Cyberattack causes chaos in government systems in Costa Rica
SAN JOSE, Costa Rica (AP) — Nearly a week after the start of a ransomware attack that crippled Costa Rican government computer systems, the country has refused to pay a ransom as it struggles to implement workarounds and braces itself as hackers begin to release stolen information.
The Russian-speaking Conti gang claimed responsibility for the attack, but the Costa Rican government has not confirmed its origin.
The Ministry of Finance was the first to report problems on Monday. A number of its systems have been affected, from tax collection to import and export processes through the customs agency. Attacks on the human resources system of the social security agency and on the Ministry of Labor, as well as others, followed.
The initial attack forced the Ministry of Finance to shut down for several hours the system responsible for paying a good part of the country’s public employees, which also manages the payment of state pensions. It also had to grant extensions for the payment of taxes.
Conti had not released a specific ransom amount, but Costa Rican President Carlos Alvarado said, “The Costa Rican state will not pay anything to these cybercriminals.” A figure of $10 million circulated on social media platforms, but did not appear on Conti’s site.
Costa Rican businesses worried about confidential information provided to the government that could be published and used against them, while average citizens worried that personal financial information could be used to clean out their bank accounts.
Christian Rucavado, executive director of the Costa Rican Chamber of Exporters, said the attack on the customs agency had collapsed the country’s import and export logistics. He described a race against time for perishables waiting in cold storage and said they still had no estimate of economic losses. Trade was still moving, but much more slowly.
“Some borders have delays because they’re doing the process manually,” Rucavado said. “We have asked the government for various actions such as expanding opening hours so that they can deal with exports and imports.”
He said that normally Costa Rica exports a daily average of $38 million worth of products.
Allan Liska, an intelligence analyst with security firm Recorded Future, said Conti was pursuing double extortion: encrypting government files to freeze agencies’ ability to operate and posting stolen files to the group’s extortion sites on the dark web if a ransom was not paid.
The first part can often be overcome if systems have good backups, but the second is trickier depending on the sensitivity of the stolen data, he said.
Conti typically rents out its ransomware infrastructure to “affiliates” who pay for the service. The affiliate attacking Costa Rica could be anywhere in the world, Liska said.
A year ago, a Conti ransomware attack forced the Irish healthcare system to shut down its IT system, canceling appointments, treatments and surgeries.
Last month, Conti pledged its services to support Russia’s invasion of Ukraine. This decision angered cybercriminals sympathetic to Ukraine. It also prompted a security researcher who had been monitoring Conti for a long time to leak a massive trove of internal communications between certain Conti operators.
When asked why Central America’s most stable democracy, known for its tropical wildlife and beaches, would be a target for hackers, Liska said motivation is usually more about weaknesses. “They’re looking for specific vulnerabilities,” he said. “So the most likely explanation is that Costa Rica had a number of vulnerabilities and one of the ransomware actors discovered those vulnerabilities and was able to exploit them.”
Brett Callow, ransomware analyst at Emsisoft, said he reviewed one of the leaked files from the Costa Rican Ministry of Finance and “there doesn’t seem to be much doubt that the data is legitimate.”
On Friday, Conti’s extortion site said it had released 50% of the stolen data. It said the release included more than 850 gigabytes of data from the databases of the Ministry of Finance and other institutions. “All of this is ideal for phishing, we wish our colleagues in Costa Rica good luck in monetizing this data,” it said.
This seemed to contradict Alvarado’s assertion that the attack was not about the money.
“My opinion is that this attack is not about money, but rather seeks to threaten the stability of the country at a point of transition,” he said, referring to his outgoing administration and the swearing-in of the new president of Costa Rica on May 8. “... not achieve it.”
Alvarado hinted at the possibility that the attack was motivated by Costa Rica’s public rejection of the Russian invasion of Ukraine. “You also cannot separate it from the complex global geopolitical situation in a digitized world,” he said.
AP writer Frank Bajak in Boston contributed to this report. Sherman reported from Mexico.