The Russia-based hacker group Conti’s cyberattack on Costa Rica continues to metastasize, spreading to 27 government institutions.
Big things are happening in the small Central American country of Costa Rica that could end up having global repercussions. In April the country suffered a crippling ransomware attack against its finance ministry. Weeks later, the country’s incoming President (and former World Bank economist) Rodrigo Chaves Robles announced that Costa Rica is now locked in a digital war with Conti, a Russia-based group of hackers.
“We’re at war and this is not an exaggeration,” Chaves said in his inaugural speech on May 8. The war, Chaves continued, “is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti.”
This is a powerful statement coming from the head of state of a country that hasn’t had a standing army since 1948 and which prides itself on its peaceful nature. Together with Panama, Costa Rica is one of only two countries in Latin America that doesn’t have an army of its own. This means it is disproportionately dependent on US “assistance” in security matters (h/t Jacob Hatch).
In recent weeks the Conti cyberattack has continued to metastasize, spreading to 27 government institutions, nine of which have been “seriously affected,” according to Chaves. The departments targeted include the treasury, labor ministry, tax administration and the social security fund. The hackers have also brought down certain parts of Costa Rica’s electrical grid and have threatened to target private businesses in the country if the government doesn’t cough up.
Most importantly, the hackers have hijacked the Finance Ministry’s tax filing and foreign trade systems. As a result, the Ministry has been unable to digitally collect tax payments and customs receipts since April 18. It is also unable to verify budget results without use of its online services. Over a month after the initial attack, only some of the services have been restored.
When the attack began, Chaves’ predecessor, Carlos Alvarado Quesada, refused to pay the $10 million ransom demanded by Conti. In response, Conti released 97% of the data it had exfiltrated and doubled its initial ransom demand to $20 million. If that is not paid, the group says it will bring down the Chaves government by destroying the decryption keys that would restore government systems, plunging the country’s IT systems into chaos and further crippling the economy. Conti has also threatened to publish the remaining 46 gigabytes of classified information it holds from highly sensitive departments of Costa Rica’s government.
The attacks have already had an “enormous” impact on foreign trade and tax collections in the country, said Chaves. According to a BBC World article (in Spanish), tens of millions of dollars have already been lost as a result, which is a lot of money for a country with a GDP of just $61 billion.
Who Is the Conti Group?
The ransomware used in the attack, Conti, is believed to be distributed by the Conti Group, which is based in Russia but has members around the world, including, ironically, in Ukraine. According to the cyber security company Recorded Future, one of the gang’s Ukrainian members leaked internal chats after the group’s leaders posted an aggressive pro-Russian message on their official site after Russia’s invasion of Ukraine. The leaked messages suggest that Conti operates much like a regular company, with salaried employees, bonuses and performance reviews.
The US Department of State estimates that Conti has extracted more than $150 million in over a thousand ransom payments, making it the most expensive ransomware variant ever known. Here’s more from the National Interest‘s Paul Brian:
Russia-based Conti is one of the most effective ransomware gangs in the world and has extracted huge sums from targets in every place and industry imaginable. It made waves for launching a devastating broadside in May of last year against Ireland’s health services, causing weeks of severe disruptions and an estimated $48 million in recovery costs. Ireland never paid the $20 million the group demanded at that time, and it is not fully clear how the Irish saved their system from the ransomware threats without paying.
As Marco Figueroa observed: “This group has shown itself to be a multi-layered organization that takes time to encrypt endpoints, servers, and backups. This complete control adds pressure to the victims to pay the ransom requested from Conti.”
The Conti gang is given free rein by the Putin administration and has largely evaded any serious consequences inside Russia for its criminal actions. While the closeness of its ties to Russia’s FSB security architecture and Cozy Bear (APT29) hackers remains in question, disclosed chat logs show that the group has agreed not to cross Russia’s geopolitical interests in return for the authorities turning a blind eye. The group has members in various countries outside Russia, and not all agree with the pro-Putin stand, but its general thrust is pro-Russian.
Why Costa Rica?
The attack against Costa Rica is widely believed to be financially driven. Costa Rica would certainly make for a curious choice of target for a state-directed cyberattack given that the country has not had an army for 73 years. That said, the country has digitized its government services more rapidly than most of its Central American peers, while investing nowhere near as much money in cyber security as more advanced economies, making it an easy target for the likes of Conti.
The Costa Rican government is also one of a small handful of Latin American countries to have agreed to apply US and EU sanctions against Russia within its financial system. It has also suspended broadcasts of Russian state-backed media outlet RT.
It is also worth noting that at the outbreak of the proxy war in Ukraine, the Conti group threatened to deploy “retaliatory measures” if cyber attacks are launched “against critical infrastructure in Russia or any Russian speaking region of the world.” As I noted in a previous article, Russian infrastructure has been inundated with cyber attacks, albeit mostly aimed at hacking and releasing valuable or compromising information.
Hacktivist group Anonymous has coordinated numerous attacks on Russian targets. DDoSecrets (Distributed Denial of Secrets), a transparency collective that specializes in publishing hacked and leaked data, has amassed dozens of Russian datasets. The sources of those datasets have included Roskomnadzor, an agency that monitors and censors mass media; Transneft, the world’s largest oil pipeline company; Rosatom, the state nuclear energy agency; the Russian Orthodox Church’s charitable wing and the Russian Central Bank.
Russian President Vladimir Putin himself recently acknowledged the growing frequency of these sorts of attacks. On Friday, he told the country’s security council that the number of cyber attacks on Russia by foreign “state structures” has increased several times over since Russia’s invasion of Ukraine. The websites of many state-owned companies and news websites have suffered sporadic hacking attempts since Russia sent its armed forces into Ukraine on Feb. 24.
“Targeted attempts are being made to disable the internet resources of Russia’s critical information infrastructure,” Putin said, adding that media and financial institutions as well as government institutions have been targeted. “Serious attacks have been launched against the official sites of government agencies. Attempts to illegally penetrate the corporate networks of leading Russian companies are much more frequent as well.”
Raising the Stakes
On April 22, just days after Conti’s first wave of attacks against Costa Rica, cybersecurity authorities from the so-called “Five Eyes” nations (United States, United Kingdom, Australia, Canada and New Zealand) released a joint statement warning that more malicious cyber activity is on the way as Russia’s invasion of Ukraine continues to undermine geopolitical stability. As I noted at the time, the statement should be treated with a certain amount of skepticism given:
- Both the US and the UK are among the primary antagonists in NATO’s ongoing war with Russia;
- They both have significant offensive cyber war capabilities of their own;
- US intelligence agencies, at Obama’s behest, have drawn up a list of potential overseas targets for cyber attacks;
- Both countries have surreptitiously conducted vast surveillance programs, targeting not only their own populations but also citizens and government leaders of other countries;
- The world right now is in the grip of the biggest information war of this century.
In recent days, the UK government has raised the stakes even further by suggesting that defensive cyber attacks against hostile nation-states may be justified, as long as agreement can be reached in the so-called “international community” on the cyber rules of engagement. In an interview with the Daily Telegraph given before a scheduled speech on the topic at Chatham House, the UK’s Attorney General, Suella Braverman, asserted that established international law applies to cyber warfare just as it does to kinetic warfare, where principles of non-intervention allow countries to take defensive countermeasures against aggression:
The United Kingdom’s aim is to ensure that future frontiers evolve in a way that reflects our democratic values and interests and those of our allies.
The law needs to be clear and well understood if it is to be part of a framework for governing international relations and to rein in irresponsible cyber behaviour. Setting out more detail on what constitutes unlawful activity by states will bring greater clarity about when certain types of robust measures are justified in response.
This sort of rhetoric, which is essentially an argument for preemptive cyber war, risks taking the world down an even more dangerous path than it is already upon, especially given the threat potentially posed by “false flag” cyberattacks. Attribution of a cyberattack rests on technical fingerprints (tooling, code reuse, infrastructure), and fingerprints can be copied. As WikiLeaks argued when it published its “Vault 7” series of leaks in 2017, the CIA maintains a library of attack techniques borrowed from other actors’ malware, which gives it the means to disguise its own hacking operations and, if it chose, to leave behind fingerprints pointing at hostile nations like Russia, China, North Korea and Iran:
The CIA’s hand crafted hacking techniques pose a problem for the agency. Each technique it has created forms a “fingerprint” that can be used by forensic investigators to attribute multiple different attacks to the same entity.
This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon as one murder in the set is solved then the other murders also find likely attribution.
The CIA’s Remote Devices Branch’s UMBRAGE group collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.
With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the “fingerprints” of the groups that the attack techniques were stolen from.
Conti has also targeted the Peruvian government recently, pulling off a successful hack of the nation’s intelligence agency on April 27. The group is demanding an unspecified amount of money in exchange for not releasing troves of classified information and not carrying out further attacks. They have also threatened to shut down Peru’s water supply and electricity if Lima doesn’t agree to pay the ransom.
Latin America has long been susceptible to cyber attacks, recording three times more attacks via mobile browsers than the global average in the first half of 2020. Some of the attacks have been pretty audacious, including a heist of some $20 million carried out through SPEI, Bank of Mexico’s interbank electronic payment system, and Anonymous’ hack of Brazilian government websites during the 2016 Summer Olympics in Rio de Janeiro.
But Conti’s cyber attack against Costa Rica is on a whole different scale. Now, it seems that a small group of cyber criminals can effectively hold the government of an entire nation hostage. As Brian points out, “when one group of hackers can hold an entire nation hostage and humiliate it on the global stage, the problem and implications are very serious indeed.” One of those implications is that the boundaries of the cyber war between Russia and NATO could end up spreading to Latin America, if it hasn’t already.