Russian Hacking Cartel Attacks Costa Rican Government Agencies

WASHINGTON — A Russian hacking cartel has carried out an extraordinary cyberattack on the government of Costa Rica, crippling tax collection and export systems for more than a month so far and forcing the country to declare a state of emergency.

The Russia-based Conti ransomware gang claimed responsibility for the attack, which began on April 12, and threatened to release the stolen information unless it was paid $20 million. Experts who follow Conti’s movements say the group has recently begun shifting its focus from the United States and Europe to countries in Central and South America, possibly to retaliate against nations that supported Ukraine.

Some experts also believe that Conti feared repression from the United States and was looking for new targets, regardless of politics. The group is responsible for more than 1,000 ransomware attacks worldwide that have generated revenue of more than $150 million, according to Federal Bureau of Investigation estimates.

“Ransomware cartels have found that multinational corporations in the United States and Western Europe are less likely to blink if they have to pay an ungodly sum to run their business,” said Juan Andres Guerrero-Saade, senior threat researcher at Sentinel One. “But at some point you’re going to exploit that space.”

Whatever the reason for the change, the hack showed that Conti was still acting aggressively despite speculation that the gang might be disbanding after being the target of a hacking operation at the start of Russia’s war on Ukraine. The criminal group, which pledged its support to Russia after the invasion, regularly targets businesses and local government agencies by breaking into their systems, encrypting data and demanding a ransom to restore it.

Commenting on the Costa Rica hack, Brett Callow, threat analyst at Emsisoft, said that “this is probably the most significant ransomware attack to date”.

“This is the first time I remember a ransomware attack resulting in the declaration of a national emergency,” he said.

Costa Rica said it refused to pay the ransom.

The hacking campaign took place after Costa Rica’s presidential elections and quickly became a political cudgel. The previous administration downplayed the attack in its first official press releases, describing it as a technical problem and projecting an image of stability and calm. But newly elected president Rodrigo Chaves began his term by declaring a national emergency.

“We are at war,” Mr. Chaves told a news conference on Monday. He said 27 government institutions were impacted by the ransomware attack, nine of them significantly.

The attack began on April 12, according to Mr. Chaves’ administration, when hackers claiming to be affiliated with Conti broke into Costa Rica’s finance ministry, which oversees the country’s tax system. From there, the ransomware spread to other agencies that oversee technology and telecommunications, the government said this month.

Two former finance ministry officials, who were not authorized to speak publicly, say hackers were able to access taxpayer information and disrupt Costa Rica’s tax collection process, forcing the agency to shut down certain databases and to use a nearly 15-year-old system to store the income of its largest taxpayers. Much of the country’s tax revenue comes from a relatively small pool of about a thousand large taxpayers, which allows Costa Rica to continue collecting taxes.

The country is also dependent on exports and the cyberattack has forced customs officers to do their job only on paper. While investigation and collection are ongoing, taxpayers in Costa Rica are forced to file their tax returns in person with financial institutions rather than using online services.

Mr. Chaves is a former World Bank official and finance minister who has promised to shake up the political system. His government declared a state of emergency this month in response to the cyberattack, calling it “unprecedented in the country”.

“We are facing a situation of inevitable catastrophe, public calamity and internal and abnormal unrest which, without extraordinary measures, cannot be controlled by the government,” Chaves’ administration said in its emergency declaration.

The state of emergency allows agencies to act more quickly to address the breach, the government said. But cybersecurity researchers said a partial recovery could take months and the government may never fully recover its data. The government may have backups of some of its taxpayer information, but it would take some time for those backups to come online, and the government should first ensure that it has removed Conti’s access to its systems, researchers said.

Paying the ransom would not guarantee recovery as Conti and other ransomware groups are known to withhold data even after receiving payment.

“Unless they pay the ransom, which they said they have no intention of doing, or have backups that will allow them to recover their data, they are potentially looking at total and permanent loss of data,” Callow said.

When Costa Rica refused to pay the ransom, Conti began threatening to leak its data online, posting some files it claimed contained stolen information.

“It is impossible to look at the decisions of the administration of the president of Costa Rica without irony,” the group wrote on its website. “All of this could have been avoided by paying.”

On Saturday, Conti upped the ante by threatening to delete the keys needed to restore the data if it did not receive payment within a week.

“With governments, intelligence agencies and diplomatic circles, the debilitating part of the attack really isn’t the ransomware. It’s the data exfiltration,” SentinelOne’s Mr. Guerrero-Saade said. “You are in a position where possibly incredibly sensitive information is in the hands of a third party.”

The breach, among other attacks by Conti, led the US State Department to join the Costa Rican government in offering a $10 million reward to anyone who provides information that could identify the hacking group’s top leaders.

“The group perpetrated a ransomware incident against the Costa Rican government that severely affected the country’s foreign trade by disrupting its customs and tax platforms,” State Department spokesman Ned Price said in a statement. “By offering this award, the United States is demonstrating its commitment to protecting potential ransomware victims around the world from exploitation by cybercriminals.”

Kate Conger reported from Washington and David Bolaños from San José, Costa Rica.

Ashley C. Reynolds