Cyberattacks: a month after declaring a state of emergency, what is the situation in Costa Rica?

After locusts, pestilence, hailstorms, the death of the firstborn, are cyberattacks the new biblical plague? Far from religious imagery, this scourge has been hitting Costa Rica hard for almost three months. To the extent that, on May 11, shortly after his inauguration, the new president Rodrigo Chaves declared a state of national emergency, a first.

“Declaring a state of emergency has allowed us to concentrate the nation’s efforts on guaranteeing the lockdown, eradication and solving of the ransomware attacks” by the Conti criminal group, one of the main attackers, assured Raúl Rivera, Cyber & Intelligence Manager for Mastercard Costa Rica.

In fact, this declaration enabled the immediate reallocation of Covid-19 emergency funds to the fight against cyberattacks of an unprecedented scale. The first wave hit national systems on April 12, in particular social security and employment services, which were severely disrupted. They have since kept coming, in an increasingly violent fashion. On the 18^th, the Labor and Science Ministry, the National Institute of Meteorology and social security bodies, but especially the Ministry of Finance, were hit.

The hackers claim to have stolen close to a Terabyte of data from the latter. Income tax filing services for private individuals, as well as import-export management services, the country’s economic artery, make an attractive target for cybercriminals. They have requested the payment of a ten million dollar ransom, before doubling the amount and continuing attacks when the government refused to cooperate.

Large scale cyber blackmail

This is a brave position, considering that the crisis is costing Costa Rica the daily trifle of 38 million dollars. And the hackers are not letting up: on May 31, the Costa Rican Social Security Scheme was attacked once again, this time by the Russian ransomware group Hive. The institution explained that the ransomware infected 30 of the 1,500 government servers, which was enough to force it to take its systems offline.

“Beyond the impact on the availability of vital services to citizens, a cyberattack can […] affect a country’s financial stability, […] the protection of privacy, […] a country’s reputation and trustworthiness locally and abroad, […] compliance with laws and national and international regulations,” listed Raúl Rivera on inCyber’s mic.

To the extent that the consequences of these widespread attacks can be compared to a natural disaster? The Cyber & Intelligence Manager for Mastercard did not go that far, but he did leave the question open. In concrete terms, tax revenue is almost paralyzed, as are tariffs, for which civil servants must now fill out the forms manually. The wages of government agents are backlogged, and citizens can no longer access public services online.

“Attacks on social security systems could potentially compromise the timely treatment of patients suffering from urgent health problems,” also worried Raúl Rivera.

“A cyberattack can therefore have direct consequences on people’s lives in terms of public health, access to essential utilities like water, power, food, medicine, among other things, as well as the security of other social services like air traffic control and environmental controls,” he elaborated.

Wages, taxes and health hammered

The country suffered from a wide spectrum of a cyberattack’s dire consequences, and is struggling to resolve this situation despite the state of emergency. And with good reason. A few hours only after President Rodrigo Chaves’ bold declaration, the national committee for risk prevention and emergency management (CNE) of Costa Rica announced it had no roadmap, no strategy and no plan to deal with the crisis. A cold shower.

“Declaring a state of emergency could clearly be centered around anything that has an effect on a nation’s essential services. Currently, Costa Rica’s national cybersecurity plan has not yet integrated risk scenarios that take into account the declaration of essential services and possible courses of action for the nation’s cyber-resilience,” confirmed Raúl Rivera.

In 2012, the Ministry of Science, Innovation, Technology and Telecommunications (MICITT) did put together a national response team to deal with cybersecurity incidents (CSIRT). And, in 2017, the Costa Rican government officially drew up a national cybersecurity strategy, outlining the measures to take to defend the nation from cyberattacks. But it seems these decisions were never acted on, hence the current situation. Since then, the government has been doing its best to plug the gaps:

“In partnership with Israeli, American and Spanish governments, the Costa Rican government is working on a series of lockdown measures to control the extent of the impact these incidents have had,” explained our guest.

Measures taken while under pressure by cybercriminals who are continuing their attacks against the country’s infrastructure. Yet the government is already planning for the next phase: “A series of measures are being put together to prevent a similar situation from occurring in the future, taking into account technological aspects, processes and people tied to government services,” he added. His diagnosis is clear:

“I think one the main reasons these cyberattacks were allowed to happen is that we considered a nation’s cybersecurity as only having to do with technological aspects.”

In addition to the aforementioned declaration of essential services, Raúl Rivera insists on the need to work towards a “clear understanding of the associated cyber risks and the impact they can have on a country beyond the availability of services and the protection of privacy and personal data.”

Learning “cyber-hygiene”

He also deems it essential to “study the TTPs (tactics, techniques and procedures) used by these criminals in order to better prepare to deal with the advanced persistent threats (APTs) that we will continue to face on a global scale.” Beyond these necessary diagnostics, he insists on learning “cyber-hygiene” in public services, in particular when it comes to “separating work and personal spaces”.

“Most of these attacks are carried out using regular email services and other messaging applications, and people are not aware of the phishing campaigns led by cyber-attackers,” he emphasized.

The fact remains that the task ahead in Costa Rica is huge. The country is at square one in terms of strategic cybersecurity. And while a crash course in cyber risks is necessary, infrastructure, procedures and even legislation must be upgraded.

Indeed, Rodrigo Chaves spoke of cybercriminals and cyberterrorists. While the former are mentioned in Costa Rican law, the latter aren’t. Furthermore, the president has declared the country “at war”, which is unprecedented, considering Costa Rica abolished its army 70 years ago.

Beyond this national facet, which will have to find answers in due course, the case of Costa Rica, which was attacked by cybercriminals often residing in Russia, raises real international issues:

“Costa Rica is one of the countries that took part in the Budapest Convention’s initial project, yet this agreement does not provide the necessary tools to take legal action against individuals or groups based in parts of the world that are not parties to the agreement, which complicates legal matters on an international level,” regretted Raúl Rivera.

While cyberthreats continue to grow globally, the case of Costa Rica should serve as a warning not just to individual countries, but to the international community, as cybercrime indeed knows no borders.