Behind the Hack: Costa Rica
Target: The Costa Rican government
Date of attack: April 18, 2022
Quick take: In mid-April 2022, the Costa Rican government was hit with a major cyberattack that compromised the Finance and Labor Ministries, other state entities, and critical infrastructure systems. The attack initially caused disruptions to tax collection, pension payments, and trade operations, and it rapidly spread to other agencies. One of the most significant consequences was a drastic reduction in import and export volume, which likely caused millions of dollars per day in losses. The Russian cybercriminal syndicate Conti claimed responsibility for the attack, and the hackers demanded a ransom of $10 million.
Why it matters: The cyberattack on Costa Rica is significant for many reasons. First, it was a large-scale assault that crippled services ranging from commerce to critical infrastructure – a reminder that cybercriminals’ capabilities are always increasing. Second, the attack may have been retaliation for Costa Rica’s condemnation of Russia’s invasion of Ukraine: Conti has offered to support Moscow’s war effort, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about attacks from the organization in February.
Third, Conti launched a two-tier cyberattack – while the government’s systems were down, the organization was publishing sensitive information it had stolen (such as taxpayer data) on the dark web in an effort to coerce the Costa Rican government into paying the ransom. This is why the effects of cyberattacks can often still be felt long after the initial disruptions are under control. IBM reports that it takes an average of 287 days to identify and contain a data breach, but stolen information can remain on the dark web for good.
We’ve got a hack for that: Allan Liska, an intelligence analyst with Recorded Future, says the most likely reason the Costa Rican government was targeted is that its systems “had a number of vulnerabilities and one of the ransomware actors discovered these vulnerabilities and was able to exploit it.”
A major theme of NINJIO’s content is the concept of proactive cybersecurity. Companies can’t afford to be reactive when it comes to cyberthreats, which are constantly evolving as cybercriminals assess organizations’ defenses, identify new attack vectors, and develop increasingly sophisticated strategies. Because the vast majority of these strategies continue to rely on social engineering, NINJIO’s cyber-awareness training platform is only becoming more essential. An AP report about the attack on Costa Rica notes that “Conti typically rents out its ransomware infrastructure to ‘affiliates’ who pay for the service.” NINJIO has a blog post coming out about the growing cybercriminal economy on the dark web – as well as the U.S. government’s effort to put this black market out of business (the most recent success in this effort was the seizure of Hydra, the world’s largest forum for cybercriminals). Proactive cybersecurity is even more crucial as the number of cybercriminals surges and their capacities continue to increase.