Costa Rica, A Country Without an Army, Is At War With (Mainly) Russian Hackers

The Russia-based hacker group Conti’s cyberattack on Costa Rica continues to metastasize, spreading to 27 government institutions.

Big things are happening in the small Central American country of Costa Rica that could end up having global repercussions. In April the country suffered a crippling ransomware attack against its finance ministry. Weeks later, the country’s incoming President (and former World Bank economist) Rodrigo Chaves Robles announced that Costa Rica is now locked in a digital war with Conti, a Russia-based group of hackers.

“We’re at war and this is not an exaggeration,” Chaves said in his inaugural speech on May 8. The war, Chaves continued, “is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti.”

This is a powerful statement coming from the head of state of a country that hasn’t had a standing army since 1948 and which prides itself on its peaceful nature. Together with Panama, Costa Rica is one of only two countries in Latin America that doesn’t have an army of its own. This means it is disproportionately dependent on US “assistance” in security matters (h/t Jacob Hatch).

Metastasis

In recent weeks the Conti cyberattack has continued to metastasize, spreading to 27 government institutions, nine of which have been “seriously affected,” according to Chaves. The departments targeted include the treasury, labor ministry, tax administration and the social security fund. The hackers have also brought down certain parts of Costa Rica’s electrical grid and have threatened to target private businesses in the country if the government doesn’t cough up.

Most importantly, the hackers have hijacked the Finance Ministry’s tax filing and foreign trade systems. As a result, the Ministry has been unable to digitally collect tax payments and customs receipts since April 18. It is also unable to verify budget results without use of its online services. Over a month after the initial attack, only some of the services have been restored.

When the attack began, Chaves’ predecessor, Carlos Alvarado Quesada, refused to pay the $10 million ransom demanded by Conti. In response, Conti released 97% of the data it had exfiltrated while doubling its initial ransom demand to $20 million. If that is not paid, the group says it will bring down the Chaves government by destroying the decryption keys that would reactivate government systems, plunging the country’s IT systems into chaos and further crippling the economy. Conti has also threatened to publish online the forty-six remaining gigabytes of classified information taken from highly sensitive departments of Costa Rica’s government.

The attacks have already had an “enormous” impact on foreign trade and tax collections in the country, said Chaves. According to a BBC World article (in Spanish), tens of millions of dollars have already been lost as a result, which is a lot of money for a country with a GDP of just $61 billion.

Who Is the Conti Group?

The ransomware used in the attack, Conti, is believed to be distributed by the Conti Group, which is based in Russia but has members around the world, including, ironically, in Ukraine. According to the cyber security company Recorded Future, one of the gang’s Ukrainian members leaked internal chats after the group’s leaders posted an aggressive pro-Russian message on their official site after Russia’s invasion of Ukraine. The leaked messages suggest that Conti operates much like a regular company, with salaried employees, bonuses and performance reviews.

The US Department of State estimates that Conti has extracted more than $150 million in over a thousand ransom payments, making it the most costly ransomware variant ever known. Here’s more from The National Interest’s Paul Brian:

Russia-based Conti is one of the most effective ransomware gangs in the world and has extracted huge sums from targets in every place and industry imaginable. It made waves for launching a devastating broadside in May of last year against Ireland’s health services, causing weeks of severe disruptions and an estimated $48 million in recovery costs. Ireland never paid the $20 million the group demanded at that time, and it is not fully clear how the Irish saved their system from the ransomware threats without paying.

As Marco Figueroa observed: “This group has shown itself to be a multi-layered organization that takes time to encrypt endpoints, servers, and backups. This complete control adds pressure to the victims to pay the ransom requested from Conti.”

The Conti gang is given free rein by the Putin administration and has largely evaded any serious consequences inside Russia for its criminal actions. While the closeness of its ties to Russia’s FSB security architecture and Cozy Bear (APT29) hackers remains in question, disclosed chat logs show that the group has agreed not to cross Russia’s geopolitical interests in return for the authorities turning a blind eye. The group has members in various countries outside Russia, and not all agree with the pro-Putin stand, but its general thrust is pro-Russian.

Why Costa Rica?

The attack against Costa Rica is widely believed to be financially driven. Costa Rica would certainly make for a curious choice of target for a state-directed cyberattack, given that the country has not had an army for 73 years. That said, the country has digitized its government services more rapidly than most of its Central American peers, while investing far less in cyber security than more advanced economies have, making it an easy target for the likes of Conti.

Continue reading on Naked Capitalism
