By ALAN SUDERMAN and BEN FOX – Associated Press
WASHINGTON (AP) – Teachers can’t get paychecks. Tax and customs systems paralyzed. Health authorities cannot access medical records or track the spread of COVID-19. A country’s president declares war on foreign hackers, saying they want to overthrow the government.
For the past two months, Costa Rica has been plagued by unprecedented ransomware attacks, disrupting everyday life in the Central American nation. It’s a situation that raises questions about the United States’ role in protecting friendly nations from cyberattacks at a time when Russian-based criminal gangs are attacking less developed countries in ways that could have major global ramifications.
“Today it is Costa Rica. Tomorrow it could be the Panama Canal,” said Belisario Contreras, former manager of the cybersecurity program at the Organization of American States, referring to a major Central American shipping route that carries a large amount of US import and export traffic.
Last year, cybercriminals launched ransomware attacks in the US, forcing the closure of an oil pipeline supplying the East Coast, shutting down production at the world’s largest meat processing company, and compromising a major software company with thousands of customers around the world.
The Biden administration responded with a slew of government actions, including diplomatic, law enforcement, and intelligence efforts, to pressure ransomware operators.
Since then, ransomware gangs have shied away from “big game” targets in the US to pursue victims who are unlikely to elicit a strong US response.
“They’re still productive, they’re making tremendous money, but they’re just not in the news every day,” Eleanor Fairford, deputy director of Britain’s National Cyber Security Center, told a recent US conference on ransomware.
It is difficult to track trends in ransomware attacks, in which criminals encrypt victims’ data and demand payment to restore it. The NCC Group, a UK cybersecurity company that tracks ransomware attacks, said the number of ransomware incidents per month has been higher so far this year than in 2021. The company noted that ransomware group CL0P is aggressively targeting schools and healthcare organizations that have resumed work after being shut down for several months.
But Rob Joyce, the director of cybersecurity at the National Security Agency, has said publicly that the number of ransomware attacks in Ukraine has declined since Russia invaded, thanks to rising concerns about cyberattacks and new sanctions making it harder for Russian-based criminals to move money.
The ransomware gang known as Conti launched the first attack against the Costa Rican government in April, demanding a $20 million payout, prompting newly installed President Chaves Robles to declare a state of emergency as tax and customs offices, utilities and other affected services were taken offline. “We are at war and that is no exaggeration,” he said.
Later, a second attack, attributed to a group called Hive, disabled public health and other systems. Information about individual prescriptions is offline and some workers are going weeks without their paychecks. It has caused significant difficulties for people like 33-year-old teacher Alvaro Fallas.
“I live with my parents and my brother and they depend on me,” he said.
Conti also attacked Peru’s secret service. The gang’s dark web extortion site is releasing allegedly stolen documents containing the agency’s information, such as a document marked “secret” detailing coca eradication efforts.
Experts believe developing countries like Costa Rica and Peru will remain particularly ripe targets. These countries have invested in digitizing their economies and systems, but do not have the sophisticated defenses of wealthier nations.
Costa Rica has long been a stable force in a region often known for upheaval. It has a long-established democratic tradition and well-run government services.
Paul Rosenzweig, a former senior DHS official and cyber consultant now legally residing in Costa Rica, said the country presents a test case of exactly what the US government owes friendly and allied governments that are victims of disruptive ransomware attacks. While an attack on a foreign country may not have a direct impact on U.S. interests, the federal government has a strong interest in curbing the way ransomware criminals can disrupt the global digital economy, he said.
“Costa Rica is a really good example because it’s the first,” Rosenzweig said. “Nobody has seen a government attacked before.”
So far, the Biden government has said little publicly about the situation in Costa Rica. The US has provided technical assistance through its Cybersecurity and Infrastructure Security Agency, via an information sharing program with nations around the world. And the State Department has offered a reward for arresting Conti members.
Eric Goldstein, executive assistant director for cybersecurity at CISA, said Costa Rica has a computer emergency response team that had an established relationship with colleagues in the US prior to the incidents. But his agency is expanding its international presence by establishing its first overseas attaché position in the UK. It is planning more in places that have not yet been specified.
“Of course, when we think about our role, CISA and the US government, it’s about protecting American organizations. But we know intuitively that the same threat actors use the same vulnerabilities to target victims across the globe,” he said.
Conti is one of the most prolific ransomware gangs currently active, having hit over 1,000 targets and received more than $150 million in payouts in the past two years, according to FBI estimates.
At the start of the invasion of Ukraine, some members of Conti vowed on the group’s dark web site to “use all our possible resources to strike back an enemy’s critical infrastructure” if Russia were attacked. Shortly thereafter, confidential chat transcripts apparently belonging to the gang were leaked online, some of which appeared to show links between the gang and the Russian government.
Some cyber threat researchers say Conti may be in the midst of a rebrand, and its attack on Costa Rica could be a publicity stunt to provide a plausible story behind the group’s demise. Ransomware groups that get a lot of media attention often disappear, only for their members to reappear later with a new name.
Conti has denied this on its dark web site and continues to publish files on the victims. The gang’s most recent targets include a city parks department in Illinois, a manufacturing company in Oklahoma, and a grocer in Chile.
AP writer Javier Córdoba contributed from San Jose, Costa Rica.
Copyright 2022 The Associated Press. All rights reserved. This material may not be published, broadcast, transcribed or redistributed without permission.