
Costa Rica’s ministry of treasury hit by Conti Ransomware

sGerli

Summary

The digital systems of Costa Rica’s ministry of treasury “Ministerio de Hacienda” were hit on Monday by the Conti Ransomware. This took down all of the country’s tax reporting and payment systems on tax pay day. The hackers claim to have obtained 1 TB of data that might include financial data from all organizations that operate in the country.

The country’s tax systems were digitalized and centralized a few years ago, so this data could include digital receipts for all reported transactions, and identifiable info from the parties involved in them, contact info, addresses and tax reports from all taxpayers.

After denying the attack all day, the Minister admitted the attack during a live interview with the local TV news channel Noticias Repretel at the end of the day. He confirmed that currently all systems are down and the ministry of treasury is assessing the situation and working on getting the systems back up.

 

Quotes

Translated from Spanish:

The treasury platforms ATV and TICa from the Ministry of Treasury (Ministerio de Hacienda) are currently out of service, as has been confirmed by the ministry.

Early today information published by the Twitter account Better Cyber alerted that the ministry’s digital platforms had been attacked by a type of ransomware named Conti.

 

My thoughts

Cyber security and tech in general have always been an afterthought for government entities (especially here in CR).

The info that could be leaked from this attack is really sensitive as it could even include individual receipts. And during the live interview referenced in the summary, the Minister said that he doesn’t think of this as a real issue because he doesn’t consider any of this information as sensitive.

 

Sources

News articles (in Spanish, sadly I couldn’t find one in English yet) https://www.crhoy.com/economia/presunto-hackeo-en-hacienda-plataformas-de-atv-y-tica-fuera-de-servicio/

(Interview) https://www.repretel.com/noticia/ministro-de-hacienda-advierte-que-no-pagaran-a-hackers/

 

News article in English: https://ticotimes.net/2022/04/19/costa-ricas-ministry-of-finance-website-was-hacked

Edited by sGerli
Added news article in English

A few updates as the situation has evolved:

  • The Ministry of Science and Technology Micitt was also affected by the attack, and the hackers left a message on the website. After it was discovered, the site was taken down.

  • In a related attack, the Twitter account of CR's Social Security entity CCSS was compromised and started tweeting about a bitcoin giveaway. Since then the community managers have regained access to the account and have deleted the posts.

 


Tuesday's updates:

  • The government has shut down the system in charge of paying public employees and all pensions (that were supposed to be paid tomorrow). They said that those would be paid once the systems are back up.
  • The hackers claim that the government doesn’t have backups other than the ones they encrypted (which in my opinion could be possible). And they have started leaking data from the attack.
  • The attacks have continued targeting governmental entities; the latest targets are the meteorological institute and RACSA, a telecom and server infrastructure provider. Hackers claim to have access to RACSA’s email service (which is used by many people and small businesses in the country).
  • The hackers claim to have access to many other government entities and even some private companies, and they said that they’ll continue the attack until the government pays the ransom. They have categorized the attack as a beta version of a global attack.

 


If they have financial data from all companies in the country would that include Intel?

Has Intel said anything?


1 hour ago, CyanMan said:

If they have financial data from all companies in the country would that include Intel?

Has Intel said anything?

Yes, they probably do have information that Intel has reported to them from all their imports and transactions. Apart from that, this is probably impacting Intel’s operations (imports and exports) to some degree, as customs has been closed for a few days as one of the systems that was attacked is the one that’s used for that.

 

I don’t think Intel has posted any statement and I don’t think they will unless they get involved in helping fix this whole situation. Or it escalates to a point where it really affects their whole business.

 

In other news, the CCSS (social security) HR portal has been confirmed as compromised. And the US, Spain, and Israel governments just got involved in the situation to help where possible.


Wednesday's update:

  • More government institutions have been compromised, now also the Ministry of Labor and Social Security (MTSS) and the Social Development Fund and Family Allowances (FODESAF).
  • It looks like most if not all of these government institutions had their servers in a datacenter run by RACSA that didn't have proper networking isolation between servers, which helped the ransomware to spread easily.
  • After the hackers offered a discount on their ransom, the president published a statement saying that they won't pay the hackers anything.
  • The hackers have started publishing large collections of sensitive data at an increasing pace.

  • 3 weeks later...

I have a few updates now that some weeks have passed since the incident:

  • A few local governments were compromised (Garabito, Alajuela)
  • The Ministry of Treasury hasn't been able to restore any of their critical services and has launched a completely new website, which is giving some weight to reports that said that they allegedly didn't have any backups of their data.
  • Those critical services have been restored using the old ways (paper and banks).
  • On Sunday the new president, as one of his first official acts, declared the country in a state of emergency due to the cyberattacks.

News articles:
