Published by The Lawfare Institute
in Cooperation With
On Monday, Aug. 12, hackers leaked 700 GB of data obtained from the government of Argentina, including confidential documents, wiretaps and biometric information from the Argentine Federal Police, along with the personal data of police officers. The Twitter account of the Argentine Naval Prefecture was hacked as well, and used not only to share links to the stolen information but also to spread fake news about a nonexistent British attack on Argentine ships.
An operation combining the hacking of law enforcement agencies, an attempt to spread misinformation through social media and the leaking of large amounts of sensitive data on the “Deep Web” would seem to check all the boxes for a major news story. But you most likely have not heard about any of this.
The relative lack of media coverage about the hack is not actually surprising, considering the news dominating the discussion about Argentina this past week. Primary elections were held on Aug. 11, the night before the leak. Due to heavy polarization, most predicted that the election would be a tight race between the current president, Mauricio Macri, and his challengers, Alberto Fernandez and former President Cristina Fernandez de Kirchner (the latter running as Fernandez’s vice-presidential pick). By the end of the night, however, the opposition ticket had claimed a landslide victory: Macri received 32 percent of the vote, compared to the 47 percent boasted by the opposition. This past election does not formally change anything for either party. The purpose of the primaries is to filter out low-polling candidates and to settle internal primaries, and the general elections in October will see the same candidates face each other again. But the results signal that October will likely bring Kirchner back to power. While it is unclear whether Alberto Fernandez’s economic plan would mark a return to the populist measures that characterized Kirchner’s administration, the market’s reaction to these results was chaotic. On Aug. 12, Argentine bonds and stocks plunged, the value for the Argentine peso dropped sharply and companies lost $18.144 million in a day. Throughout the week, the political and economic aftermath of the election was what most Argentinians had on their minds.
In the midst of the ensuing turmoil, it is understandable that not much attention was initially paid to the short-lived hack of the Naval Prefecture Twitter account. However, allowing the story to fade in the background would be a disservice. What happened on Aug. 12 in Argentina not only has implications for the country’s own security but also serves as another data point for the ongoing discussion about how hacking and leaking operations should be understood and addressed.
On the night of Aug. 11, a public Telegram chat group appeared. A Twitter account would soon be compromised, the group’s founders announced. By noon on Aug. 12, it became clear what the message was referring to: The official Twitter account of the Argentine Naval Prefecture began posting a sequence of disconcerting messages, evidence that it had been hacked. The hackers had around 10 minutes to publish several tweets before the government regained control over the account; one of them shared some of the “LaGorraLeaks” (“La Gorra” is an Argentinian term used to refer to the police), a set of links that allegedly contained police officers’ personal data along with wiretaps, biometric information and classified documents, among other information. Another concerning message falsely informed the public about a British attack on Argentine ships.
“LaGorraLeaks” is the handle for the Twitter account that made the hacked documents known. And this is not their first rodeo. Back in 2017, the profile claimed to have hacked into the Argentine security minister’s account—although the consequences of such action were limited to posting unflattering messages about the minister. A few months later, the same profile leaked emails with information regarding the Organized Crime Division of the Argentine police. On Aug. 12, 2019, the account was busy retweeting news reports about its hack and sharing links to leaked data. A pinned tweet made public “#LaGorraLeaks2.0.” The user or users, who go by “[S],” claimed to have published 700 GB of information to the “Deep Web”—which, they assured, contained sensitive data relating to the Argentine Federal Police and the Buenos Aires City Police. It is worth pointing out that it is most likely that the hacker was actually referring to what is usually known as the "dark web," the portion of the web accessible only through anonymizing tools; the dark web is contained within the deep web, referring to content not indexed by search engines.
The account has now been suspended, but this has not deterred the group. A new Telegram public group was set up and further menacing texts sent out, hinting at future activity. Its founders posted obscure references to how “September will have a very amusing start,” argued that banking institutions are taking advantage of the state of the country and hinted at the preparation of something “very large” set to affect Argentina’s cybersecurity as never seen before. The chat also seemed to work as a recruiting space, where the self-described “Team” announced it was looking for people with specific capabilities and informed those reading the channel about a selection process to participate in the project. Whether this is actually an established organization or just banter among hackers is not clear.
On Aug. 12, the stolen data was shared both through [S]’s twitter account and the Naval Prefecture’s profile, although it has not been confirmed whether the hacks and the leak were carried out by the same person or organization. Even as of now, there does not seem to be a consensus regarding how precisely the leak of information occurred—some have even suggested that the whole thing might have been an inside job, rather than an actual exploitation of security vulnerabilities. A spokesperson for the Federal Police assured the press that the organization’s database has not been compromised; the data accessed was in the cloud, uploaded by what the spokesman vaguely called “peripheral dependencies.” There also seems to be some confusion about the relevance of the leaked information. Some news outlets reported that confidential information regarding ongoing investigations is now public, with some of the leaked information dated as recently as a month ago; others wrote that the hackers are publishing old data. Authorities from the Buenos Aires City Police, however, have denied that their databases were breached.
Local media was able to establish contact with the alleged hacker via email. Whoever was behind the screen responded under the alias Nicolái Lobachevski—the name of a 19th century Russian mathematician—and provided his side of the story. In terms of the methodology used to access the stolen data, “Lobachevski” replied that the process had taken months of silently accessing the police’s network, relying partly on his own knowledge and abilities and partly on the naivete of police agents and employees. Further, he assured that he is the same hacker from 2017 and claimed responsibility for the hacks both past and present. Finally, the hacker dismissed the chances of being caught, arguing that there was no risk and no margin of error.
“Lobachevski”/[S] claims that the intent behind his actions was to demonstrate the security flaws in the system and was motivated by the technical challenge it presented. This seems consistent with some of the content posted in his now-suspended account. Prior to the bulk of the leak, messages on the Twitter account made calls for the government to improve its security and even mentioned the possibility of reporting security vulnerabilities to the Security Ministry before brushing the idea aside.
Both the Federal Police and the Naval Prefecture have informed the press that there are already investigations underway to figure out what occurred, and that judicial procedures have been initiated.
These events should bring attention to three sets of concerns. First, the hacking and leaking of sensitive information could endanger the safety of law enforcement agents and affect the Argentine national security strategy. Second, the events provide an opportunity to explore the consequences of fake news being published through trusted channels such as official social media accounts of government institutions and authorities. Lastly, events of this nature should push forward the conversation about digital literacy and the portrayal of such issues in the media.
In the exchange between “Lobachevski” and the press, reporters raised the question of the risk that this leak poses for law enforcement—though the issue seemed to hold little significance for the alleged hacker. After acknowledging that the release of the data had created risks for these people, he went on to say that he did not care given that he does not like the police. In fact, the website hosting the leaked information also contained a manifesto proclaiming the oppressive nature of the police force and declaring that it should no longer exist.
The 700 GB leak contains an extensive list of data, allegedly including confidential documents, wiretaps, scanned documents, biometric information and files with personal information of police officers and their families. The scope and extent of the information that is now accessible presents serious security concerns, both for the country’s ability to conduct security operations and for the safety of the agents themselves. Local press reported that, indeed, files on 70 police officers comprised some of the leaked information, including the officers’ personal phone numbers, their addresses and the names of their partners and children. This breach of privacy exposes the officers to targeted attacks from both criminal organizations or reprisals for their work from those who do not like the police.
The fact that someone accessed and published such a great amount of information is in itself a grave concern. But there is a different threat to be considered as well, related to the proliferation of fake news.
The tweets sent out by the hacked Naval Prefecture account were more than just a way of informing the public about the leaked data or insulting law enforcement agencies. Before the government regained control over the account, the hackers posted that three Argentine ships had been attacked by British missiles, that Argentina had successfully responded to the breach of the country’s territory and that the president was on his way. They also stated that 27 officers had died.
To be fair, the tweet was not public for long, because authorities resumed their control over the account relatively quickly. It also doesn’t hurt that the Argentine Naval Prefecture’s account, with less than 100,000 Twitter followers, could hardly boast of a following that could make such a tweet have an impact. And it was hardly the intention of whoever was managing the account at that point to set in motion a proper misinformation campaign destined to wreak havoc—between the links to the data and the foul references to the security minister, the posts were clearly a result of the hacker’s activity rather than a convincing imitation of the Naval Prefecture. Nevertheless, the use of an authoritative channel to spread fake news over an issue as sensitive as a British attack on Argentina raises the possibility that a more carefully and well executed campaign with that purpose could be conducted.
The Naval Prefecture’s Twitter account reportedly did not have two-factor authentication, aiding in the hacker’s ability to gain access. If social media accounts belonging to other governmental agencies or even political figures also lack such security measures, the possibilities for exploitation are high. Recall that in 2013, a week after the Boston marathon bombing, a fake AP tweet claiming that an explosion at the White House had injured then-President Obama briefly caused a stock market crash. The use of trusted profiles to spread misinformation could have far-reaching effects, particularly during a delicate time. This does not, of course, mean that a malicious tweet will cause war or the collapse of society. But this kind of misinformation is a tool that can be exploited by those with bad intentions.
There are a range of pressing issues that rank higher in Argentina than the hacking of the Naval Prefecture’s Twitter. However, it is telling how the hack and leak were reported and discussed. A first group of reports basically replicated each other, providing a brief description of the facts and attaching several screenshots of both the hacked accounts and [S]’s own Twitter account. Most also included a superficial explanation of the “Deep Web.” Those reporters who put in the extra work provided a line describing the TOR browser, needed to access the leaked data.
Subsequently, there has been further reporting and explanation on the hacking and leaking, with outlets reaching out to security experts and unnamed sources within the government in order to paint a more detailed picture of what happened. Regardless, the considerations presented, at least on the public record, have barely scratched the surface of the national security concerns that should be taken into account now that sensitive information is available. Nor has there been any conversation about the infrastructure vulnerabilities that allowed this to happen in the first place.
Given that investigations into the hack are ongoing, it may be too early to assign blame for this particular incident. But many different elements contributed to this situation. On the one hand, according to “Lobachevski,” accessing the Federal Police’s database took months; this signals some level of proper cyber protection. How exactly did this breach happen, and how was a months-long intrusion not detected? Comparatively, hacking the Naval Prefecture’s Twitter was no problem at all, if the media reports on the account’s low security settings are accurate. Simple fixes such as establishing two-factor authentication and password protocols could go a long way if implemented in a systematic and institutionalized fashion across Argentine government agencies.
Ultimately, this is not only a question of improving technical cybersecurity in some areas. After all, governments across the world struggle with similar issues—even those that can boast of advanced defenses. What should cause concern in this case is the apathetic response with which these events were met. If 700 GB of government information can be leaked without any response or outcry—not even the beginnings of a conversation on cybersecurity—this is indicative of an underlying problem. Not much can be fixed if no one cares.