OODA Loop

Understand tomorrow, today.

Costa Rica in a State of Emergency: Is Conti Gang Cyber Attack a “Sphere of Influence” Shot Across the Bow?

Archive, OODA Original, Security and Resiliency / by

When it comes to the current cyberwar, from the emergence of “protestware (aka sabotaging open-source code as a form of hacktivism) or a series of unique Joint CSAs (such as the recent Joint Cybersecurity Advisory, such as the recent Five Eyes Joint CSA on the Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure), we have tried to capture in the pages of OODA Loop what one OODA Network member characterized in our recent monthly meeting as “a tremendous amount of free fire activity from a variety of uncontrolled, unilateral, private actors”:

“At any moment, any one of these could pop and be the next headline crisis that you all may have to deal with – because if it’s adjacent to your sector and it hits something inside Russia, they may decide to conduct symmetric retaliation. There is also no guarantee that it will stay symmetric. There’s a very strong likelihood that they will be an interest-based targeting more than simple reciprocity – where the adversary has become attuned to what is driving Western policy concerns in a way that we have not seen before – and that includes the use of proxy actors within the ransomware continuum criminal enterprise.”

It is not the first time an OODA Loop member was remarkably prescient in their characterization of current geopolitical or strategic risk awareness.  In light of these recent events, we turn now to a very recent incident of interest-based targeting which may be a cyber “shot across the bow” in the Western Hemisphere directed at the U.S. in the larger geopolitical strategic cyberwar.


OODA Loop Sponsor

Timeline of the Attack and Response

Yesterday, on the day when a new president took the helm in Costa Rica, a state of emergency was declared in the country based on the impact of a cyber-attack by the Russia-affiliated Conti Ransomware Gang.

Following is what the journalist trade calls a “tic-toc” of the incident – with a formative analysis of mitigation efforts and impacts of the attack and the ongoing impact of the state of emergency.

The Week of Monday, April 18th: Costa Rican governmental systems are hit by a ransomware attack:

“The disruption of multiple systems was first reported a week ago by the country’s Finance Ministry. An attack on the ministry impacted several processes, including tax collection, the payment of public employees, and the importation and exportation of goods through Costa Rica’s customs agency.

Further attacks were waged against Costa Rica’s Labor Ministry, the Ministry of Science, Innovation, Technology and Telecommunications (MICITT), the National Meteorological Institute (IMN), the Radiográfica Costarricense (RACSA), and a human resources portal belonging to the country’s Social Security agency, Caja Costarricense de Seguro Social.”  (2)

Russia-based Conti ransomware gang provided the following confirmation:

“Conti claims to have gained access to about 800 servers belonging to the government and has reportedly demanded a ransom payment of $10m. The gang claims to have stolen 1TB of data in the attack, including 900GB of databases from a tax administration portal and 100GB of internal documents containing personal information which belong to the Ministry of Finance.” (2)

Costa Rican security organizations provided an official attribution later in the week.

Translation:  “At this time, a perimeter security review is being carried out on the Conti Ransomware, to verify and prevent possible attacks at the CCSS level.”

Outgoing Costa Rican President Carlos Quesada confirmed the attack in a Twitter-based address to the Latin American nation on Thursday, April 21st.   From the address:

“It is not just an attack on the institutions affected, the government or importers and exporters. It is a criminal cyberattack on the state and the entire country. It cannot be separated from the complex global geopolitical situation in a digitalized world.”

“There are several institutions that have been attacked, the most notable being the Ministry of Finance. Pension payments have already been deposited and social assistance, such as the Let’s Advance program, will start tomorrow as is scheduled. The same will be done next week with the public forms as well work is being done to standardize import and export processes.” (1)

Early analysis assumed that Costa Rica was a target because it is in a transition of power since the election of a new President on April 4th: President Quesada validated this early sentiment:  “This attack is not only about money.  They [the attackers] are trying to threaten the stability of the country in a transition situation.”

April 26th:  Costa Rica Refuses to Pay Cyber Ransom.  While Quesada mentioned this official government stance in his address to the nation – “The Costa Rican state will not pay anything to these cybercriminals” – government agencies have held firm in not paying what is estimated to be a $10 million ransom:

“Allan Liska, an intelligence analyst with security firm Recorded Future, said that Conti was pursuing a double extortion: encrypting government files to freeze agencies’ ability to function and posting stolen files to the group’s extortion sites on the dark web if a ransom wasn’t paid.  The first part can often be overcome if the systems have good backups, but the second is trickier depending on the sensitivity of the stolen data, he said.  Conti typically rents out its ransomware infrastructure to “affiliates” who pay for the service. The affiliate attacking Costa Rica could be anywhere in the world, Liska said.” (3)

In general, from news outlets as varied as time.com to the San Jose-based Tico Times to Reuters and threatpost, the impact of the ransomware face-off has been characterized as “crippling” and “chaotic.”

May 6th:  The U.S. State Department offers a $10 million bounty for information about Conti members, operators, and affiliates.  Details of the State Department action can be reviewed here.

May 9th: From our friends over at The Record:  Costa Rica’s new president declares state of emergency after Conti ransomware attack:  “The newly-inaugurated president of Costa Rica – Rodrigo Chaves – declared a state of emergency due to a devastating ransomware attack launched by the Conti group.   Following his swearing-in ceremony on Sunday, Chaves held his first government council, where he announced a national emergency and attributed it to the attack’s effects on the Ministry of Finance, which has been hit hardest by the attack.”  (4)

Mitigation Efforts and Ongoing Impacts

Based on a formative analysis:

  • Organizations officially impacted by the ransomware attack include:
    • The Finance Ministry
    • The Ministry of Science, Innovation, Technology, and Telecommunications
    • The Labor and Social Security Ministry
    • The Social Development and Family Allowances Fund
    • The National Meteorological Institute
    • The Costa Rican Social Security Fund
    • The Interuniversity Headquarters of Alajuela (5)
  • The initial attack forced the Finance Ministry to shut down for several hours the system responsible for the payment of a good part of the country’s public employees, which also handles government pension payments. It also has had to grant extensions for tax payments. (time.com)
  • Some platforms, including those of tax and customs, remained suspended for a fourth day, causing a bottleneck in imports and exports. The country’s exporters union reported losses of $200 million on Wednesday. (Reuters)  Christian Rucavado, executive director of Costa Rica’s Exporters Chamber, said the attack on the customs agency had collapsed the country’s import and export logistics. He described a race against the clock for perishable items waiting in cold storage and said they still didn’t have an estimate for the economic losses. Trade was still moving, but much more slowly. “Some borders have delays because they’re doing the process manually,” Rucavado said. “We have asked the government for various actions like expanding hours so they can attend to exports and imports.” He said normally Costa Rica exports a daily average of $38 million in products.  (time.come)
  • Conti ransomware cripples systems of electricity manager in Costa Rican town:  On April 25, the attack expanded, “taking down the administrative systems of the government agency managing the electricity in Cartago.   Junta Administrativa del Servicio Eléctrico de Cartago (JASEC), which runs the electricity in the city of about 160,000 people, has released several notices on Facebook explaining that all of its administrative systems were encrypted this weekend. (The Record)
  • Officials are still working to assess the damage, prevent new attacks and restore services with the help of experts from private companies, international organizations and countries including the United States, Spain and Israel. (Reuters)
  • Costa Rica receives massive number of cyber-attacks in one 24-hour period:  “The number of cyber-attacks hitting Costa Rica is at an unprecedented level. According to the director of Digital Governance, Jorge Mora, the Ministry of Science, Innovation, Technology and Telecommunications (MICITT) indicated that more than 4 million attacks have been attempted on Costa Rica’s public intuitions in one recent 24-hour period.  The more than 4 million recent cyber-attack attempts are divided into the following categories:
    • 2.7 Million of Malware
    • 800,000 Phishing
    • 84,000 Crypto Mining
    • 1.2 million of Command and Control Activities (Conti style)
  • The Conti Ransomware gang…has already leaked 50% of the data it has stolen, including over 850GB from the Finance Ministry as the Costa Rican government insisted that it will not pay the demanded ransom that is reported to be 10 million dollars. (Tico Times)

Individual and Civic Responsibility to Cognitive Infrastructure and Psychological Defense

As our readership knows, we are always specifically concerned with the cognitive infrastructure failures on the ground with a general population, both a) how this is translating into misinformation and b) how prepared the population is to react at an individual and community-level with tools to combat these failures.  So far, the impact on the general population can be characterized as the broad impacts a state of emergency and failed countrywide computational power and internet access would have on any population which is severe and, as discussed, chaotic and crippling.

What Next?

“Conti acts on a ransomware-as-a-service (RaaS) model, with a vast network of affiliates and access brokers at its disposal to do its dirty work. The group also is known for targeting organizations for which attacks could have life-threatening consequences, such as hospitals, emergency number dispatch carriers, emergency medical services and law-enforcement agencies.

The attack on Costa Rica could be a sign of more Conti activity to come, as the group posted a message on their news site to the Costa Rican government that the attack is merely a “demo version.” The group also said the attack was solely motivated by financial gain as well as expressed general political disgust, another signal of more government-directed attacks.” (6)

Stay Informed

It should go without saying that tracking threats are critical to inform your actions. This includes reading our OODA Daily Pulse, which will give you insights into the nature of the threat and risks to business operations.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast

 

 

About Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.