A cyber attack on Costa Rica is currently underway, with two government ministry websites still down and a ransom demand of $10 million in place.
The Costa Rica Finance Ministry website is still down this morning, after it emerged yesterday that the Conti ransomware group – a Russian “hacking-by-hire” collective – had breached its security and stolen a terabyte of data containing taxpayer information.
Conti has encrypted this data and has threatened to release it on April 23rd unless they receive a US$10 million ransom payment.
The breach took place on Sunday, but because it was a holiday, it wasn’t noticed until yesterday. This raises questions in itself about how seriously government agencies take their cybersecurity.
— BetterCyber (@_bettercyber_) April 19, 2022
Later yesterday evening, MICITT (the Costa Rican Ministry of Science & Technology) also confirmed a breach of its website. As of this morning, that site is also still down.
Furthermore, it appears that the Twitter account of the CCSS (Costa Rica’s social security agency) was also compromised this morning. It’s unclear, though, whether this is connected to the attacks on the Finance and Science & Technology Ministries. Either way, the CCSS has confirmed that its Twitter account was hacked and that the situation has been resolved.
In a series of tweets this morning, the CCSS said it was alert to recent events and that it was in the process of reviewing its systems to identify and prevent Conti from attacking it.
#DATO The institution remains alert to the recent events affecting social media accounts and websites, and is continuously monitoring for and preventing cyber attacks.
— CCSSdeCostaRica (@CCSSdeCostaRica) April 19, 2022
So far, it seems the Finance Ministry is downplaying the attack against them, after first claiming only that the site was down.
After admitting the breach and the data theft, the Ministry said it didn’t affect its operations. The government has also said it has no intention of paying any ransom to the hackers.
That said, this breach could allow Conti to sell the stolen data to third parties. With that in mind, the Finance Ministry is telling people not to change their access codes and to report to the authorities any calls or messages asking them to do so.
HACIENDA IS NOT REQUESTING THAT PASSWORDS BE REGENERATED
If you receive calls or messages of doubtful origin, report them to the OIJ via the numbers 800-8000-645 and 8800-0645. pic.twitter.com/jUWq93lSZu
— Ministerio Hacienda de Costa Rica (@HaciendaCR) April 19, 2022
The Conti group originates from Russia and, from most accounts, operates as a business with a corporate hierarchy and departments.
It hires salaried hackers to breach websites, whether government or commercial, and steal information or lock the owners out of their systems. If a government or corporation pays a ransom to recover its stolen data, that payment is shared among the members as a bonus.
According to the FBI, Conti is one of the most prolific ransomware groups operating. Cybersecurity experts estimate the group has made some $2.7 billion over the past two years since it was first identified.
Since the Russian invasion of Ukraine began last month, Conti has suffered a data breach of its own. Some experts suggest this breach stems from Conti’s pro-Russia/pro-Putin sentiments: the theory is that Ukrainian or pro-Ukrainian hackers working for Conti took exception to the group’s pro-Russian stance.
— Cyberint (@cyber_int) April 14, 2022
What this means in relation to the Costa Rica breaches is unclear. Purely speculating, perhaps it means that Conti now needs money more than ever.
Conti operates either by targeting governments and corporations on its own initiative or by being hired by an outside party to target them. It’s unknown whether Conti is hitting Costa Rican government institutions on its own initiative or whether it is being paid to do so by outside actors.
In the meantime, if you’re in Costa Rica – or anywhere for that matter – look after your own cybersecurity. Follow the Finance Ministry’s advice if anyone contacts you asking about access codes. And don’t click on links you don’t recognize.