
Wave of Attacks Against Costa Rica!

Conti,
the gang we had reported to be supporting Russia in the cyberwar
and to have suffered a significant breach of its internal chats,
attacked some computer systems of the government of Costa Rica
last week.
Since this was a ransomware attack,
Conti demanded 10M dollars.
But the current president,
Carlos Alvarado,
said that the Costa Rican state would pay nothing!
Now, from different fronts,
the cyberattacks continue to expand worryingly,
even reaching private firms.

Timeline of events to date

On April 17,
Conti began posting on its .onion.ly News channel
about the hacking of Costa Rica’s Ministerio de Hacienda.
Apparently,
these cybercriminals downloaded 1 TB
from the ministry's portal hacienda.go.cr,
along with internal documents
to be made public on the 23rd of this month.
(At the time of writing this post,
that governmental website is out of service.)
The next day,
they requested the aforementioned amount of money,
suggesting that the ministry pay it
to keep its taxpayers' data from being published.
To make things worse,
Conti later noted that
they had additionally compromised the Ministerio de Ciencia,
Innovación, Tecnología y Telecomunicaciones (MICITT) website.
(micitt.go.cr
is also out of service
at the time of this writing.
This and the previous deactivation are said
to have been preventive measures.)
And in a section of that website,
they left this message:
“We say hello from conti,
look for us on your network.”

[Image 1]

On April 19,
the gang threatened to continue attacking Costa Rican ministries
until it received its money.
The same day,
the Ministerio de Hacienda began alerting citizens
about unscrupulous people
who were masquerading as ministry workers
and asking some of them to reset their passwords.
It also provided telephone numbers
that citizens could use to inform the authorities
if they received messages or calls of dubious origin.
Then,
without waiting for the deadline it had set,
Conti allegedly began to publish
internal Costa Rican government documents,
offering four links
to .rar/.zip files.
Moreover,
making good on its threat,
Conti claimed
to have stolen information
from the Instituto Meteorológico Nacional
and the Radiográfica Costarricense's email servers,
and concluded its message
with an unsettling remark:

“The costa rica scenario is a beta version
of a global cyber attack on an entire country.”

On April 20,
Conti continued with the publication of private data.
It revealed a total of 15.08 GB,
reaching 39.77 GB the following day.
At that time,
journalist Carlos Cordero
of Costa Rica's El Financiero
described the government's response to the situation
as weak and erratic.
Different sectors were already demanding clarity
on the affected data and contingency plans.
But the government was still hiding
behind the investigation process.
On April 21,
Conti added the Fondo de Desarrollo Social y Asignaciones Familiares
and the Ministerio de Trabajo y Seguridad Social
to its list of victims.
According to another report by Cordero,
a year ago,
Costa Rica’s institutions suffered 819 attacks a week.
Last week,
after Conti’s onslaught began,
that number reached 1,468.
Multiple attackers have targeted the websites of organizations
in this country
to exploit their vulnerabilities.
In addition,
as Cordero pointed out,
they have taken advantage of the low IT security culture
in Costa Rica.

The attacks,
especially on the Ministerio de Hacienda,
had already affected the declaration and payment of taxes,
as well as Costa Rica’s import and export operations.
(Exporters’ unions were already estimating losses
of hundreds of millions
“due to the bottlenecks
caused by […] outages
related to the disruption of the tax and customs platforms.”)
The government,
for its part,
as Cordero communicated,
presented a guideline with basic actions
such as modifying passwords,
updating systems,
deactivating unnecessary services and ports,
and monitoring computer networks.
However,
these are recommendations to follow from the outset,
as preventive measures,
not primarily as a way to put out fires.
By April 21,
the government showed no signs of wanting to pay Conti.
From then on,
the criminals moved on to offering a discount:

Nevertheless,
President Alvarado
—nearing the end of his term—
was emphatic in his Twitter video,
saying they would not pay anything.
In his view,
this attack is not about money
but seeks to threaten the country's stability
at a transitional juncture.
He asserted that
the government was rigorously and thoughtfully dealing
with this incident.
They even signed a directive
supposedly to strengthen security measures
in public sector institutions.
Meanwhile,
the total amount of shared data reached 43.89 GB,
although Conti spoke of compressed databases
that, once unpacked, would amount to 853 GB.
They offered it to other malicious hackers
(curiously, their "colleagues from Costa Rica")
as ideal material for phishing and,
consequently,
for making a profit.
Subsequently,
as Cordero stated on April 22,
almost 165,000 hacking attempts were detected
in at least the 100 institutions
that had adopted security measures since the beginning of the week.
Worryingly,
more than 200 institutions had yet to take cybersecurity measures
at that time.

That same day,
President-elect Rodrigo Chaves expressed his concern
about cyberattacks and their consequences
on the functioning of the institutions
and the payment of salaries.
MICITT stressed
how necessary it is to prioritize
and invest resources in
cybersecurity across the country.
It also insisted that
it was in control of the situation,
having blocked the attacks
to prevent their spread in affected and unaffected institutions.
However,
what happened next hardly seems to bear that out.

On April 23,
when Conti congratulated “Chavez”
on his victory,
flattered his country and people,
and invited him for a private chat,
the Junta Administrativa del Servicio Eléctrico de Cartago (JASEC)
was becoming their newest victim.
It seems that the servers used to manage JASEC’s website,
email and administrative and revenue systems were encrypted.
And although JASEC had to suspend the payment of bills temporarily,
it reported
that electricity and Internet services
for its thousands of users
were operating normally.
On April 24,
MICITT reported the detection of 201,000 hacking attempts
in the last 24 hours.
Then,
on April 25,
as the Costa Rican government's refusal to pay solidified further,
Conti began talking about lashing out at large companies in this nation
that would be forced to pay:

[Image 3: image taken from Conti's site on April 26.]

“We will show you all your vulnerabilities.”
The security vulnerabilities are something
that these threat actors continue
to take advantage of.
One firm affected a few days ago
was Aeropost.
The data of approximately 5% of their clients
in the region (i.e., not only in Costa Rica)
were compromised.
Yesterday,
April 26,
two more institutions were added to the list of Conti’s victims:
the Sede Interuniversitaria de Alajuela
and the Instituto de Desarrollo Rural.
Today,
to add insult to injury,
Conti seems to have extended its assaults to Peru.

How many more affected organizations
will emerge in the coming days?
We have no idea.
What is clear to us
at Fluid Attacks
is that prevention is key.
Contact
one of our consultants,
and find out how our ethical hackers
can stay ahead of malicious hackers,
identify your security vulnerabilities before they do,
and help you protect your systems.

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/conti-gang-attacked-costa-rica/