Costa Rica has declared a national emergency due to an attack on government systems perpetrated by Russian-speaking cyber criminals.
President Rodrigo Chaves – an economist who was only just sworn into office on Sunday – signed an executive decree describing the attack of 18 April as an act of “cyber terrorism”.
The decree means a state of emergency is in effect across the country’s entire public sector, in what is believed to be a world first for a State response to a cyber attack.
The Conti ransomware gang has claimed to be behind the attack. It is seeking to extort millions from the government of Costa Rica by publishing stolen data online as well as rendering IT systems unusable across several ministries.
A post on the president’s Facebook page has confirmed the decree although a spokesperson for Costa Rica’s ministry for foreign affairs was unable to provide a comment to Sky News.
The US State Department cited the attack last Friday when it announced up to $15m in rewards for information about the key leadership of the gang.
It stated: “In offering this reward, the United States demonstrates its commitment to protecting potential ransomware victims around the world from exploitation by cyber criminals.
“We look to partner with nations willing to bring justice for those victims affected by ransomware,” the department added – potentially looking to distinguish itself from China, which has been accused of permitting cyber attacks, and with whom Costa Rica has developed close ties.
The State Department added the ransomware group “has been responsible for hundreds of ransomware incidents over the past two years” and that the FBI estimates it has made more than $150m from victim payouts.
But leaked internal chat logs suggest it could have received far more.
Image: Conti declared its ‘full support’ for the Russian government over the invasion of Ukraine. Pic: Reuters
Ukrainian cyber criminal turns against Russian colleagues
Shortly after Russia‘s invasion of Ukraine, the gang – which was behind the “catastrophic” attack on Ireland’s national health service – announced its “full support” for the Russian government.
The gang warned: “If anybody will decide to organise a cyber attack or any war activities against Russia, we are going to use […] all possible resources to strike back at the critical infrastructures of an enemy.”
While a later statement attempted to retract the criminal group’s explicit support for the Kremlin, clarifying it was “a response to Western warmongering”, the damage was done.
It significantly led to an apparently disgruntled Conti insider taking umbrage with their former colleagues’ support for the Russian invasion.
This insider leaked the group’s internal chat logs – providing a treasure trove to investigators – signing off their message with: “Glory to Ukraine!”
Among the cache of thousands of internal messages detailing the ransomware group’s activities were some suggesting the gang targeted Bellingcat researchers investigating the poisoning of Alexey Navalny, indicating to those researchers the criminals’ affiliation with the Russian security services.
The leaks also contained the gang’s cryptocurrency addresses which – by today’s cumulative valuation, certainly much higher than the value of these transactions at the time they occurred – show the gang has brought in more than $2.7bn in Bitcoin since 2017.
State of emergency needed?
Alexandra Paulus, a fellow for international cybersecurity policy at Berlin-based think tank Stiftung Neue Verantwortung (New Responsibility Foundation), told Sky News the attack compared to another on the German municipality of Anhalt-Bitterfeld.
It wasn’t the first municipality to be hit my ransomware but it was the most notable, Ms Paulus said, explaining that “municipal services were affected for weeks on end” forcing the authority to declare a state of disaster and call in the Bundeswehr, the German armed forces, to offer support.
Costa Rica’s state of national emergency is intended to “allow our society to respond to these attacks as criminal acts,” said President Chaves, although the country disbanded its military in 1948.
“When Anhalt-Bitterfeld declared a state of disaster, four days after becoming aware of the ransomware incident, they explained that this was due to the large scale of the incident and lack of clarity when municipal services would be resumed,” Ms Paulus said.
“Declaring a state of disaster was mostly a political decision that facilitated external communication to the public and other governmental entities that the municipality asked for support.
“It also facilitated hiring private IT service providers. In turn, when the municipality asked the Bundeswehr for support, it caused much debate in Germany, where many are sceptic of deploying the armed forces domestically. The soldiers supported the municipality in setting up new computers,” Ms Paulus added.
Costa Rica’s finance ministry was the first to report problems as a result of the attack and much of the country’s tax and social security systems are still not functioning.
