The information of more than a quarter (28%) of Mexico’s population may be at risk following the leak of 2.3TB of data online by a hacktivist group, but Mexico’s cybersecurity and digital-technology agency, the Agencia de Transformación Digital y Telecomunicaciones (ATDT), downplayed the significance of any potential compromise.
On Jan. 30, a hacking collective known as the Chronus Group reportedly posted documents and data from at least 25 different government institutions in Mexico, some of which included names, telephone numbers, addresses, dates of birth, and proof of registration in Mexico’s public universal healthcare system, Instituto Mexicano del Seguro Social (IMSS) Bienestar. The ATDT, however, refuted the characterization of the data, stressing that their analysis indicated that the information is not a new breach but a collection of data from previous breaches.
“No publication of sensitive data has been identified,” the agency stated in its response (translated). “The affected systems are primarily obsolete systems developed and administered by private entities for state-level government bodies.”
The alleged breach highlights the deteriorating threat landscape for Latin American organizations, which have become the top target of cybercriminals and hackers worldwide, with an average of 3,065 attacks per week. In addition to cybercriminals, hacktivists and nation-state actors — such as China’s Panda groups — have increasingly targeted organizations in the region.
Detections of information stealers and other malware designed to steal credentials and data reached their highest levels in late 2024 for Mexico and its neighbors, such as Peru, and continue to be a major threat today, says Camilo Gutiérrez, field chief information security officer (CISO) for Latin America at cybersecurity firm ESET.
“The threat landscape facing Mexico is frequent, diverse, and growing, composed of both traditional vectors and new forms of attack that evolve rapidly, reinforcing the need for continuous strengthening of defensive and detection capabilities across public and private sectors,” he says.
A Modern Hacktivist Group
The Chronus group is a loose collection of like-minded hackers that blurs the line between hacktivism and cybercrime and that appeared as early as 2021, according to threat intelligence firm Recorded Future. While some of its members sell databases and credentials on Dark Web forums, they have advertised themselves as a “cyberterrorism” group, says one Recorded Future threat analyst, who asked to remain anonymous due to security concerns.
“They want to spread the FUD — fear, uncertainty, and doubt — because they know that’s going to grab headlines,” the analyst says. “They know that the power of social media reposting things gets their message out. … Now that this dust is starting to settle, the due diligence is happening and … this [incident appears to be] not what they’re saying.”
Chronus has not risen to the level at which threat analysts track it as a distinct group, but in the past six months or so its activity has increased, says ESET’s Gutiérrez. Like some of the Op hacking groups that formed in the wake of specific conflicts, such as OpRussia and Op India, Chronus appears to be a loose affiliation of hackers focused on the Mexican government.
“Rather than being an actor with a clearly identifiable technical signature, it seems to operate as a name used in forums and local reports to group together a series of leaks and threats mainly directed at Mexican institutions,” he says.
In this case, however, the hacker collective appears to have oversold the extent of the breach. The initial breach claims — if the data had been current and sensitive — could have had significant impact on Mexican citizens, but so far there has been no confirmed publication of information classified as critical, according to ATDT.
Over-Promised, Under-Delivered
Such tactics are typical of hacktivist groups coming together for an Op, says the Recorded Future analyst.
“Threat actors and hacktivist groups will kind of bundle [breaches] all together [and are] very quick to move and announce that they’ve done something,” he says. “They obviously want [to] increase their brand, their capabilities, but then you start seeing as the dust settles, like OK, is it really that sensitive?”
As the lead cybersecurity agency for the defense of government organizations in Mexico, the ATDT appears to have revoked compromised access credentials and provided incident response and remediation to the government agencies that may have been compromised, says Gutiérrez.
These measures are consistent with a first phase of incident management, although they are not necessarily enough to address the government’s deeper cybersecurity problems, he says.
“There was not necessarily a massive intrusion into the government’s main systems, but there were [likely] improper accesses to specific platforms, decentralized environments, or third-party services that handle government data,” he says. “The case deserves serious attention because of the amount of information involved and the lessons it leaves about the digital resilience of the public sector.”
Most companies in Latin America lack confidence that their own organizations and government agencies can protect them: a recent study found that Latin American cybersecurity experts have the least confidence in their nation’s cyber capabilities compared to their global peers. If ATDT continues to be transparent, security professionals’ confidence could rise. Yet, if the data turns out to be more sensitive than the government asserts, a rise in fraud could further undermine faith in its response.