Costa Rica, A Country Without an Army, Is At War With (Mainly) Russian Hackers

The Russia-based hacker group Conti’s cyberattack on Costa Rica continues to metastasize, spreading to 27 government institutions.

Big things are happening in the small Central American country of Costa Rica that could end up having global repercussions. In April the country suffered a crippling ransomware attack against its finance ministry. Weeks later, the country’s incoming President (and former World Bank economist) Rodrigo Chaves Robles announced that Costa Rica is now locked in a digital war with Conti, a Russia-based group of hackers.

“We’re at war and this is not an exaggeration,” Chaves said in his inaugural speech on May 8. The war, Chaves continued, “is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti.”

This is a powerful statement coming from the head of state of a country that hasn’t had a standing army since 1948 and which prides itself on its peaceful nature. Together with Panama, Costa Rica is one of only two countries in Latin America that doesn’t have an army of its own. This means it is disproportionately dependent on US “assistance” in security matters (h/t Jacob Hatch).

Metastasis

In recent weeks the Conti cyberattack has continued to metastasize, spreading to 27 government institutions, nine of which have been “seriously affected,” according to Chaves. The departments targeted include the treasury, labor ministry, tax administration and the social security fund. The hackers have also brought down certain parts of Costa Rica’s electrical grid and have threatened to target private businesses in the country if the government doesn’t cough up.

Most importantly, the hackers have hijacked the Finance Ministry’s tax filing and foreign trade systems. As a result, the Ministry has been unable to digitally collect tax payments and customs receipts since April 18. It is also unable to verify budget results without use of its online services. Over a month after the initial attack, only some of the services have been restored.

When the attack began Chaves’ predecessor, Carlos Alvarado Quesada, refused to pay the $10 million ransom demanded by Conti. In response, Conti released 97% of the data it had exfiltrated while doubling its initial ransom demand to $20 million. If that is not paid, the group says it will bring down the Chaves government by scrapping the decryption keys that would reactivate government systems, plunging the country’s IT systems into chaos and further crippling the economy. Conti has also threatened to publish online the forty-six remaining gigabytes of classified information taken from highly sensitive departments of Costa Rica’s government.

The attacks have already had an “enormous” impact on foreign trade and tax collections in the country, said Chaves. According to a BBC World article (in Spanish), tens of millions of dollars have already been lost as a result, which is a lot of money for a country with a GDP of just $61 billion.

Who Is the Conti Group?

The ransomware used in the attack, Conti, is believed to be distributed by the Conti Group, which is based in Russia but has members around the world, including, ironically, in Ukraine. According to the cyber security company Recorded Future, one of the gang’s Ukrainian members leaked internal chats after the group’s leaders posted an aggressive pro-Russian message on their official site after Russia’s invasion of Ukraine. The leaked messages suggest that Conti operates much like a regular company, with salaried employees, bonuses and performance reviews.

The US Department of State estimates that Conti has extracted more than $150 million in over a thousand ransom payments, making it the most expensive ransomware variant ever known. Here’s more from The National Interest’s Paul Brian:

Russia-based Conti is one of the most effective ransomware gangs in the world and has extracted huge sums from targets in every place and industry imaginable. It made waves for launching a devastating broadside in May of last year against Ireland’s health services, causing weeks of severe disruptions and an estimated $48 million in recovery costs. Ireland never paid the $20 million the group demanded at that time, and it is not fully clear how the Irish saved their system from the ransomware threats without paying.

As Marco Figueroa observed: “This group has shown itself to be a multi-layered organization that takes time to encrypt endpoints, servers, and backups. This complete control adds pressure to the victims to pay the ransom requested from Conti.”

The Conti gang is given free rein by the Putin administration and has largely evaded any serious consequences inside Russia for its criminal actions. While the closeness of its ties to Russia’s FSB security architecture and the Cozy Bear (APT29) hackers remains in question, disclosed chat logs show that the group has agreed not to cross Russia’s geopolitical interests in return for the authorities turning a blind eye. The group has members in various countries outside Russia, and not all agree with the pro-Putin stance, but its general thrust is pro-Russian.

Why Costa Rica?

The attack against Costa Rica is widely believed to be financially driven. Costa Rica would certainly make for a curious choice of target for a state-directed cyberattack given that the country has not had an army for 73 years. That said, the country has digitized its government services more rapidly than most of its Central American peers, while investing far less in cyber security than more advanced economies, making it an easy target for the likes of Conti.

The Costa Rican government is also one of a small handful of Latin American countries to have agreed to apply US and EU sanctions against Russia within its financial system. It has also suspended broadcasts of Russian state-backed media outlet RT.

It is also worth noting that at the outbreak of the proxy war in Ukraine, the Conti group threatened to deploy “retaliatory measures” if cyber attacks are launched “against critical infrastructure in Russia or any Russian speaking region of the world.” As I noted in a previous article, Russian infrastructure has been inundated with cyber attacks, albeit mostly aimed at hacking and releasing valuable or compromising information.

Hacktivist group Anonymous has coordinated numerous attacks on Russian targets. The hacktivist group DDoSecrets, which specializes in hacking and then publishing compromising data, has amassed dozens of Russian datasets. Its targets have included Roskomnadzor, an agency that monitors and censors mass media; Transneft, the world’s largest oil pipeline company; Rosatom, the state nuclear energy agency; the Russian Orthodox Church’s charitable wing and the Russian Central Bank.

Russian President Vladimir Putin himself recently acknowledged the growing frequency of these sorts of attacks. On Friday, he told the country’s security council that the number of cyber attacks on Russia by foreign “state structures” has increased several times over since Russia’s invasion of Ukraine. The websites of many state-owned companies and news websites have suffered sporadic hacking attempts since Russia sent its armed forces into Ukraine on Feb. 24.

“Targeted attempts are being made to disable the internet resources of Russia’s critical information infrastructure,” Putin said, adding that media and financial institutions as well as government institutions have been targeted. “Serious attacks have been launched against the official sites of government agencies. Attempts to illegally penetrate the corporate networks of leading Russian companies are much more frequent as well.”

Raising the Stakes

On April 22, just days after Conti’s first wave of attacks against Costa Rica, cybersecurity authorities from the so-called “Five Eyes” nations (United States, United Kingdom, Australia, Canada and New Zealand) released a joint statement on Thursday warning that more malicious cyber activity is on the way as Russia’s invasion of Ukraine continues to undermine geopolitical stability. As I noted at the time, the statement should be treated with a certain amount of skepticism given:

  • Both the US and the UK are among the primary antagonists in NATO’s ongoing war with Russia;
  • They both have significant offensive cyber war capabilities of their own; US intelligence agencies, at Obama’s behest, have drawn up a list of potential overseas targets for cyber attacks;
  • Both countries have surreptitiously conducted vast surveillance programs, targeting not only their own populations but also citizens and government leaders of other countries;
  • The world right now is in the grip of the biggest information war of this century.

In recent days, the UK government has raised the stakes even further by suggesting that defensive cyber attacks against hostile nation-states may be justified, as long as agreement can be reached in the so-called “international community” on the cyber rules of engagement. In an interview with the Daily Telegraph given before a scheduled speech on the topic at Chatham House, the UK’s Attorney General Braverman asserted that established international law applies to cyber warfare just as it does to kinetic warfare, where principles of non-intervention allow countries to take defensive countermeasures against aggression:

The United Kingdom’s aim is to ensure that future frontiers evolve in a way that reflects our democratic values and interests and those of our allies

The law needs to be clear and well understood if it is to be part of a framework for governing international relations and to rein in irresponsible cyber behaviour. Setting out more detail on what constitutes unlawful activity by states will bring greater clarity about when certain types of robust measures are justified in response.

This sort of rhetoric, which is essentially an argument for preemptive cyber war, risks taking the world down an even more dangerous path than it is already upon, especially given the threat potentially posed by “false flag” cyberattacks. As Wikileaks’ “Vault 7” series of leaks from 2017 revealed, the CIA has gone to great lengths to disguise its own hacking attacks and, when necessary, point the finger at hostile nations like Russia, China, North Korea and Iran:

The CIA’s hand crafted hacking techniques pose a problem for the agency. Each technique it has created forms a “fingerprint” that can be used by forensic investigators to attribute multiple different attacks to the same entity.

This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon as one murder in the set is solved then the other murders also find likely attribution.

The CIA’s Remote Devices Branch’s UMBRAGE group collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the “fingerprints” of the groups that the attack techniques were stolen from.

Conti has also targeted the Peruvian government recently, pulling off a successful hack of the nation’s intelligence agency on April 27. The group is demanding an unspecified amount of money in exchange for not releasing troves of classified information and not carrying out further attacks. They have also threatened to shut down Peru’s water supply and electricity if Lima doesn’t agree to pay the ransom.

Latin America has long been susceptible to cyber attacks, recording three times more attacks via mobile browsers than the global average in the first half of 2020. Some of the attacks have been pretty audacious, including a $20 million heist of Bank of Mexico’s interbank electronic payment system and Anonymous’ hack of Brazilian government websites during the 2016 Summer Olympics in Rio de Janeiro.

But Conti’s cyber attack against Costa Rica is on a whole different scale. Now, it seems that a small group of cyber criminals can effectively hold the government of an entire nation hostage. As Brian points out, “when one group of hackers can hold an entire nation hostage and humiliate it on the global stage, the problem and implications are very serious indeed.” One of those implications is that the boundaries of the cyber war between Russia and NATO could end up spreading to Latin America, if it hasn’t already. 


20 comments

  1. lyman alpha blob

    Interesting how these issues are almost always framed. It sure sounds like we don’t really know a whole lot about Conti other than it’s based in Russia, whatever that means, since no information is given on how that is known. We don’t have the names of any of its members, we don’t know how much if any money they make from their attacks – all we have are State department estimates. And $150 million over a thousand attacks doesn’t sound like much considering what is supposedly being hacked. If it were me, I’d be asking for a lot more if I had a whole sovereign nation tied up. And yet we have this –

    “The Conti gang is given free rein by the Putin administration and has largely evaded any serious consequences inside Russia for its criminal actions.”

    Later we’re told that Anonymous has attacked Russian targets, again with no details as to how we know this. Would it follow that Anonymous has been given free rein by the Biden administration?

    Yesterday there was a link about a Canadian teenager who hacked into a crypto exchange. There were all kinds of details as to how it was done and how they found out exactly who was responsible – a precocious teenager who is apparently on the run. The authorities were unable to apprehend him despite knowing all the details of the crime (but is it really a crime to hack anything crypto-related?) and exactly who the perpetrator was.

    But this author mentions the elephant in the room which most stories on this subject leave out – the WikiLeaks Vault 7 release. With that out there, how can anyone really know who is doing any of this?

    1. Nick Corbishley Post author

      Thanks for that much-needed clarification, Jacob. The fact that Costa Rica doesn’t have its own standing army makes it disproportionately dependent on US assistance in security matters. In fact, right now US, Israeli and Spanish government agencies are all “helping” to protect and restore CR’s IT systems.

    2. Carolinian

      So if they are US allies shouldn’t our crack NSA be down there defending them? Or is the problem more related to software from a certain company in Seattle?

      At any rate cyber world war seems like the last thing we need at the moment.

  2. The Rev Kev

    OK then, using the data points in this post your Rev is going to run a theory up a flag-post and see if anybody salutes it. I think that we can agree that the Ukrainian war is actually a proxy war between Russia and the “western” world. With the constant escalation over the past three months, it could always have developed into a full scale cyber war and you can imagine how that could play itself out where you live. Nick states that Anonymous – who seems to work for the establishment these days – ‘has coordinated numerous attacks on Russian targets.’ And he mentions that the UK may have been keen on this cyber war because what could possibly go wrong? Also, the Conti group threatened to deploy “retaliatory measures” if cyber attacks are launched “against critical infrastructure in Russia or any Russian speaking region of the world.”

    Let us put this all together. So what if, what if, Russia let this attack in Puerto Rico go ahead and did not crack down on Conti in Russia. Why would they do that? To make that country a warning of what would happen if the west launched a massive cyber strike on Russia. To be brutal about it, killing a chicken to frighten the monkeys. Puerto Rico has a mild climate so the people will not freeze to death. More to the point, they made themselves a target when they were one of the few Latin American countries ‘to have agreed to apply US and EU sanctions against Russia within its financial system.’ If Russia had let this happen to say Oregon, it would have invited an immediate escalation but Puerto Rico? Being – kinda – a part of the US you would expect that the US would have defended them online but since they have not, it would suggest that they can’t. Yes, Puerto Rico is suffering but it may be that in doing so, it prevents the first global cyber war. Maybe.

    1. IsabelPS

      “I think that we can agree that the Ukrainian war is actually a proxy war between Russia and the “western” world.”
      Who is “we”? :-)

      1. The Rev Kev

        My mistake. I was trying to mentally put all these pieces together in my mind last night and somehow transposed Puerto Rico with Costa Rica. However, the point I think is still valid. That Costa Rica is being used as an object lesson for the US/EU not to launch a cyber-war as the fallout from that would be catastrophic.

    2. rob

      there would also be the possibility that it’s the CIA attacking costa rica, and the ruse is that it is “the conti group”…aka russians.

      this way the US has no skin in the game, and this “un-provoked” ATTACK!!!… (of costa rica by the CIA , as shown in the vault 7 releases,that it can leave “other’s” fingerprints, for the forensic teams to find)….by RUSSIA/via the conti group.. can be used as a pretext to some other form of “crackdown”, or erosion of privacy for everyone on the planet.

      after all, between annapolis,MD and fredericksburg ,VA… there are a lot of “patriots” just sharpening their knives,perfecting their wares…

  3. Tom Stone

    Unintended consequences can bite.
    It’s not just Costa Rica, CR is ripe, low hanging fruit so it was among the first harvested.
    California’s electrical grid is wide open, those pumps that send water over the Tehachapis are also connected to the net and vulnerable.
    How about all those bluetooth connected luxury cars?
    Threaten to brick every Mercedes and BMW unless they pungle up enough cash for lunch at the four seasons…
    or just brick them if the Germans become too rude.
    We’re about to find out just how fragile “Civilization” is.

  4. super extra

    Thank you for this post, Nick.

    I think it is notable that nobody who experiences these attacks apparently is willing to consider taking some of these services offline permanently and making a targeted program of dedigitizing/air-gapping/rethinking of their various IT systems. I understand the reality of multi-year IT and implementation contracts and how international IT/software companies work their hooks into their customers, and how this can be combined with trade law in some very nefarious ways. But what I don’t understand is why there hasn’t been a concerted effort to begin even an exploration of a program like this to protect states or companies from these attacks. Unless, of course, the idea of rolling back that stuff is anathema for other reasons, like guaranteed back doors for a certain state further north that were buried in trade/technology sharing agreements a while back.

    1. Jacob Hatch

      These resources have nearly all been sold to multinationals, who want an exact titer of every drop of water, peso, or toilet flush, etc, all delivered to their billing software in Delaware or some other convenient money wash. They also want to lay off every possible worker, no matter how cheaply paid, and replace them with automation. The former is exactly why Colonial Pipeline shut down: the pipeline equipment was functioning just fine, but the billing/metering was compromised. The latter is why Costa Rica has much of a nature reserve coated in oil 3″ deep. So you can see air-gapping isn’t a thing to be considered. Das Kapital.

    2. PlutoniumKun

      Having in the past tried to make exactly this argument during a digitisation process at work, it’s incredibly hard to persuade people entranced by computers that a simple thing like paper based and manual back ups are essential to maintain the robustness of any system. I don’t think there is any malign reason behind it, it’s more the MBA mindset that online systems = efficiency and anyone arguing otherwise is just an old fossil or worse still, a socialist.

      It’s not just a case of security – I’ve frequently seen serious errors repeated over and over because some item of information was incorrectly inputted at some stage and therefore became ‘gospel’, repeated over and over again without anyone questioning its accuracy. Everyone is doing the same data search and coming up with identical answers, and nobody is catching first order errors in the information. This is one reason why purely geographical databases (increasingly popular for a multitude of uses) can lead to huge errors which are only caught when someone goes and digs a hole and finds something that wasn’t supposed to be there (according to the database).

      Of course, even paper databases need backups. Pretty much the entire Irish records system was blown up in the Irish Civil War in 1921 (this has been the bane of Irish historians for decades), but it’s only now, a century later, that it has been realised that for a variety of reasons copies were made, and the original records can be reconstructed.

      1. liam

        I don’t think there is any malign reason behind it, it’s more the MBA mindset that online systems = efficiency and anyone arguing otherwise is just an old fossil or worse still, a socialist.

        I don’t think this is unique to those with an MBA hue. People are generally enthralled by shiny things. The oooh! factor. Witness the complete willingness to give up on privacy for their flashy surveillance devices. We think we’re sophisticated. In reality, the conquistadors have arrived with shiny beads.

      2. Frithiof Andreas Jensen

        I don’t think there is any malign reason behind it, it’s more the MBA mindset that online systems = efficiency and anyone arguing otherwise is just an old fossil or worse still, a socialist.

        I think one of the scary things revealed by the corona pandemic is the abundance of high-functioning morons everywhere.

        These people can learn how to do something, even do it well enough to make a decent career out of it, but, they cannot comprehend anything beyond the scope of their knowledge, maybe because they are already loaded up to full capacity. Or maybe they are never really thinking but only pattern-matching and repeating what they remember, like some kind of fleshy robot.

        I have had some really extraordinarily strange arguments with people being adamant that some type of equipment is really some other kind they happen to know, so, therefore it should be treated similarly and on and on. Those people’s way of working, and spreading chaos, and never quitting a lost battle, and then getting the regulators all fired up, that can be explained by this model.

        When one sees the pattern, it cannot be un-seen, and then one is no longer “management material”.

  5. Mikel

    Everybody is already a hostage to the grid.
    The cyber terrorists are just amplifying it.

    Yes, Virginia -you damn fool – a backup plan and system for ultimate “cyber security” is OFF LINE.

    As for the release of information already collected – that’s called “you put yourself in a trick bag.”

    And tell me the difference again between “cyber security” and “ransom ware”?

  6. orlbucfan

    BTW, China has a good sized economic footprint in CR. I have 2 long-time friends who are both now permanent residents of the country. They are apolitical, and do not have a dawg in the Amurika vs. Russkies fight. I am so burned out on “high” tech, “old fashioned” words fail me.

  7. podcastkid

    Stupid omnipresent macro thing just wiped out a para…when I hit it some way I’ve forgotten…space bar I think, tab doesn’t work with the thing either.

    My knowledge of subj is rudimentary. Like Rob I don’t understand how anything can be traced after Vault 7 leak, but maybe there are new tools that haven’t been leaked? (I will scan over article again)

    Everyone after super extra and including SE seems pretty brilliant. Cool to read y’all.

    I think in that first big hit from Hazel Henderson she mentioned “labor intensive”? Air gapping and labor intensive…that’s what Greens need to mention. Or People’s Party. Plus real deal on Ukraine. Plus real deal on VAERS.

    Thanks, y’all. You’re appreciated.

  8. Khanz

    I would like to add the news that the head of the Anonymous group, Killmilk, confirmed that the cyberattacks carried out under the name of Anonymous are by hackers associated with the governments of NATO countries. He said “the real Anonymous will never work for the government,” so there is no reason they have to follow NATO’s campaign.

    More than 100 hackers of “true” Anonymous contacted KillNet to inform about the split within Anonymous since most of them are on Russia’s side, not on the opposite one.
