On October 25, the Carabineros, Chile’s national police force, found itself in a compromising situation due to cyberattack. Along with the unrest the country was experiencing, a new crisis was brewing: a vast amount of information and data from the police force’s databases was appearing online.

Among the leaked information was a database containing the names and surnames, badge numbers, gender, and precinct of all the agents and officers of the police force, along with a list of credentials that would allow anyone to access the Carabineros’ online portal.

10,515 files of sensitive information_

Despite how serious it was, this first leak wasn’t the worst one. On October 26, just 24 hours later, the second breach took place. In this case, the source code of the electronic documentation platform, DOE, was leaked. This leak meant that anyone with a certain level of IT knowledge could access this website, consult the information there, and download internal police files. What’s more, the cybercriminals behind these leaks released a statement entitled “This is how they protect the country? Where’s the National Intelligence Agency (Dipolcar)?” The statement was accompanied with an image proving that they had accessed the database where all procedural information about Chilean citizens is stored.

As if that weren’t enough, a third, even more serious leak appeared: 10,515 files containing not just private Carabineros information, but also details about specific actions they had taken, as well as information about senior officials. Among the documents were commanders’ cellphone numbers, addresses for warehouses containing riot gear (hand grenades, cartridges, weapons…), patrol schedules, strategies for controlling protests, “people of interest”, secret communications codes, arms purchase contracts, routine reports, names and private information of officers sent to sensitive parts of the country, and home addresses of senior officials protected by the police. What’s more, there was private and personal information on people arrested over the last few years. All of this meant that Chile was dealing with the largest cyberattack in its history. It was even bigger than the attack on 13 Chilean banks in mid-2019, just months before this attack, in which over 42,000 credit cards were put at risk.

But the crisis hasn’t come to an end this year. As The Clinic revealed, the latest files, leaked in January, uncover a worrying suicide rate among agents—far higher than the average for the country as a whole. It also highlights increased alcohol consumption, and even a rape, all of which has inevitably damaged the force’s reputation.

The keys to avoid these cyberattacks_

So far, no details have emerged about the method used by the cybercriminals to access all the leaked information. What is clear, however, is that they were able to get onto the Carabineros’ IT systems and move around freely without being properly detected.

This event reveals the need for any public institution to be aware of the state of all its endpoints and all the processes that are running on them, even if no alarms are raised because of the use of illicit tools. In this sense, it is vital to combine automated analysis with human supervision by cybersecurity professionals. To respond to this need, at Cytomic we developed Cytomic Platform. This is a cloud-based platform that processes large volumes of data and threat intelligence analytics with artificial intelligence algorithms, which are able to correlate and analyze over 8 million interconnected events in real time. It can also classify applications based on their behavior, and search for any kind of suspicious activity by analyzing scalable data in the cloud, even if if there’s no evidence of malicious activity. Only with a strategy of this kind would it have been possible for the Carabineros to detect the possible intrusion before it was too late.

The cyberattackers_

With the damage already done, it didn’t take the Chilean police long to start investigating the cause of the leak and, more importantly still, the identity of the cybercriminal or cybercriminals who were behind the attack. At the start of December, almost six weeks after the crisis began, the 28-year-old Exequiel Plaza Ibáñez was arrested. At the time of the arrest, the police confiscated four computers, more than five cellphones, two iPads, several pen drives, hard drives, and almost 3 million Chilean pesos (around €3,500) in cash. He admitted to having created up to four different websites where he published the leaked databases.

But, does this mean he was behind the cyberattack? Not according to Anonymous. The collective shared a statement alleging that “the person arrested has no relationship with the event in question: all he did was to take the leaked data, organize it with consultative scripts, and index it. “We are the real culprits for the leak, but no members of Anonymous Chile have been arrested”.

Whoever was behind this attack, the key to avoiding this kind of incident is to combine human supervision with advanced technology that uses a proactive, zero-trust approach to analyze all running processes, evaluate parameters, detect anomalies or suspicious behavior, and act before any damage can be done.