“We are at war and it is not an exaggeration.” This was one of the first strong phrases of Rodrigo Chaves as president. The same day he took office, on May 8th, 2022, he announced a national emergency decree, and on May 16th, after a week in power, he launched a series of measures against what he described as an “international terrorist attack”. It was no exaggeration: the transition between the government of the outgoing president, Carlos Alvarado, and that of Chaves was marked by the strongest cyberattack Costa Rica has experienced against State entities, an event that affected dozens of institutions and had a direct impact on the population.
On Monday, April 18th, the country woke up to the news that some basic systems of the Ministry of Finance were down, including the platform for declaring and paying taxes (ATV) and the customs systems. The government at the time reported that it was investigating what had happened, until it confirmed an attack attributed to an international group called Conti. The attackers demanded a payment of US$10 million to stop the hack, which was refused.
On April 21st, then-president Carlos Alvarado released a video to the press in which he ruled out agreeing to that demand for payment. “The first action that all Costa Ricans must take is to unite once again to face this threat. I reiterate that the Costa Rican State will not pay anything to these cybercriminals”, said the president. “I think this attack is not a matter of money, but seeks to threaten the stability of the country in a transition situation. They will not achieve this”, he concluded.
The attack on the tax platforms alone caused millions in losses for the country. The import and export sector reported an impact of US$30 million per day from the slowing or delay of the entry and exit of merchandise. It was not until almost two months later, on June 13th, that the ATV platform recovered and returned to operation, with an extraordinary schedule for the payment of taxes.
Along with the platforms of the tax administration, the country suffered attacks on nearly 30 State institutions with lesser impact. In a recent report, the Comptroller General of the Republic (CGR) identifies the institutions most affected at different times of the year, which were included in the emergency decree:
Ministry of Finance: exfiltration and encryption of information, impact on the functionality of operating systems
Administrative Board of the Municipal Electric Service of Cartago (Jasec): encryption of information and impact on computer systems
Radiográfica Costarricense: exfiltration of information and impact on computer services
Ministry of Science, Technology and Telecommunications: modifications to the website and impact on computer systems
Ministry of Health: compromised information of civil servants
Ministry of Labor and Social Security: exfiltration and encryption of information, impact on the functionality of operating systems
National Meteorological Institute: exfiltration of information and impact on computer services
Interuniversity Headquarters of Alajuela: exfiltration of information and impact on computer services
San Juan de Dios Hospital: files and hacking as a cyberattack
Attack on the Caja: Everyone was affected
The attack of May 31st, 2022 against the Costa Rican Social Security Fund (CCSS, the Caja), carried out when the new government authorities were already in office, deserves special mention. The institution described it as “extremely violent”.
The alert came early that Tuesday morning, when printers in different medical centers began printing messages from the attackers indicating how to recover the systems. Machines began to operate on their own, according to officials in hospitals such as San Vicente de Paul in Heredia, Enrique Baltodano in Liberia and others in San José.
The Comptroller General of the Republic reported in its recent report that social security was the victim of an attack carried out in stages. It began with the theft of social network credentials, followed by attacks on databases, exfiltration of information and impact on computer systems. The attack forced the Fund to take critical systems offline, such as the Single Health File (EDUS), which in many cases paralyzed the electronic scheduling of appointments and monitoring of patients, at least until September.
On the first day alone, more than 500 appointments were cancelled, and since then some complex procedures have been suspended indefinitely. The problem was the loss of access to critical patient information that had been available electronically, such as exams, x-rays and medical records. Staff had to apply contingency plans to resume care where possible. They had to go back to paper files and manual records, which the newer generations of officials were not used to or had never known. The Centralized Collection System (Sicere) was also affected, so it was necessary to extend deadlines and enable other forms of payment for employers and independent workers to meet their May obligations to the CCSS.
On June 1st, the executive president at that time, Álvaro Ramos, reported at a press conference that the impact of the attack was greater than announced. He also ordered an investigation into possible negligence. It was found that fewer than 15 computers in the Fund had installed the protection software donated by the Spanish government after the attack on the Treasury, just over a month before the attack on the CCSS. At that time, both the previous government and the current one had ordered a series of measures to reinforce the electronic security of the institutions, anticipating, as indeed happened, new hacking attempts.
Those responsible for the cyber attack
The cyberattacks on Costa Rica were perpetrated by two well-known organizations. The motives are still not entirely clear but, according to experts, they may range from political reasons, such as Costa Rica’s diplomatic support for Ukraine in its war with Russia last year, to the country’s high vulnerability to this modern type of crime.
The mode of operation is the same as the one used in other countries or against private companies around the world: gain access, steal information, keep it under control and collect large sums of money. The Conti group was responsible for hacking the Treasury and most of the other affected entities; the group itself claimed responsibility from the first moment in messages shared on the deep web. It is an organization of Russian origin, well established and highly experienced, with ramifications all over the world. Its mode of operation is ransomware attacks; that is, encrypting and stealing files and information from a server and then extorting the victim, collecting a ransom in exchange for that material.
Conti’s permanent members receive between US$1,500 and US$2,000 a month, plus additional amounts from ransoms. The group constantly recruits new staff because of high turnover, and does so through legitimate job boards as well as underground sites. The FBI linked Conti to more than 1,000 victims over the course of this year. In the case of Costa Rica, the US police agency offered a reward in exchange for information on those responsible.
In 2022 itself, it was reported that Conti would shut down its operations because of the actions taken against the group in North America. Its members, however, would migrate to other, smaller organizations still dedicated to cyberattacks. This is the case of Hive, a group that emerged in 2021 and whose aim is to hit companies and institutions related to the health sector. They were responsible for hacking the Costa Rican Social Security Fund.
In December of last year, this group revealed that they had attacked almost 400 health organizations, most of them in the United States, of which 104 paid a ransom in exchange for recovering the information. This organization, bolstered by Conti’s staff and expertise, has also been linked to attacks on Asian universities conducting life sciences research.
Because of the way both organizations operate, it is suspected that they may receive help from inside the countries they attack. For this reason, President Chaves stated in mid-May that the possible participation of Costa Ricans in the 2022 attacks was under investigation. These investigations are carried out by judicial and intelligence authorities, with the collaboration of other countries.
In permanent risk
Cyberattacks can continue, and the risk for Costa Rica is permanent. This is the warning from the experts, and one of the reasons they cite is the country’s vulnerability and lack of preparation. For example, on October 11th, 2022, the new victim was the municipality of Belén, which reported the theft of information. The Comptroller’s Office published a report in December, almost two months later, indicating that this local government was still in the process of recovery: it had not yet been able to generate the bills for water, garbage collection, road cleaning and park maintenance for October and November.
In this same report, from the end of November, the control entity pointed out a series of deficiencies in the handling of this emergency. Among them, it notes the poor coordination between the Ministry of Science and Technology and the National Emergency Commission in executing the care plan and the executive decree. The document also states that the group of experts created by the current government to deal with these incidents stopped meeting, and that the country lacks the technical capacity in human resources to strengthen the prevention of these incidents. Carlos Enrique Alvarado, Minister of the Micitt, announced the emergency declaration on May 16th, 2022 because of the cyberattacks perpetrated.
The Costa Rican government response
On November 29th, 2022, the Ministry of Science and Technology reported that it had sent an explanatory note to the Comptroller’s Office regarding the conclusions of this report. The director of Digital Governance of the Micitt, Paula Brenes, said the report omitted the steps the ministry had taken before the Civil Service to define the profiles of the technical personnel specialized in cybersecurity that each institution needs, according to its own budget. “Since November 16th, there are already 12 people to attend to incidents 24/7”, adds the official, who also highlights that they have additional monitoring and attack detection tools. “The report also omits that, together with the European Union and the OAS, a vulnerability study was carried out in 17 institutions that provide critical services, and regarding the analysis room, it is clarified that they meet every 15 days, on Wednesdays”, says Brenes.
The Micitt defends itself, saying that it maintains strict communication with the CNE to execute the signed emergency decree and that it complies with the timelines and processes of public procurement. The ministry in charge of technology adds that more than 1,000 officials received specialized training in at least 15 workshops and that, with the current tools, more than 734,000 alerts have been addressed in 165 institutions since May.
The Ministry of Science and Technology agrees with the experts on the need for greater investment in cybersecurity, in both equipment and personnel. Although it is the advisor and governing body on the matter, the Micitt clarifies that each of the state, central and local government institutions must adjust its budget, training and hiring of personnel to its own protection needs.
Experts in the field point out that what happened to government entities is a lesson for everyone at every level. Private companies must also strengthen their security mechanisms, and citizens must pay attention to how they handle their personal information. Criminals on the web are lurking and waiting for the slightest slip.