“Secret Folders”: the technical report of the Office of the Attorney General




Ten hard drives, five cell phones, eight SIM cards, 12 USB sticks, a micro SD memory card, 316 DVDs and compact discs, including eight found inside a gray safe, 189 pages of documents and five Arduinos (boards that can be programmed for Windows, Mac or free software): this was the material that the Office of the Prosecutor took away from an Army Cyber Intelligence battalion on December 18, at the request of Judge Cristina Lombana, member of the Special Instruction Chamber of the Supreme Court of Justice.

That is the initial information in a 62-page report that the Office of the Attorney General sent to Judge Lombana on May 4, just after the magazine Semana published an investigation entitled “Secret Folders”, in which it revealed that Army military intelligence had carried out computer monitoring of more than 130 people, including journalists, trade unionists and even politicians close to President Duque, such as Ambassador Jorge Mario Eastman. The report, known in its entirety to The viewer, is also in the hands of the Prosecutor’s Office.

This is essentially a technical report, requested by Magistrate Lombana herself as soon as the proceeding had ended at the Cyberintelligence Battalion located in Facatativá (Cundinamarca). Lombana arrived there with a judicial police team made up of officials from the Office of Special Investigations of the Office of the Attorney General and from the Police Department, acting on an anonymous complaint she received in her institutional email the day before the raid, on December 17, 2019. In the message, revealed by this newspaper, there were details that caught her attention.

According to the anonymous complaint, the information held in that and other military units also had to do with the case of shootings by the Army of people related to the peace negotiations with the FARC. This is an episode known under the name Andrómeda, for which the hacker Andrés Sepúlveda was sentenced to 10 years in prison after admitting charges, and which led to a preliminary investigation of ex-president Álvaro Uribe that today is in the hands of Magistrate Lombana. With all those items on the table, Lombana ended up at the Cyber Intelligence Battalion.

In what the Office of the Attorney General seized and submitted to forensic analysis, a specific mention of the Andromeda issue appears. It is a three-page letter labeled “Exclusive to the Colombian Military Forces Command, National Army, Technical Intelligence Battalion No. 3”. It was prepared on January 24, 2014, that is, just one day after the CTI dismantled the premises that military intelligence had rented in the Galerías neighborhood, in northwestern Bogotá, in order to illegally intercept from there the communications of people related to the peace process.

The recipient of the document, the report indicates, was General (r) Jorge Andrés Zuluaga López, a reputed officer who participated in Operation Jaque and who, by the time the CTI of the Prosecutor’s Office exposed the Andromeda facade, commanded the Central Intelligence Technique. The sender of the letter was Colonel Kurman Hernán Rivera Alfonso, then commander of the Technical Intelligence Battalion No. 3, who was called for questioning when the Andromeda scandal broke out in February 2014. That is, a month after the CTI found the site.

“Rivera Alfonso [who, apparently, was in charge of Operation Andromeda] gives a detailed report of the activities carried out by CTI officials on January 23, 2014, at the site known as ‘Buggly Ethics Hacking’ (…) where, the aforementioned said, the façade within the Andromeda operation worked.” Colonel Rivera Alfonso, for his part, gave instructions to the then-major Joany Alonso Guerrero “on how he should act under this situation and, likewise, the latter [Rivera Alfonso] reported the situation to the general [Zuluaga] via telephone”.

“In one part of the letter, Mr. TC [lieutenant colonel] Rivera Alfonso makes it very clear to the BG [brigadier general] Zuluaga López that during the raid, the façade did not burn and that in the seized computers there was no information obtained in compliance with the functions of the company, nor is there evidence of the carrying out of illegal activities,” explains the report of the Office of the Attorney General, which also indicates that one day after the CTI raid, officer Rivera Alfonso called an urgent meeting at the Bogota Military Club.

There, he met a corporal named Michael Beltrán Pachón and a lawyer whose name reappeared in the raid on the Cyberintelligence Battalion: Hernando Cucunubá, identified at the time as “in charge of legal advice.” The litigator, Semana reported in January of this year, tried to hinder Judge Cristina Lombana’s proceeding and has also been a lawyer for one of the five colonels that the Ministry of Defense withdrew from the Army a few days ago in connection with the “Secret Folders” scandal: Milton Eugenio Rozo Delgado.

Perseus, Theseus and other computer tools

“From the evidence analyzed, it can be inferred that the Cyberintelligence Battalion (BACIB) of the Colombian National Army, located in (…) Facatativá (Cundinamarca), has the ability to access email accounts.” That was the general conclusion reached by the Office of Special Investigations of the Office of the Attorney General in its report. It assigned five people to dedicate themselves fully to this material, which was so extensive that it led them to ask Magistrate Lombana for an extension to submit this final report.

The Office of the Attorney General set about the task of making forensic images (mirror copies) of everything that was seized in this military unit. On many of the devices no information “of relevance to the case” was found, but on others, apparently, there was. On the hard disk that belonged to a sergeant named Sergio Reyes Fandiño, for example, “databases were found with identifiers belonging to people from the government of other countries (Venezuela, Ecuador, Nicaragua, Russia, Turkey, United States), of the military and photos of a tribute to Dilan Cruz in Neiva.”

On that same hard disk there was a radiogram of Colonel Benjamín Ramírez Villalobos, from 2019, in which it was prohibited to “remove fiscal material belonging to BRIMI1”. In the anonymous letter received by Judge Lombana, it was mentioned that in the Military Intelligence Brigade No. 1 (Brimi 1), illegal activities were being carried out on communications from people who were unjustifiably on the Army’s radar. And, on that same hard drive, there were screenshots of chat images “allegedly of people belonging to the Venezuelan government.”

That device also revealed three technical tools that the Army has used to intercept communications, in theory, of “legitimate targets”: Perseus, Osiris and Cerberus. As Snail News revealed a couple of days ago, there are photographs of the passports of people like former President Ernesto Samper, and more people who work with him, and of an officer of the International Monetary Fund, Antonio Pancorbo de Rato; the passport of the Spanish citizen Joaquín Gutiérrez García; and that of the Argentine citizen Cristina Alejandra Fahile.

Likewise, it was learned that people from the Army had met “with Mr. Moshe Sahar at the Reyzone company [sic] in the city of Bogotá in order to analyze the Geomatrix tool of the geolocation system”. It is an Israeli company, whose main headquarters are located in Tel Aviv, which promotes itself as a manufacturer of “cyber and intelligence solutions for federal and government agencies.” And finally, on that hard disk were found unedited operating orders that had appeared in edited form on other devices.

On the external hard drive of Sergeant Wílmar Lean Neiva, the name of another wiretapping tool appeared: Theseus. On that of Sergeant Hernández Galván, who was transferred and replaced by Sergeant Luis Montoya Parra by order of Colonel (r) Milton Rozo, there are “certifications signed by different officials stating that BRIMI-1 does not have the capacity, missionary and authorization, among others, that allow the interception of communications.”

This is one of the devices that could be compromising for the Army. There are references to “information collected from targets that were not framed in the mission,” or reports classified as top secret “in which they clearly indicate the objectives or threats that were the subject of cyber intelligence work.” And then the report points out: “However, there are requirements related to information searches for targets that do not refer to which target they belong to.”

A needs plan of the Cyberintelligence Battalion stored on that hard disk speaks of “Invisible Man”, software specialized in intervening equipment such as computers or cell phones without leaving a trace. Acquiring it, which happened in 2019, was one more step in the cyber defense plan that began to take shape in the Army in 2011. It was done through direct and reserved hiring, and the purchase had to be top secret because, if it became known that the tool was in Army hands, it would be rendered useless.

The same device also speaks of the “Sable Project”, consisting of the “development of software that allows, through intrusive procedures, to collect information from computer systems of the threat anonymously for analysis and dissemination. The above under the criteria in which the Operational Requirements of the Unit must be adjusted.” And of Operation Troy: development of remote administration tools for Android with real-time access to obtain information from web pages.

Another hard drive was found in the personnel office, and that part of the proceeding was attended by Colonel (r) Milton Rozo. It explains that Android phones are monitored with Perseus, as with Osiris; that Légolas makes it possible to generate a hyperlink to carry out a “passive recognition of the target machine”; that the Panzer project is a “computer intrusion” tool that can even send files “to the adversary’s computer systems”; and that the basis of the Shark project is to create web pages to deceive the “adversary” and collect information from him.

This device holds activity reports that speak of, for example, “47 accesses to computer communication systems of the different war hypotheses ordered by the superior command (Rosa 25) (Dalia 6) (Lirio 16)”, which released 18,748 files with data of interest to military intelligence that were forwarded to prosecution. War hypotheses, military sources explained to this newspaper, are external targets, that is, other countries, which in this case, they calculate, could be Venezuela and Russia, among others.

Some of the material disclosed by Semana in the “Secret Folders” edition appeared on the USB stick of Sergeant César Gutiérrez. For example, files called “Special Case” and “Special Work” included “analyzes carried out on different personalities among journalists (nationals and foreigners), politicians and the military, as well as ordinary citizens.” The sources of these analyses are, says the document, “examinations of the reactions on social networks of the aforementioned” and publications in the media.

“It is important to highlight that within the format used for the presentation of the ‘special cases’, as well as the ‘special works’, it usually contains personal, family and publication information on social networks of people included in them.” There are also records of “multiple” consignments in Davivienda and BBVA associated with three military operations to “people allegedly linked to the tactical unit under investigation, without the use of the resources exposed there being clear.”

In general, this is the material listed in the scientific technical report that the Office of the Attorney General delivered to Judge Cristina Lombana on May 4 and which, in turn, has already been forwarded to the Prosecutor’s Office. “This report has a strictly analytical and technical contextualization scope. It does not contemplate, among others, appraisals of the legal orbit, which should be evaluated, if required by that Office (that of the magistrate) for the process in question,” warns, at the outset, the Office of the Attorney General.


2020-05-13T05:00:00-05:00


Judicial Writing


The report of what was found in the Facatativá Cyberintelligence Battalion
