WASHINGTON – A Russian hacking cartel carried out an extraordinary cyberattack against the government of Costa Rica, crippling tax collection and export systems for more than a month and forcing the country to declare a state of emergency.
The ransomware gang Conti, which is based in Russia, claimed credit for the attack, which began on April 12, and threatened to leak the stolen information until it paid $ 20 million. Experts who tracked Conti’s movements said the group had recently begun to shift its focus from the United States and Europe to countries in Central and South America, possibly to retaliate against nations that have supported Ukraine.
Some experts also believe Conti feared a crackdown by the United States and was seeking fresh targets, regardless of politics. The group is responsible for more than 1,000 ransomware attacks worldwide that have led to more than $ 150 million in revenue, according to estimates from the Federal Bureau of Investigation.
“The ransomware cartels figured out multinationals in the US and Western Europe are less likely to blink if they need to pay some ungodly sum in order to get their business running,” said Juan Andres Guerrero-Saade, a chief threat researcher at SentinelOne. “But at some point, you are going to tap out of that space.”
Whatever the reason for the shift, the hack showed that Conti was still acting aggressively despite speculation that the gang might disband after it was targeted at a hacking operation in Russia’s war on Ukraine in the early days. The criminal group, which pledged its support to Russia after the invasion, routinely targeted businesses and local government agencies in breaking into their systems, encrypting data and demanding a ransom restore it.
Of the Costa Rica hacking, Brett Callow, a threat analyst at Emsisoft, said that “this is probably the most significant ransomware attack to date.”
“This is the first time I can recall a transomware attack resulting in a national emergency,” he said.
Costa Rica has said it has agreed to pay the ransom.
The hacking campaign took place after Costa Rica’s presidential elections and quickly became a political cudgel. The previous administration releases its first official news in an attack downplayed, portraying it as a technical problem and projecting an image of stability and calm. But the newly elected president, Rodrigo Chaves, began declaring his term by a national emergency.
“We are at war,” Mr. Chaves said during a news conference on Monday. He said 27 government institutions had been affected by the ransomware attack, nine of them significantly.
The attack began on April 12, according to Mr Chaves’ administration, when hackers who said they were affiliated with Conti broke into Costa Rica’s Ministry of Finance, which oversees the tax system. From there, the ransomware spreads to other agencies that oversee technology and telecommunications, the government said this month.
Two former officials with the Ministry of Finance, who were not authorized to speak publicly, said the hackers were able to gain access to taxpayers’ information and interrupt Costa Rica’s tax collection process, forcing the agency to shut down some databases and resort to using About 15-year-old system stores revenue from its largest taxpayers. Much of the nation’s tax revenue comes from a relatively small pool of about a thousand major taxpayers, making it possible for Costa Rica to continue tax collection.
The country also relies on exports, and the cyberattack forced customs agents to do their work solely on paper. While the investigation and recovery are underway, taxpayers in Costa Rica are forced to file their tax declarations in person at financial institutions rather than relying on online services.
Mr. Chaves is a former World Bank official and finance minister who has promised to shake up the political system. His government declared a state emergency this month in response to the cyberattack, calling it “unprecedented in the country.”
“We are facing a situation of unavoidable disaster, of public calamity and of internal and abnormal commotion that, without extraordinary measures, cannot be controlled by the government,” Mr. Chaves’ administration said in its emergency declaration.
The state’s emergency allows agencies to move quickly to remedy the breach, the government said. But cybersecurity researchers said a partial recovery could take months, and that the government might never fully recover its data. The government may have some of its backup taxpayer information, but it would take some time for those backups to come online, and the government would first need to ensure it had removed Conti’s access to its systems, researchers said.
Russia-Ukraine War: Key Developments
In Mariupol. The bloodiest battle of the war in Ukraine ended in Mariupol, as the Ukrainian military ordered fighters holed up at a steel plant in the city to surrender. Ukraine’s decision to end combat gave Moscow full control over a vast sweep of southern Ukraine, stretching from the Russian border to Crimea.
Paying the ransom would not guarantee a recovery because Conti and other ransomware groups have been known to withhold data even after receiving a payment.
“Unless they pay the ransom, which they have stated they have no intention of doing, or backups that are going to enable them to recover their data, they are looking at total, permanent data loss,” Mr. Callow said.
When Costa Rica refused to pay the ransom, Conti began to threaten its data online, posting some files it accepted stolen information.
“It’s impossible to look at the decisions of the administration of the president of Costa Rica without irony,” the group wrote on its website. “All this could have been avoided by paying.”
On Saturday, Conti raised the stakes, threatening to delete the keys to restore the data if it did not receive payment within a week.
“With governments, intelligence agencies and diplomatic circles, the debilitating part of the attack is really not the ransomware. It’s the data exfiltration, “said Mr. Guerrero-Saade of SentinelOne. “You’re in a position where presumably incredibly sensitive information is in the hands of a third party.”
The breach, among other attacks carried out by Conti, led the US State Department to join the Costa Rican government in offering a $ 10 million reward to anyone who provided information that led to the hacking group of key leaders.
“The group perpetrated a transomware incident against the government of Costa Rica that severely impacted the foreign trade by disrupting its customs and tax platforms,” Ned Price, a State Department spokesman, said in a statement. “In offering this award, the United States demonstrates its commitment to protecting potential transitware victims from exploration around the world by cybercriminals.”
Kate Conger reported from Washington, and David Bolaños from San José, Costa Rica.