ABC News
National technology reporter James Purtill

Costa Rica is 'at war' with Russian hackers and other countries will be next, experts warn

Ransomware gangs are targeting not only corporations, but entire countries, aiming to disrupt the lives of as many people as possible. (Supplied: Nanzeeba Ibnat)

This week, Costa Rica came under attack — again.

On Tuesday morning in the Central American country, printers at the national health service abruptly churned out copies of a ransomware note.

Hospital record-keeping systems went down, and screens flashed up demands for a digital key needed to unlock compromised files and servers.

This was just the latest in a string of cyber attacks that had knocked out basic government services, including the online tax portal and automated system for paying teachers' salaries.

The attackers boast: "Your country was destroyed by 2 people." (Supplied: Conti)

Costa Rica is now in an official state of emergency — the first time a country has done this in response to cyber attacks.

Security experts fear other countries will be next, as criminals spy soft targets in public infrastructure, like trains, hospitals, and schools.

And yes, that potentially includes Australia.

So who's responsible? And who's next?

'That's when the panic started'

Corporate and government ransomware victims typically avoid speaking publicly about the reputation-damaging events of an attack, but that was not the case with Costa Rica.

It was too big to hide.

The accounts of first responders provide a rare insight into how these attacks unfold — and the scramble to defend against them.

On April 18, Esteban Jimenez, founder of the Costa Rica-based cyber security company ATTI, received a call from the country's ministry of finance.

"All the systems were completely blocked," he told the ABC.

Esteban Jimenez helped develop Costa Rica's cybersecurity strategy. (Supplied: Esteban Jimenez)

The attackers appear to have infiltrated government computers with a tool called Cobalt Strike, which let them deploy its agent, named Beacon, on the target machines.

With Beacon, they could log keystrokes, transfer files, execute commands, and generally do everything necessary to steal and encrypt data.

In a ransomware attack, data is stolen or encrypted, and the attackers demand money to restore access to the data.

The first Cobalt Strike infiltration happened at least as early as February, and could have come through any number of routes, including email or a public servant visiting a compromised website.
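One defensive check that follows from the description above: an implant like Beacon calls home on a fixed interval with a small random jitter, so its traffic shows up as unusually regular connections between one host and one destination. The script below is an added illustration, not code from the article or from any of the responders it quotes. The proxy log lines, hosts, interval and thresholds are all constructed for the example.

```python
"""
Beaconing detection over a constructed proxy log.

Groups connections by (source, destination) and flags pairs whose
inter-arrival times are very regular (low coefficient of variation),
which is the signature of a periodic command-and-control check-in.
Everything in SAMPLE_LOG is made up for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> <source ip> <destination host> <bytes>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

SAMPLE_LOG = """\
2022-02-14T09:00:00 10.0.5.23 cdn-updates.example 512
2022-02-14T09:00:10 10.0.5.23 news.example 48213
2022-02-14T09:00:15 10.0.5.23 news.example 9120
2022-02-14T09:01:00 10.0.5.23 cdn-updates.example 498
2022-02-14T09:02:01 10.0.5.23 cdn-updates.example 503
2022-02-14T09:02:40 10.0.5.23 news.example 71044
2022-02-14T09:03:00 10.0.5.23 cdn-updates.example 511
2022-02-14T09:03:05 10.0.5.23 news.example 3320
2022-02-14T09:04:02 10.0.5.23 cdn-updates.example 507
2022-02-14T09:05:02 10.0.5.23 cdn-updates.example 499
2022-02-14T09:06:00 10.0.5.23 cdn-updates.example 510
2022-02-14T09:07:01 10.0.5.23 cdn-updates.example 502
2022-02-14T09:10:30 10.0.5.23 news.example 15872
2022-02-14T09:11:00 10.0.5.23 news.example 2201
2022-02-14T09:25:00 10.0.5.23 news.example 60114
2022-02-14T09:30:00 10.0.5.41 cdn-updates.example 515
2022-02-14T09:31:00 10.0.5.41 cdn-updates.example 509
2022-02-14T09:32:00 10.0.5.41 cdn-updates.example 512
"""


def parse_log(text):
    """Yield (timestamp, src, dst) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, _size = m.groups()
        yield datetime.fromisoformat(ts), src, dst


def detect_beacons(text, min_connections=6, max_cv=0.15):
    """
    Return {(src, dst): stats} for pairs that look like periodic check-ins.

    A pair is flagged when it has at least `min_connections` connections and
    the coefficient of variation (stdev / mean) of the gaps between them is
    at most `max_cv`. Both thresholds are illustrative, not tuned values.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few observations to judge regularity
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(intervals) < 2:
            continue  # stdev needs at least two gaps
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue  # only duplicate timestamps; nothing to measure
        cv = statistics.stdev(intervals) / mean
        if cv <= max_cv:
            flagged[pair] = {"connections": len(stamps), "mean_interval": mean, "cv": cv}
    return flagged


if __name__ == "__main__":
    for (src, dst), s in detect_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {s['connections']} connections every "
              f"~{s['mean_interval']:.0f}s (cv={s['cv']:.3f})")
```

On the constructed log, only the 10.0.5.23 to cdn-updates.example pair is flagged: eight connections roughly a minute apart with a second or two of jitter. The browsing traffic to news.example is far too irregular, and the second host has too few connections to judge. In a real environment the thresholds would be tuned against known-good periodic traffic such as update checks and monitoring agents.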

Mr Jimenez and the other first responders counted 860 servers either locked up with ransomware, or disabled in some other way by the attack.

The next step was to restore the servers from backups that system operators keep for just these occasions.

One problem: "There were no backups whatsoever," Mr Jimenez said.
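The failure described here, backups that turn out not to exist or not to be usable when they are finally needed, is something a defender can check for before an incident. The script below is an added illustration and is not code from the article or from the responders it quotes. It assumes a simple inventory of servers and backup records (all constructed here, with byte strings standing in for backup images) and reports, per server, why its most recent backup could not be restored from: none exists, it is too old, it sits on storage the production network can write to, or its contents no longer match the digest recorded when it was taken.

```python
"""
Backup coverage check: constructed example of verifying that every server
has a recent, offline, integrity-verified backup to restore from.
Servers, records and timestamps are all made up for this illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BackupRecord:
    server: str
    taken_at: datetime
    offline: bool      # stored on media the production network cannot write to
    sha256: str        # digest recorded when the backup was written
    payload: bytes     # stand-in for the backup image, so it can be re-hashed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


NOW = datetime(2022, 4, 18, 8, 0)  # constructed "incident time"
SERVERS = ["fin-web-01", "fin-db-01", "pay-app-01", "tax-portal-01", "customs-01"]


def _rec(server, hours_old, offline, payload, tamper=False):
    """Build a constructed record; `tamper` damages the image after its digest was recorded."""
    digest = sha256_hex(payload)
    if tamper:
        payload = payload + b"\x00"
    return BackupRecord(server, NOW - timedelta(hours=hours_old), offline, digest, payload)


RECORDS = [
    _rec("fin-web-01", 12, True, b"fin-web image"),              # good
    _rec("fin-db-01", 9 * 24, True, b"fin-db image"),            # too old
    _rec("pay-app-01", 6, False, b"pay-app image"),              # reachable from production
    _rec("tax-portal-01", 3, True, b"tax-portal image", tamper=True),  # corrupted
    # customs-01 has no record at all
]


def record_problems(rec, now, max_age):
    """List everything that would stop this one backup being relied upon."""
    problems = []
    age = now - rec.taken_at
    if age > max_age:
        problems.append(f"stale ({age.days} days old)")
    if not rec.offline:
        problems.append("not offline")
    if sha256_hex(rec.payload) != rec.sha256:
        problems.append("integrity mismatch")
    return problems


def coverage_report(servers, records, now, max_age_days=1):
    """
    Map each server to a list of problems. An empty list means at least one
    backup passes every check; otherwise the freshest backup's problems are
    reported, or ["no backup"] when the server has none.
    """
    max_age = timedelta(days=max_age_days)
    report = {}
    for server in servers:
        mine = sorted((r for r in records if r.server == server),
                      key=lambda r: r.taken_at, reverse=True)
        if not mine:
            report[server] = ["no backup"]
            continue
        per_record = [record_problems(r, now, max_age) for r in mine]
        report[server] = [] if any(not p for p in per_record) else per_record[0]
    return report


if __name__ == "__main__":
    for server, problems in coverage_report(SERVERS, RECORDS, NOW).items():
        print(f"{server}: {'OK' if not problems else ', '.join(problems)}")
```

Run against the constructed inventory, only fin-web-01 comes back clean; the other four each fail for a different reason. The offline flag is the check that matters most against ransomware, since a backup that the compromised network can reach is one the attackers can encrypt along with everything else.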

"Every single system that was externally facing, every single app that the ministry [of finance] had available for people, was blocked."

With the systems down, disorder rippled through the country.

An entire country held to ransom

The attack affected 29 public institutions, including the ministries of finance, social security, meteorology, electricity, and sciences, innovation, technology and telecommunications.

Teachers found they weren't getting paid.

"The Ministry of Public Education had more than 13,000 teachers with wrong payments because they lost the actual system that was tracking down accurate payments," Mr Jimenez said.

Customs officers had to resort to paper forms, slowing the processing of imports, which meant food and other perishables spoiled on the docks.

"It's impossible for a person to deal with 200,000 forms manually every day."

Government services websites, the equivalents of Australia's ATO or MyGov, were offline.

Taxes couldn't be paid online.

First responders raced to get systems back online.

At one point, Mr Jimenez took the unconventional step of using the Wayback Machine, a free archive of the World Wide Web, to cobble together the source code for the ministry of finance website.

"We were able to pull out a full backup from the main website."

But even as they repaired the damage, more trouble was brewing.

Printers at the Costa Rican government health ministry printed out these notes after Hive attacked. (Supplied: Esteban Jimenez)

This week's follow-up attack saw the public health service shut down its digital record-keeping system, which has affected about 1,200 hospitals and clinics, and potentially thousands of patients.

Teachers are still getting paid the wrong amount and tax collection and customs declarations are still relying on manual forms.

Mr Jimenez estimates the attacks have cost at least half a billion dollars.

"And for a country of 5 million people, that's a lot of money.

"What we saw before were attacks targeting random private companies; never an attack like this.

"This was very, very well orchestrated."

Who's responsible?

Plotting the events of the attack is the easy part. Figuring out who is ultimately behind it all is a lot harder.

On the surface, it may seem obvious. According to media reports, the Russia-linked group Conti was responsible for the April attacks, while another Russian group, Hive, did the latest ones.

Costa Rican president Rodrigo Chaves declared the country was "at war" with Conti. (Getty Images: Juan Carlos Ulate)

But it's more complicated than this.

In recent years, the business of ransomware has evolved into a sophisticated ecosystem, with different groups offering specialised services for each part of the process.

Access brokers sell the initial access to the compromised network, while ransomware-as-a-service groups sell the platform required to carry out the attack.

Conti is one of these latter groups. For the Costa Rica attack, they were merely selling a service, said Adam Meyers, senior vice-president of intelligence for CrowdStrike, one of the largest cybersecurity companies in the world.

That leaves two missing pieces: the identities of the access broker and Conti's client, or affiliate.

The access broker appears to be Russian-speaking, Mr Meyers said.

Ahead of the attack, a Russian-speaking broker was advertising access "to a Costa Rican government entity" on "underground forums" covertly monitored by CrowdStrike.

The Costa Rican government wasn't warned at the time, Mr Meyers said.

"It would be difficult for us to notify everybody."

And what do we know about the identity of Conti's client? 

"Not much," Mr Meyers said.

"They used Conti and they were effective."

So, who's Conti?

Until recently, Conti was the biggest, baddest ransomware gang around.

In 2021, it extorted $US150 million, eclipsing all other ransomware gangs.

But its motivations have not been purely financial.

"Over time, it's become increasingly ideological," said Robert Potter, an Australian cybersecurity expert.

This closeness to the Russian state has had its problems: Conti has had more trouble collecting ransoms, as victims are being advised that paying could mean violating US economic sanctions on Russia.

Some insurers are also saying they won't pay out for Conti attacks, as the attack is deemed to be state-sponsored.

The group's relationship with the Russian government came to a head at the end of February, when Russian president Vladimir Putin ordered the army to invade Ukraine.

Conti offered its full support to the Russian government:

Conti's initial statement about the Russian invasion of Ukraine, published on its website. (Supplied: KrebsOnSecurity)

It then walked this declaration back, but the damage was done.

Days later, a Ukrainian security expert leaked many months' worth of internal chat records between Conti personnel, exposing the daily, mundane inner workings of the criminal group.

One revelation was its size: Conti typically numbered fewer than 100 members.

After the leak, Conti went quiet. Then Costa Rica was attacked.

Who's Hive?

An anonymised example of a Hive ransomware extortion demand. (Supplied: Group-IB)

The Hive ransomware group is newer than Conti and keeps a lower public profile, but the two have close ties.

Since the February data leak, some of Conti's leadership reportedly joined Hive, leading to speculation that the two are much the same thing.

By rebranding as the lesser-known Hive, Conti would solve the problem of its perceived closeness with the Russian government.

Like most other ransomware groups, both Conti and Hive are based in Russia and eastern Europe.

CrowdStrike's Adam Meyers said this week's Hive attack was "interesting timing, because Conti has effectively shut down and it's possible that the affiliate that was using Conti has moved to Hive".

Is Russia behind it all?

The big question is the Russian government's role in the attack. Here, expert opinions vary widely.

The government allows Russia-based ransomware gangs to operate and target victims outside the country, but that doesn't mean it's directing the attack against distant Costa Rica, Mr Meyers said.

"The Russian government clearly has their hands full right now.

"This is financially motivated. [The attackers] are trying to make money. These actors are coin-operated."

Conti claims this is the case. In May, it posted on its website:

Conti couldn't help taking a pot shot at "old fool" US President Biden. (Supplied: Conti)

But Esteban Jimenez has a very different take.

The Costa Rican cybersecurity expert regards the attack as an opportunity for the group to hurt a close US ally and follow through on its threat over support for Ukraine.

The Russian government may not have been involved, but the motivation was ideological, not purely financial, he said.

"I think money was not the problem for them. This was just a display of power."

Costa Rica refused to negotiate or pay the ransom, which started out at $US10 million and was later doubled.

Who's next?

Following the April attack, Conti warned it would target other countries next.

"Costa Rica is a demo version," it posted on its website.

The greater the potential disruption to the public, the better the target, CrowdStrike's Adam Meyers said.

"These organisations go after infrastructure that has to be up and running.

"Health care is a big one ... and schools and education.

"Here in the US, the school year typically starts in August or September. So we've seen a lot of ransomware targeting state and local government and schools at around that time period."

A hand-written notice posted outside a public health clinic in Costa Rica warning of system outages due to the Hive cyber-attack. (Supplied: Twitter @briankrebs)

Whoever's targeted, the trend for the number of attacks is climbing steeply: CrowdStrike observed, on average, more than 50 targeted ransomware demands per week last year, with each demand averaging a whopping $US6.1 million.

What about Australia?

Australia is already a target of ransomware attacks, typically against corporations.

But public infrastructure has also been targeted. In November, Conti attacked state-owned Queensland utility CS Energy, which said the event did not affect electricity supply to customers.

Attackers may well target more Australian government assets, Mr Meyers said.

"I don't see any reason why they wouldn't."

But if this happens, the public will not necessarily know about it.

Under Australia's new Ransomware Action Plan, organisations under ransomware attack will be required to report the incident to government.

But there's an exception for state and federal government agencies.

Robert Potter said developing countries like PNG, which was attacked last year, were the more likely target, as they generally had less sophisticated cyber defences.

"In popular imagination, ransomware gangs are robbing from the rich to pay the poor," he said.

"But in reality they're robbing from the poor to pay for their criminal escapades."

The Australian Cyber Security Centre (ACSC) is closely monitoring Conti "and other high-threat ransomware groups".

"Conti has successfully targeted and compromised Australian organisations from a range of sectors," ACSC head Abigail Bradshaw said.

She added that the Australian Signals Directorate identified and notified 57 potential victims of impending ransomware attacks in 2021-22, preventing these attacks from taking place.

"As well as demanding ransoms, cybercriminals in Australia and elsewhere are increasingly attacking the networks that keep people safe: hospitals, councils, utility providers and other essential services," she said.

"The attacks in Costa Rica underscore the need for international collaboration and coordination to address ransomware and other cyber threats."
