China-linked cyber espionage hits Guatemala, escalating geopolitical concerns
The group's operations reflect a broader goal: collecting political and economic intelligence on Latin American and Caribbean nations that either support or resist China's Belt and Road Initiative.
![In this photo a member of the Red Hacker Alliance, known only as 'Prince,' monitors global cyberattacks from a computer at the group's office in Dongguan, China. [Nicolas Asfouri/AFP]](/gc4/images/2025/05/13/50391-guatemala_china-600_384.webp)
By Francisco Hernández
GUATEMALA CITY -- A cyberattack on Guatemala's Foreign Ministry (MINEX) by the China-based hacking group APT-15 has drawn serious concern from security watchers, who warn that the breach may have geostrategic implications given Guatemala's diplomatic ties with Taiwan, Israel and the United States.
On April 29, Guatemalan officials, in coordination with the United States, confirmed that the ministry's computer systems had been compromised by APT-15, also known by aliases including Vixen Panda, Nickel and Nylon Typhoon.
The US embassy in Guatemala stated on X that a joint cybersecurity review with the US Department of Defense determined that the attack had fully penetrated the ministry's digital infrastructure. The embassy attributed the intrusion to Chinese cyber espionage actors.
"During the review, the joint team identified the presence of advanced persistent threat APT-15… within certain Guatemalan government systems. This group, associated with China, has been linked to intrusions of government organizations across the globe, with a focus on Central and South America," the embassy said in a statement released on April 29.
![The entrance to Guatemala's Foreign Ministry, which suffered a cyberattack attributed to the China-based APT-15 hacking group. [Guatemalan Foreign Ministry]](/gc4/images/2025/05/13/50390-minex_guatemala-600_384.webp)
The cyberattacks targeting MINEX began at a politically sensitive moment, in the lead-up to the 2023 presidential elections that ultimately brought Bernardo Arévalo of the Semilla movement to power, Pedro Trujillo, a professor of 20th-century history and geopolitics at Francisco Marroquín University in Guatemala City, told Entorno.
Guatemala's international alignment
China was the only actor with a strategic interest in launching such an operation, Trujillo, who formerly served as dean of the university's Faculty of Political Studies, International Relations and Journalism, said.
"The strategic vector of Guatemala's foreign policy is what's at stake," he noted, pointing to the country's longstanding diplomatic ties with Taiwan, the United States and Israel.
For China, Trujillo added, "understanding the direction of the incoming government's foreign policy was critical, particularly given Beijing's sustained pressure across Central America to isolate Taiwan and secure formal diplomatic recognition."
Beyond the immediate security implications, he warned, the attacks strike at the core of Guatemala's international alignment. It is not just about data; it is about geopolitical influence.
"The strategic vector of international relations," said Trujillo. "That's the most fundamental issue here."
The cyberattack on MINEX underscores China's growing efforts to expand its influence in Central America, a region where "the diplomatic balance is delicate," the digital news outlet Centroamérica360 reported on April 29.
"Guatemala is Taiwan's strongest ally in Central America and the Caribbean," the outlet noted of an alliance that has long been a point of tension with Beijing.
Guatemala City and Taipei established diplomatic relations in 1960 and have since deepened cooperation in trade, investment, education and defense. During the past six decades, Guatemala has repeatedly reaffirmed its support for Taiwan in international forums, often in defiance of mounting pressure from China.
The hacking group known as Vixen Panda, linked to Beijing and identified as part of the APT-15 cyber espionage network, has previously targeted entities connected to countries around China's Belt and Road Initiative, including government agencies, energy firms, military institutions and financial organizations, Centroamérica360 reported.
The group's activity, the report added, reflects its broader mission: to conduct political and economic espionage against countries aligned with or critical to China's global infrastructure ambitions.
China's silent offensive
A pattern of sophisticated cyberattacks on Guatemalan government institutions, linked to Chinese state-sponsored groups, has been under way since at least 2022, according to national intelligence sources, local media and cybersecurity analysts.
Details remain classified for national security reasons, but public records confirm a sustained campaign targeting MINEX and other state entities.
"Although neither Guatemala nor the United States has specified when the breach occurred, MINEX publicly acknowledged in October 2022 that it had suffered a cyberattack that disrupted several digital services," Prensa Libre reported in an article published on April 30.
The incident formed part of a broader surge in cyberattacks. A report by Check Point Research, cited by Prensa Libre in December 2023, recorded 6,316 cyber intrusions in Guatemala over a six-month span, with almost 60% targeting government entities.
This backdrop reinforces recent warnings by President Arévalo, who declared during a cybersecurity training event in late April: "We are not talking about theoretical speculation or future risks. We are talking about active threats."
APT-15 has operated in Latin America for at least three years, exploiting common vulnerabilities in virtual private networks as well as in Microsoft Exchange servers and SharePoint systems.
APT-15's operations align with Beijing's geopolitical goals. Rather than merely stealing data, the group seeks intelligence that advances China's strategic interests, from trade negotiations to military planning. Its attacks often begin with spear-phishing emails and escalate into long-term surveillance operations enabled by shared malware infrastructure.
In addition to Guatemala, APT-15 has been active in Chile, Argentina, Mexico, Peru and Colombia, underscoring what analysts describe as a systematic campaign of digital influence projection in the region by China.