This week, Costa Rica came under attack — again.
On Tuesday morning in the Central American country, printers at the national health service abruptly churned out copies of a ransomware note.
Hospital record-keeping systems went down, and screens flashed up demands for a digital key needed to unlock compromised files and servers.
This was just the latest in a string of cyber attacks that had knocked out basic government services, including the online tax portal and automated system for paying teachers’ salaries.
The attackers boast: “Your country was destroyed by 2 people.” (Supplied: Conti)
Costa Rica is now in an official state of emergency — the first time a country has done this in response to cyber attacks.
Security experts fear other countries will be next, as criminals spy soft targets in public infrastructure, like trains, hospitals, and schools.
And yes, that potentially includes Australia.
So who’s responsible? And who’s next?
‘That’s when the panic started’
Corporate and government ransomware victims typically avoid speaking publicly about the reputation-damaging events of an attack, but that was not the case with Costa Rica.
It was too big to hide.
The accounts of first responders provide a rare insight into how these attacks unfold — and the scramble to defend against them.
On April 18, Esteban Jimenez, founder of the Costa Rica-based cyber security company ATTI, received a call from the country’s ministry of finance.
“All the systems were completely blocked,” he told the ABC.
“That’s when the panic started. And that’s when they called us for assistance.”
Esteban Jimenez helped develop Costa Rica’s cybersecurity strategy. (Supplied: Esteban Jimenez)
The attackers appear to have infiltrated government computers using Cobalt Strike, a commercial adversary-simulation toolkit that is widely abused by criminals. Its implant, known as Beacon, was planted on the target machines.
With Beacon running, they could log keystrokes, transfer files, execute commands and reach into other systems on the network: everything needed to steal data and then push out the ransomware that encrypted it.
In a ransomware attack, the attackers encrypt the victim’s data, and increasingly also steal a copy first, then demand payment for the key that restores access and for a promise not to publish what they took.
The first Cobalt Strike infiltration happened at least as early as February, and could have come through any number of routes, including a malicious email attachment or a public servant visiting a compromised website.
Mr Jimenez and the other first responders counted 860 servers either locked up with ransomware, or disabled in some other way by the attack.
“We took the decision to just shut everything down.”
The next step was to restore the servers from backups that system operators keep for just these occasions.
One problem: “There were no backups whatsoever,” Mr Jimenez said.
“Every single system that was externally facing, every single app that the ministry [of finance] had available for people, was blocked.”
With the systems down, disorder rippled through the country.
An entire country held to ransom
The attack affected 29 public institutions, including the ministries of finance, social security, meteorology, electricity, and sciences, innovation, technology and telecommunications.
Teachers found they weren’t getting paid.
“The Ministry of Public Education had more than 13,000 teachers with wrong payments because they lost the actual system that was tracking down accurate payments,” Mr Jimenez said.
Customs officers had to resort to paper forms, slowing the processing of imports, which meant food and other perishables spoiled on the docks.
“It’s impossible for a person to deal with 200,000 forms manually every day.”
Service websites equivalent to the ATO or myGov were offline.
Taxes couldn’t be paid online.
“People were required to go to the bank with a manual form created by their accountants, like it was done 20 or 30 years ago.”
First responders raced to get systems back online.
At one point, Mr Jimenez took the unconventional step of using the Wayback Machine, the Internet Archive’s free archive of the World Wide Web, to piece the ministry of finance website back together from archived snapshots. The archive only stores what a visitor’s browser was sent, so this recovers a site’s public-facing pages, not the server-side code or databases behind them.
“We were able to pull out a full backup from the main website.”
But even as they repaired the damage, more trouble was brewing.
Printers at the Costa Rican government health ministry printed out these notes after Hive attacked. (Supplied: Esteban Jimenez)
This week’s follow-up attack saw the public health service shut down its digital record-keeping system, which has affected about 1,200 hospitals and clinics, and potentially thousands of patients.
Teachers are still getting paid the wrong amount and tax collection and customs declarations are still relying on manual forms.
Mr Jimenez estimates the attacks have cost at least half a billion dollars.
“And for a country of 5 million people, that’s a lot of money.
“What we saw before were attacks targeting random private companies; never an attack like this.
“This was very, very well orchestrated.”
Who’s responsible?
Plotting the events of the attack is the easy part. Figuring out who is ultimately behind it all is a lot harder.
On the surface, it may seem obvious. According to media reports, the Russia-linked group Conti was responsible for the April attacks, while another Russian group, Hive, did the latest ones.
Costa Rican president Rodrigo Chaves declared the country was “at war” with Conti. (Getty Images: Juan Carlos Ulate)
But it’s more complicated than this.
In recent years, the business of ransomware has evolved into a sophisticated ecosystem, with different groups offering specialised services for each part of the process.
Initial access brokers sell a foothold in an already-compromised network, while ransomware-as-a-service (RaaS) groups rent out the malware, leak site and negotiation infrastructure needed to carry out the attack.
Conti is one of these latter groups. For the Costa Rica attack, they were merely selling a service, said Adam Meyers, senior vice-president of intelligence for CrowdStrike, one of the largest cybersecurity companies in the world.
“They’ll take 20 per cent or 30 per cent off of the ransom for themselves in order for you to use their platform for both ransomware and data extortion.”
That leaves two missing pieces: the identities of the access broker and Conti’s client, or affiliate.
The access broker appears to be Russian-speaking, Mr Meyers said.
Ahead of the attack, a Russian-speaking broker was advertising access “to a Costa Rican government entity” on “underground forums” covertly monitored by CrowdStrike.
The Costa Rican government wasn’t warned at the time, Mr Meyers said.
“It would be difficult for us to notify everybody.”
And what do we know about the identity of Conti’s client?
“Not much,” Mr Meyers said.
“They used Conti and they were effective.”
So, who’s Conti?
Until recently, Conti was the biggest, baddest ransomware gang around.
In 2021, it extorted $US150 million, eclipsing all other ransomware gangs.
But its motivations have not been purely financial.
“Over time, it’s become increasingly ideological,” said Robert Potter, an Australian cybersecurity expert.
“It’s been increasingly getting more comfortable being part of the Russia government.”
This proximity had its problems: Conti has had more trouble collecting ransoms, as victims are being advised that paying could mean violating US economic sanctions on Russia.
Some insurers are also saying they won’t pay out for Conti attacks, as the attack is deemed to be state-sponsored.
The group’s relationship with the Russian government came to a head at the end of February, when Russian president Vladimir Putin ordered the army to invade Ukraine.
Conti offered its full support to the Russian government:
Conti’s initial statement about the Russian invasion of Ukraine, published on its website. (Supplied: KrebsOnSecurity)
It then walked this declaration back, but the damage was done.
Days later, a Ukrainian security expert leaked many months’ worth of internal chat records between Conti personnel, exposing the daily, mundane inner workings of the criminal group.
One revelation was its size: Conti typically numbered fewer than 100 members.
After the leak, Conti went quiet. Then Costa Rica was attacked.
Who’s Hive?
An anonymised example of a Hive ransomware extortion demand. (Supplied: Group-IB)
The Hive ransomware group is newer than Conti and keeps a lower public profile, but the two have close ties.
Since the February data leak, some of Conti’s leadership reportedly joined Hive, leading to speculation that the two are much the same thing.
By rebranding as the lesser-known Hive, Conti would solve the problem of its perceived closeness with the Russian government.
Like most other ransomware groups, both Conti and Hive are based in Russia and eastern Europe.
CrowdStrike’s Adam Meyers said this week’s Hive attack was “interesting timing, because Conti has effectively shut down and it’s possible that the affiliate that was using Conti has moved to Hive”.
Is Russia behind it all?
The big question is the Russian government’s role in the attack. Here, expert opinions vary widely.
The government allows Russia-based ransomware gangs to operate and target victims outside the country, but that doesn’t mean it’s directing the attack against distant Costa Rica, Mr Meyers said.
“The Russian government clearly has their hands full right now.
“This is financially motivated. [The attackers] are trying to make money. These actors are coin-operated.”
Conti claims this is the case. In May, it posted on its website:
“No government of other countries has finalised this attack, everything was carried out by me with a successful affiliate. The purpose of this attack was to earn money.”
Conti couldn’t help taking a pot shot at “old fool” US President Biden. (Supplied: Conti)
But Esteban Jimenez has a very different take.
The Costa Rican cybersecurity expert regards the attack as an opportunity for the group to hurt a close US ally and follow through on its threat over support for Ukraine.
The Russian government may not have been involved, but the motivation was ideological, not purely…