Costa Rica ransomware attack (2022)

From International cyber law: interactive toolkit
Date: The first wave of ransomware attacks started on 17 April 2022.[1] The second one was launched on 31 May 2022.[2]
Suspected actor: The alleged perpetrator of the first wave of attacks is the ‘Conti’ Group, while the second one is believed to have been conducted by the ‘Hive’ Group.[3] Both groups are reportedly based in the Russian Federation.[4]
Victims: 27 different public institutions of Costa Rica were targeted, including its Ministry of Finance, the Ministry of Science, Innovation, Technology and Telecommunications (MICITT), the National Meteorological Institute (IMN), the Costa Rican Social Security Fund and the Ministry of Labor and Social Security (MTSS).[5]
Target systems: Microsoft-based servers operated by the Costa Rican government.[6]
Method: The first attack was directed at the servers of the Costa Rican Ministry of Finance, disabling the Virtual Tax Administration (ATV) and the Customs Information System (TICA). Two days later, the website of the Ministry of Science, Innovation, Technology and Telecommunications was defaced. Hours later, Conti attacked an email server of the National Meteorological Institute, stealing the information therein.[7]

The Hive Group carried out its attack against the Costa Rican Social Security Fund (CCSS) by forcing the institution to shut down all its critical systems, including the Single Digital Health Record (EDUS) and the Centralized Collection System (SICERE).[8]

Purpose: The Conti Group, which claimed responsibility for the first group of attacks, demanded a US$20 million ransom in exchange for not releasing information stolen from the Ministry of Finance, including citizens’ tax returns and sensitive information about companies operating in Costa Rica.[9]

The Hive Group allegedly requested a payment of US$5 million in bitcoin, after which it would restore the operations of the Costa Rican Social Security Fund.[10]

Result: The government refused to pay the hackers, which it labelled “terrorist groups”.[11] As a result, the effects of the attack continued for several months until the end of June 2022.[12] During this time, the government was forced to temporarily shut down the computer systems used to declare taxes and for the control and management of imports and exports, causing an economic loss of about US$125 million in the first 48 hours following the attack.[13] Furthermore, teachers were unable to get paychecks, tax and customs systems were paralyzed and health officials were unable to access medical records.[14] On 8 May 2022, the president of Costa Rica issued an executive order proclaiming a national emergency due to the cyberattacks against the country’s public sector and stated that the country was in a “state of war”.[15]
Aftermath: After the declaration of a national emergency, unions negotiated with the government to ensure that workers would be paid despite the shutdown of social security systems.[16] The role of the United States in protecting ‘friendly nations’ from cyberattacks was also debated.[17] The Costa Rican government received technical assistance from Microsoft as well as the governments of the United States, Israel and Spain in order to restore its services.[18] The US State Department offered a US$10 million reward for information leading to the identification of persons in a leadership position within the Conti Group.[19] The Hive Group was effectively shut down in January 2023 following a coordinated effort by Europol and the German, Dutch and US authorities.[20]
Analysed in: Scenario 14: Ransomware campaign

Scenario 20: Cyber operations against medical facilities

Collected by: Yannick Zerbe

  1. Associated Press, ‘Costa Rica, 'under assault' is a troubling test case on ransomware attacks’ (NBC News, 17 June 2022).
  2. Tweet of the Costa Rican Social Security Fund of 31 May 2022 (confirming that the CCSS had been hacked in the morning of 31 May 2022).
  3. Christine Murray & Mehul Srivastava, ‘How Conti ransomware group crippled Costa Rica — then fell apart’ (Financial Times, 9 July 2022); Aruna Viswanatha & Dustin Volz, ‘FBI Disrupts ‘Hive’ Ransomware Group’ (Wall Street Journal, 26 January 2023).
  4. Joe Tidy, ‘Seven Russians sanctioned over ransomware cyber-crime’ (BBC News, 9 February 2023); Aruna Viswanatha & Dustin Volz, ‘FBI Disrupts ‘Hive’ Ransomware Group’ (Wall Street Journal, 26 January 2023).
  5. Christine Murray & Mehul Srivastava, ‘How Conti ransomware group crippled Costa Rica — then fell apart’ (Financial Times, 9 July 2022).
  6. Pratim Milton Datta & Thomas Acton, ‘Ransomware and Costa Rica’s National Emergency: A Defense Framework and Teaching Case’ (2023) Journal of Information Technology Teaching Cases 1.
  7. Christine Murray & Mehul Srivastava, ‘How Conti ransomware group crippled Costa Rica — then fell apart’ (Financial Times, 9 July 2022).
  8. Twitter thread of the Costa Rican Ministry of Finance of 19 April 2022 (announcing that, due to the shutdown of the systems, the deadline for filing taxes would be postponed).
  9. Associated Press, ‘Costa Rica, 'under assault' is a troubling test case on ransomware attacks’ (NBC News, 17 June 2022).
  10. Pratim Milton Datta & Thomas Acton, ‘Ransomware and Costa Rica’s National Emergency: A Defense Framework and Teaching Case’ (2023) Journal of Information Technology Teaching Cases 1.
  11. Joe Tidy, ‘President Rodrigo Chaves says Costa Rica is at war with Conti hackers’ (BBC, 18 May 2022).
  12. Associated Press, ‘Costa Rica, 'under assault' is a troubling test case on ransomware attacks’ (NBC News, 17 June 2022).
  13. Chamber of Foreign Trade of Costa Rica, ‘$125 millones en pérdidas estima Cámara de Comercio Exterior tras ciberataque que afectó aduanas’ (Facebook post, 19 April 2022).
  14. Associated Press, ‘Costa Rica, 'under assault' is a troubling test case on ransomware attacks’ (NBC News, 17 June 2022).
  15. Kevin Collier, ‘Costa Rica declares state of emergency over ransomware attack’ (NBC News, 11 May 2022).
  16. Office of the President of Costa Rica, ‘Conferencia de prensa del sector educativo - 21 de mayo 2022’ (Facebook, 21 May 2022) (confirming that the government has signed an agreement to advance the payment of the 3'160 teachers who were unable to receive paychecks due to the shutdown of the systems).
  17. Alan Suderman & Ben Fox, ‘Costa Rica chaos a warning that ransomware threat remains’ (AP News, 17 June 2022).
  18. Pratim Milton Datta & Thomas Acton, ‘Ransomware and Costa Rica’s National Emergency: A Defense Framework and Teaching Case’ (2023) Journal of Information Technology Teaching Cases 1.
  19. US State Department, ‘Reward Offers for Information to Bring Conti Ransomware Variant Co-Conspirators to Justice’ (6 May 2022).
  20. Europol, ‘Cybercriminals stung as HIVE infrastructure shut down’ (26 January 2023).