WASHINGTON – A Russian hacker cartel has carried out an emergency cyber attack against the Costa Rican government, damaging its tax collection and export systems for more than a month and forcing the country to declare a state of emergency.
The ransomware gang Conti, based in Russia, claimed responsibility for the April 12 attack and threatened to leak stolen information if it was not paid $20 million. Experts tracking Conti’s movements said the group had recently begun shifting its focus from the United States and Europe to Central and South America, possibly to take revenge on countries that support Ukraine.
Some experts also believe that Conti feared a crackdown by the United States and sought new targets, regardless of politics. The Federal Bureau of Investigation estimates the group is responsible for more than 1,000 ransomware attacks worldwide that have resulted in more than $150 million in revenue.
“Cartels with extortionist programs have found that multinational companies in the United States and Western Europe are less likely to blink if they have to pay some ungodly amount to start their own business,” said Juan Andres Guerrero-Saade, chief threat researcher at SentinelOne. “But at some point you will use that space.”
Whatever the reason for the shift, the hack showed that Conti continued to act aggressively, despite speculation that the gang could disintegrate after it became the target of a hacking operation in the early days of Russia’s war with Ukraine. The criminal group, which promised support to Russia after the invasion, regularly attacks businesses and local government agencies, breaking into their systems, encrypting data and demanding ransom for its recovery.
Of the hack in Costa Rica, Bret Kelly, an Emsisoft threat analyst, said “this is perhaps the most significant attack by ransomware programs to date.”
“This is the first time I can recall the ransomware attack that declared a state of emergency in the country,” he said.
Costa Rica has said it has refused to pay the ransom.
The hacking campaign took place after the presidential election in Costa Rica and quickly became a political club. The previous administration in its first official news releases downplayed the attack, portraying it as a technical problem and creating an image of stability and calm. But President-elect Rodrigo Chavez began his term by declaring a state of emergency in the country.
“We are at war,” Mr Chavez told a news conference on Monday. He said 27 government agencies had been attacked by ransomware programs, nine of them significantly.
According to Mr Chavez’s administration, the attack began on April 12, when hackers claiming to be linked to Conti broke into Costa Rica’s finance ministry, which oversees the country’s tax system. From there, the ransomware spread to other agencies overseeing technology and telecommunications, the government said this month.
Two former Treasury Department officials, who were barred from speaking publicly, said hackers had gained access to taxpayer information and disrupted Costa Rica’s tax collection process, forcing the agency to close some databases and use a nearly 15-year-old system to store revenue from the largest taxpayers. Most of the country’s tax revenue comes from a relatively small group of about a thousand major taxpayers, allowing Costa Rica to continue collecting taxes.
The country also relies on exports, and the cyber attack has forced customs officers to do their work solely on paper. While the investigation and recovery are underway, taxpayers in Costa Rica are forced to file tax returns in person at financial institutions rather than relying on online services.
Mr Chavez is a former World Bank official and finance minister who has vowed to shake up the political system. His government declared a state of emergency this month in response to the cyber attack, calling it “unprecedented in the country.”
“We are facing a situation of imminent catastrophe, social disaster and internal and abnormal unrest, which cannot be controlled by the government without extraordinary measures,” the Chavez administration said in a statement.
The government said the state of emergency allowed agencies to act faster to remediate the breach. But cybersecurity researchers said a partial recovery could take months and that the government may never recover its data. The government may have backups of some taxpayer information, but it will take some time for those backups to come online, and the government must first make sure it has removed Conti’s access to its systems, the researchers said.
Paying a ransom would not guarantee a recovery because Conti and other ransomware groups are known to withhold data even after receiving payment.
“If they don’t pay the ransom, which they said they don’t intend to do, or don’t have backups that will allow them to recover their data, they are potentially expecting a complete loss of data,” Mr Callow said.
When Costa Rica refused to pay the ransom, Conti began threatening to leak its data online by posting some files that allegedly contained stolen information.
“It is impossible to look at the decisions of the Costa Rican presidential administration without irony,” the group wrote on its website. “All of this could have been avoided by paying.”
On Saturday, Conti raised the stakes, threatening to delete the keys needed to recover the data if it did not receive payment within a week.
“With governments, intelligence services and diplomatic circles, the grueling part of the attack is not really an extortionist. This is an exfiltration of data,” said Mr. Guerrero-Saade of SentinelOne. “You are in a position where incredibly confidential information is supposed to be in the hands of a third party.”
The hack, among other attacks committed by Conti, prompted the U.S. State Department to team up with the Costa Rican government to offer a reward of $10 million to anyone who provided information that led to the identification of key leaders of the hacker group.
“The group committed an incident with a ransomware program against the Costa Rican government that seriously affected the country’s foreign trade by violating customs and tax platforms,” State Department spokesman Ned Price said in a statement. “By offering this award, the United States is demonstrating its commitment to protecting potential victims of ransomware programs around the world from being exploited by cybercriminals.”
Kate Conger reported from Washington, and David Balañas from San Jose, Costa Rica.