounted to a “free pass” to download the mail, something sources familiar with the matter confirmed to BioBioChile. Port 443 is the HTTPS port through which an Exchange server exposes Outlook Web Access, Exchange Web Services and Autodiscover to the internet, so an unpatched flaw there is reachable by anyone who can connect to the server.
Thus, the group claims not to see the flaw as a vulnerability but as “a more operational alternative to the Transparency Law, to comply with article 8 of our unbeatable Political Constitution.”
“We understand that this is also the interpretation of the Army,” they add ironically, hinting at negligence by the Joint Chiefs of Staff, given the alerts issued by different organizations to close the security gaps.
Even so, “the EMCO chose to leave it open,” they assert.
As for the repercussions of the hack, they say the media coverage has been “confusing” for them, noting that “the job of journalism is to inform the people.”
“We see that only some of them have done this: report the content of the emails. In general, the media have only been concerned with, and have emphasized, questions such as ‘how is it possible for the people to be informed of the operations of their armed forces?’ and ‘what measures can be taken so that this does not happen again?’” they criticize.
“The right-wing media blame the minister and the President; those on the left, the Army command,” they reflect.