WASHINGTON — A Russian hacking cartel carried out an extraordinary cyber attack on the government of Costa Rica, crippling tax collection and export systems for more than a month so far, forcing the country to declare a state of emergency.
The Conti ransomware gang, which is based in Russia, has claimed credit for the attack, which began on April 12, and has threatened to leak the stolen information unless it is paid $20 million. Experts following Conti’s moves said the group had recently begun to shift its focus from the United States and Europe to countries in Central and South America, perhaps seeking revenge on countries that have supported Ukraine.
Some experts also believe that Conti feared a crackdown by the United States and sought new targets regardless of politics. According to estimates by the Federal Bureau of Investigation, the group is responsible for more than 1,000 ransomware attacks worldwide that resulted in profits of more than $150 million.
“The ransomware cartels have found that multinational corporations in the US and Western Europe are less likely to blink if they have to pay an ungodly amount to keep their business going,” said Juan Andres Guerrero-Saade, a senior threat researcher at SentinelOne. “But at some point you’re going to tap into that space.”
Whatever the reason for the shift, the hack showed that Conti was still acting aggressively despite speculation that the gang could disband after being the target of a hacking operation in the early days of Russia’s war against Ukraine. The criminal group, which supported Russia after the invasion, routinely targets businesses and local government agencies by breaking into their systems, encrypting data and demanding a ransom to recover it.
Of the hacking in Costa Rica, Brett Callow, a threat analyst at Emsisoft, said “it may be the most significant ransomware attack yet.”
“This is the first time I can remember a ransomware attack that led to a national emergency,” he said.
Costa Rica has said it refused to pay the ransom.
The hacking campaign took place after Costa Rica’s presidential election and quickly became a political cudgel. The previous administration downplayed the attack in its first official press releases, portraying it as a technical problem and conveying an image of stability and calm. But the newly elected president, Rodrigo Chaves, began his tenure by declaring a national emergency.
“We are at war,” Mr. Chaves said at a news conference Monday. He said 27 government agencies were affected by the ransomware attack, nine of them significantly.
The attack began on April 12, according to Mr. Chaves’s administration, when hackers alleged to have ties to Conti broke into Costa Rica’s Ministry of Finance, which oversees the country’s tax system. From there, the ransomware spread to other agencies overseeing technology and telecommunications, the government said this month.
Two former Finance Ministry officials, who were not authorized to speak publicly, said the hackers had access to taxpayer information and interrupted Costa Rica’s tax collection process, forcing the ministry to shut down some databases and to rely on an almost 15-year-old system to record the revenue of the largest taxpayers. Much of the country’s tax revenue comes from a relatively small pool of about a thousand major taxpayers, which allowed Costa Rica to keep collecting taxes.
The country is also dependent on exports, and the cyber attack forced customs officials to do their work on paper only. While the investigation and recovery are ongoing, taxpayers in Costa Rica are being forced to file their tax returns in person with financial institutions rather than relying on online services.
Mr. Chaves is a former World Bank official and finance minister who has pledged to shake up the political system. His government declared a state of emergency this month in response to the cyber attack, calling it “unprecedented in the country.”
“We are faced with a situation of unavoidable disaster, of public calamity and internal and abnormal unrest that cannot be controlled by the government without extraordinary measures,” the Chaves government said in its emergency statement.
The state of emergency will allow agencies to act more quickly to remedy the breach, the government said. But cybersecurity researchers said a partial recovery could take months and the government may never fully recover its data. The government may have backups of some of its tax information, but it would take time to bring those backups online, and the government would first have to make sure it had removed Conti’s access to its systems, researchers said.
Paying the ransom would not guarantee recovery as Conti and other ransomware groups are known to withhold data even after receiving a payment.
“Unless they pay the ransom, which they don’t plan to do, or have backups that they can use to restore their data, they may be looking at total, permanent data loss,” said Mr. Callow.
When Costa Rica refused to pay the ransom, Conti threatened to leak its data online and posted some files that it claimed contained stolen information.
“It is impossible to look without irony at the decisions of the government of the President of Costa Rica,” the group wrote on its website. “All this could have been prevented by paying.”
On Saturday, Conti raised the stakes and threatened to delete the decryption keys needed to recover the data if payment was not received within a week.
“In governments, intelligence agencies and diplomatic circles, the debilitating part of the attack really isn’t the ransomware. It’s the data exfiltration,” said Mr. Guerrero-Saade of SentinelOne. “You are in a position where it is believed that incredibly sensitive information is in the hands of a third party.”
The breach, among other attacks carried out by Conti, prompted the United States Department of State to partner with the Costa Rican government to offer a $10 million reward to anyone who provided information leading to the identification of key leaders of the hacking group.
“The group perpetrated a ransomware incident against the government of Costa Rica that severely impacted the country’s foreign trade by disrupting customs and tax platforms,” Ned Price, a spokesman for the State Department, said in a statement. “By offering this reward, the United States is demonstrating its commitment to protecting potential ransomware victims around the world from being exploited by cybercriminals.”
Kate Conger reported from Washington, and David Bolaños from San Jose, Costa Rica.