Wave of Attacks Against Costa Rica!

Conti gang relentlessly lashes their vulnerable systems

By Felipe Ruiz | April 27, 2022 | Category: Attacks

Conti, the gang we had said is supporting Russia in the cyberwar and that had suffered a significant breach of its internal chats, attacked some computer systems of the government of Costa Rica last week. Being a ransomware attack, Conti asked for 10M dollars. But the current president, Carlos Alvarado, said that the Costa Rican state would pay nothing! Now, on different fronts, the cyberattacks continue in a worrying expansion, even reaching private firms.

Timeline of events to date

On April 17, Conti began posting on its .onion.ly News channel about the hacking of Costa Rica's Ministerio de Hacienda. Apparently, these cybercriminals downloaded 1 TB from their portal hacienda.go.cr along with internal documents to be made public on the 23rd of this month. (At the time of writing this post, that governmental website is out of service.) The next day, they requested the aforementioned amount of money, suggesting the ministry pay it to keep their taxpayers' data. To make things worse, Conti later noted that they had additionally compromised the Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones (MICITT) website. (micitt.go.cr is also out of service at the time of this writing. This and the previous deactivation are said to have been preventive measures.) And in a section of that website, they left this message: "We say hello from conti, look for us on your network."

On April 19, the gang threatened to continue attacking Costa Rican ministries until it received its money. The same day, the Ministerio de Hacienda began to alert citizens about the actions of unscrupulous people who were masquerading as ministry workers and asking some of them to reset their passwords. It also provided telephone numbers that citizens could use to inform the authorities in case they received messages or calls of dubious origin. Then, without waiting for the deadline it had imposed earlier, Conti allegedly began to publish internal Costa Rican government documents, offering four links to .rar/.zip files. Moreover, materializing its threat, Conti stated it had stolen information from the Instituto Meteorológico Nacional and from the Radiográfica Costarricense's email servers. It concluded its message with an unsettling remark:

"The costa rica scenario is a beta version of a global cyber attack on an entire country."

On April 20, Conti continued with the publication of private data. It revealed a total of 15.08 GB, reaching 39.77 GB the following day. At that time, journalist Carlos Cordero of Costa Rica's El Financiero described the government's response to the situation as weak and erratic. Different sectors were already demanding clarity on the affected data and contingency plans, but the government was still hiding behind the investigation process. On April 21, Conti added the Fondo de Desarrollo Social y Asignaciones Familiares and the Ministerio de Trabajo y Seguridad Social to its list of victims. According to another report by Cordero, a year ago, Costa Rica's institutions suffered 819 attacks a week. Last week, after Conti's onslaught began, that number reached 1,468. Multiple attackers have targeted the websites of organizations in this country to exploit their vulnerabilities. In addition, as Cordero pointed out, they have taken advantage of the low IT security culture in Costa Rica.

The attacks, especially the one on the Ministerio de Hacienda, had already affected the declaration and payment of taxes, as well as Costa Rica's import and export operations. (Exporters' unions were already estimating losses of hundreds of millions "due to the bottlenecks caused by [...] outages related to the disruption of the tax and customs platforms.") The government, for its part, as Cordero communicated, presented a guideline with basic actions such as changing passwords, updating systems, deactivating unnecessary services and ports, and monitoring computer networks. However, these are recommendations to follow from the beginning, from a preventive point of view, not primarily to put out fires. By April 21, the government showed no signs of wanting to pay Conti. From there, the criminals had to move on to offer a discount:

Nevertheless, President Alvarado, nearing the end of his term, was emphatic in his Twitter video, saying they would not pay anything. In his view, this attack is not a money issue but seeks to threaten the country's stability at a transitional juncture. He asserted that the government was dealing with this incident rigorously and thoughtfully. They even signed a directive supposedly to strengthen security measures in public sector institutions. Meanwhile, the total amount of shared data reached 43.89 GB, although Conti spoke of compressed databases that, once unpacked, would correspond to 853 GB. They offered it to other malicious hackers (curiously, their "colleagues from Costa Rica") as ideal material for phishing and, consequently, for making a profit. Subsequently, as Cordero stated on April 22, almost 165,000 hacking attempts were detected in just the 100 institutions that had adopted security measures since the beginning of the week. Worryingly, more than 200 institutions had yet to take cybersecurity measures at that time.

That same day, President-elect Rodrigo Chaves expressed his concern about the cyberattacks and their consequences for the functioning of the institutions and the payment of salaries. The MICITT made it clear how right and necessary it is to prioritize and invest resources in cybersecurity across the country. And they insisted that they were in control of the situation, having blocked the attacks to prevent their spread to affected and unaffected institutions. However, what happened next does not seem to be firm proof of that.

On April 23, while Conti congratulated "Chavez" on his victory, flattered his country and people, and invited him to a private chat, the Junta Administrativa del Servicio Eléctrico de Cartago (JASEC) was becoming their newest victim. It seems that the servers used to manage JASEC's website, email, and administrative and revenue systems were encrypted. And although JASEC had to suspend the payment of bills temporarily, it reported that electricity and Internet services for its thousands of users were operating normally. On April 24, MICITT reported the detection of 201,000 hacking attempts in the previous 24 hours. Then, on April 25, as the Costa Rican government's refusal to pay solidified further, Conti began talking about lashing out at large companies in this nation that would be forced to pay:

[Image taken from Conti's site on April 26.]

"We will show you all your vulnerabilities." Security vulnerabilities are something these threat actors continue to take advantage of. One firm affected a few days ago was Aeropost. The data of approximately 5% of its clients in the region (i.e., not only in Costa Rica) was compromised. Yesterday, April 26, two more institutions were added to the list of Conti's victims: the Sede Interuniversitaria de Alajuela and the Instituto de Desarrollo Rural. Today, to add insult to injury, Conti seems to have extended its assaults to Peru.

How many more affected organizations will emerge in the coming days? We have no idea. What is clear to us at Fluid Attacks is that prevention is key. Contact one of our consultants, and find out how our ethical hackers can stay ahead of malicious hackers, identify your security vulnerabilities before they do, and help you protect your systems.