They asked for $10 million in April in exchange for stopping the attack and returning the stolen information. The Costa Rican government refused to pay.
Now they are demanding $20 million, and the threats continue.
“We are at war and that is not an exaggeration,” the country’s new president, Rodrigo Chaves, said this week. He ordered a state of national emergency after a month of cyberattacks against the systems of the country’s institutions.
The perpetrators are a group of Russian-based cybercriminals known as Conti, the name of the computer platform with which they carry out their attacks.
Their business is to penetrate the computer systems of corporations, institutions and governments to extort them.
They recently attacked Peru’s intelligence service, but where they have really sown chaos is in Costa Rica.
We explain in five key points what is happening with the massive cyberattack on the Central American country.
1. What happened
On April 18, Conti directed its massive cyberattack at organizations and institutions in Costa Rica in the form of ransomware, a blend of the English terms ransom and software.
Ransomware is malicious software that hijacks information from a system (such as data, files or keys) in order to demand a ransom.
The group attacked 30 Costa Rican institutions such as the Ministry of Labor, Science, Technology and Telecommunications, Social Security or the National Meteorological Institute.
But the most affected was the Ministry of Finance, where cybercriminals entered the servers and stole all kinds of information.
“There may have been an inmate they knew, or they were scanning ports, or someone in the Treasury entered a link that they shouldn’t have,” Costa Rican lawyer José Adalid Medrano, a specialist in Computer Law and Cybercrime, tells BBC Mundo.
Conti’s hackers hijacked the country’s tax declaration and foreign trade systems, which belong to the Ministry of Finance.
Thus, customs stopped processing import and export taxes, collection systems were paralyzed and salary payments to public sector employees were suspended.
A month after the biggest attack, some of the services have still not been restored.
“To date the systems have not been restored. However, the Ministry of Finance maintains its services, including the collection of taxes to maintain revenue; the attention of exports, imports and transit of goods so as not to affect international trade,” Nogui Acosta Jaén, Minister of Finance of Costa Rica, told BBC Mundo in a statement.
Experts estimate the losses at tens of millions of dollars.
2. Who is behind it
Although Conti is a Russian platform, the origin of the attack could be much closer.
“There are very clear indications that people inside the country are collaborating with the Conti cybercriminal group,” said President Chaves.
Computer scientist and businessman Esteban Jiménez, who was one of the architects of Costa Rica’s cybersecurity strategy, endorses this hypothesis.
“The mother group is in Russia, it has the main tool and financing, but there are cells affiliated with Conti in other countries,” he tells BBC Mundo.
He explains that these cells usually become part of Conti through deep web contacts or simply rent its attack platform: “They pay with cryptocurrencies between $5,000 and $20,000 dollars to use it for a month.”
And he mentions some indications that point to the origin of the attack in the region or even in Costa Rica itself, such as “the type of writing” of the extortionists.
Cybercriminals also “cite very specific particularities of the country, they are people who have knowledge of the local environment”, they know “the internal processes of the government and the state of the technology and systems used by the country” and they claim to have contacts in the public administration.
“This is not normal in an international attack, which is usually more generic,” says Jiménez.
3. Why Costa Rica?
It is striking that this Central American state of just over five million inhabitants has been the target of one of the largest cyberattacks directed at a country in recent years.
For Esteban Jiménez, the key lies in the technological development that Costa Rica has experienced, superior to that of its Central American neighbors but without the maturity of European countries or the United States.
For the latter, says the expert, threats like Conti’s “are daily bread” and therefore they are prepared to respond.
We asked him what would happen if the group directed, for example, an attack on Germany like the one suffered by Costa Rica.
“They probably would have had some impact, but the recovery mechanisms would have been much more mature and the response process more coordinated.”
Costa Rica, he explains, “has been outlined in recent years to develop as one of the great economies of the region; digitizing a country expands the area of entry and this is a motivation for Conti, who sees it as vulnerable”.
José Adalid Medrano, for his part, believes that it is the low security of Costa Rican systems which invited hackers to attack.
“Let us remember that, according to local reports, we are facing weakly protected servers and systems,” says the lawyer.
In the case of the Treasury, he considers that “it is not possible for a Ministry that provides so many services to society and has sensitive information on Costa Ricans not to have a contingency plan”.
A report from the Comptroller in 2019 already pointed out 250 critical vulnerabilities and warned of the absence of this contingency plan which, had it existed, would have made it easier to recover the continuity of services after the attack.
4. What are the reasons
The targets of ransomware are usually private companies, since it is very difficult for a government, and more so in a democratic country, to agree to pay a ransom to a group of cybercriminals.
Is it really money that motivated Conti to attack Costa Rica or could there be political or other reasons?
The attack came at a significant moment: the transition of the presidency from Carlos Alvarado to Rodrigo Chaves, whose recent mention of a “war” has been interpreted by some as an allusion to possible political motivations of the attackers.
“Although there are signs of collaboration within the country, it does not mean that there is a political motivation,” says Medrano.
The lawyer believes that cybercriminals have more ambitious goals.
“A private company is a more ideal victim, but if the victim that falls is a State, it gives you propaganda, it makes it seem like it is a more planned, bigger attack, and Conti is strengthened in image as a criminal group.
“Although the attack on Costa Rica is not economically profitable, without a doubt it puts the group on the map, helps it to expand its name and pressure others so that the same thing does not happen to the Costa Rican government,” the lawyer explains.
And he warns: “The Latin American nations need to pay attention because Costa Rica is part of an experiment that they are going to try to apply in other countries and can count on the help of local people.”
Along these lines, Esteban Jiménez considers the attack “a demonstration, a display of power, a complete intimidation”, for which he anticipates the opening of “a new chapter at the Latin American level” in which these types of attacks would intensify in the region.
5. How has Costa Rica responded and who is helping it
Issued almost a month after the first attack, the declaration of the state of emergency served to expedite measures aimed at restoring normality and strengthening protection against future cyberattacks, the government reported this week.
It said that, for this, it has technical assistance from countries such as Spain and Israel and companies like Microsoft and GBM.
Meanwhile, the US State Department has offered a $10 million reward to whoever provides information that allows the identification or location of the members of Conti.
It will also pay up to $5 million in exchange for “information leading to the arrest or conviction of any person, in any country, who conspires to participate or attempt to participate in a Conti incident.”
The FBI (US Federal Bureau of Investigation) estimates that, as of January of this year, the Russian group had extorted over 1,000 victims who have paid more than $150 million in ransoms, making Conti the “most damaging ever documented” ransomware group.
On the other hand, the Costa Rican authorities have launched an investigation to find those responsible for the cyberattack who, as expert hackers, have taken care to clean up any incriminating traces.
“Four weeks later, many of the traces, of the system’s logs, no longer exist”, affirms Esteban Jiménez.
Therefore, he explains, “it is going to be very complicated to use digital forensic science to be able to find some type of evidence, so it will have to be a formal or classic investigation” that allows, at least, to find out if there was a Costa Rican citizen involved.