Jorge Mora, head of digital governance for Costa Rica, received a message in April from one of his officials: “We couldn’t contain it and they have encrypted the servers. We have disconnected the entire ministry.”
I was being updated on a harrowing cyberattack by a notorious Russian ransomware group called Conti, which began in the Central American country’s finance ministry and eventually caught 27 different ministries in a series of interlinked attacks that played out over weeks.
The attack was “impressive in its scope,” according to a Western official. Hackers often manage to gain access to individual systems, but the Costa Rican case highlights the risk weak cybersecurity poses to a nation’s entire IT infrastructure. In Costa Rica, Conti had spent weeks, if not months, tunneling into his government systems, jumping from one ministry to another.
Conti offered to return the data: at a price of up to $20 million. But the Costa Rican government refused to pay the ransom. Instead, newly installed President Rodrigo Chaves declared a national emergency, launched a hunt for suspected “traitors,” and leaned on more tech-savvy allies like the US and Spain to come to his aid.
“We are at war, and that is not an exaggeration,” Chaves said in the days after his inauguration in mid-May, blaming the previous administration for hiding the true extent of the disturbance, which he likened to terrorism.
The standoff left parts of Costa Rica’s digital infrastructure crippled for months, crippling online tax collection, disrupting public health care and the payment of some public sector workers.
Meanwhile, Costa Rica’s shadowy torturers were a spent force, victims of geopolitical rivalries in the piracy world that had been inflamed by the war in Ukraine. After declaring support for the Russian invasion on February 24, the group was betrayed by one of its members, allegedly a Ukrainian hacker for hire, who leaked its tools, internal chats, and other secrets online in retaliation.
While Costa Rica continues to deal with the fallout from the cyberattack, much of Conti had vanished after the leak, according to Toby Lewis, head of threat analysis at Darktrace, a cybersecurity firm.
“At the beginning of 2022, we were ready for another year for a group like Conti in their prime, making pretty significant sums of money,” Lewis said. “When Russia invaded Ukraine, everything ended. Supporting Russia was, in commercial terms, the worst decision they could have made.”
Conti’s most shocking attack turned out to be his last. In late June, Conti’s public website, where she had mocked Costa Rica and other victims, was shut down, as was her dark web trading site, security researchers said.
As the attacks unfolded, Mora said his team slept just four hours a night for almost a month to slow the advance of hackers in other ministries. Spain shipped its own ransomware protection software, MicroClaudia, which was developed by its National Cryptologic Center.
The US sent teams to help, with donated software and expertise from Microsoft, IBM and Cisco, and the US state department offered a reward of up to $15 million to bring Conti or his supporters to justice.
Rejecting Chaves’ criticism, Mora said that without his pace of work and cooperation after the attack, “we would have had 50 cases like the Ministry of Finance.”
But Costa Rica’s efforts to regain control of its IT systems coincided with Conti’s demise, further complicating its efforts. A Western official who has been briefed on the investigations said that even if Chaves had agreed to pay the ransom, which ranged from $20 million to $1 million, “it is not clear who was on the other side of the line. By June, no one was answering the phone, figuratively speaking.”
“Conti in Costa Rica was a last desperate attempt to get some kind of title, some buzz about his actions,” said Shmuel Gihon, a security researcher at Israel-based Cyberint.
Once estimated at some 400 hackers plus an unknown number of affiliates renting his toolkit, which by 2021 had given the Russian hacking affiliate hundreds of millions of dollars in cryptocurrency from at least 600 targets, Conti was soon reduced to a few dozen in just a few weeks. after the attack in Costa Rica.
But there are signs that it is regrouping in different ways. This includes a group called BlackBasta, which within a few months of emerging has grown to 50 organizations. Security researchers say the speed of their attacks suggests that Conti defectors had brought their knowledge of their victim’s IT infrastructure to BlackBasta.
Meanwhile, Costa Rica continues to deal with the fallout from the April hack. As with all successful ransomware attacks, there is no way to decrypt your own data without a key from your attackers: most systems must be rebuilt from scratch, with backups checked to make sure they don’t include the original malware. That process can take months, if not a year or two.
Until recently, the country’s customs systems had to resort to using paper and email, which slowed down the entire process, said Mónica Segnini, president of Grupo Desacarga, a company that provides import and export services.
“It means you pay more for containers that have to sit for days in yards that haven’t been used in years,” he said, adding that the company was paying its corporate taxes voluntarily but there were no checks. “We are operating in a gray area.”
A senior government official said that many of the finance ministry’s systems have now been restored, including those for customs and wages.
For Costa Ricans like Alejandra, 65, who suffers from a mental disability, medical treatment is being delayed, her husband said in an interview. Doctors can’t access her previous MRI and must now wait until they have access to it, he said.
Zulma Monge, a science teacher and academic coordinator at a technical college in a low-income district in the northeast of the city, is paid 400,000 colones less than what she is owed because the system cannot handle the overtime.
She is using her savings to pay for her two children’s education and the costs of her own second career. “This has never happened before,” she said, “in the [ministry] they are not giving us answers about when the money owed will be paid.”
The process of preventing new attacks has not been entirely smooth either, admitted Carlos Alvarado Briceño, minister in charge of Science, Innovation, Technology and Telecommunications.
Another hacker group called Hive attacked the country’s social security services: the Spanish government’s defensive software had barely been deployed, with only 13 units out of 20,000 installed.
“Obviously the president was worried, and he was also very upset. . . We already had at least some tools to be able to contain it and it did not happen,” said Alvarado Briceño. “Our country in the past had not taken this issue as seriously as required. What is the lesson learned? Do not skimp on having the necessary cybersecurity in all institutions”.