Hacked - The Storm
Episode Date: June 1, 2022
The story of the hack that's brought Costa Rica's government to a standstill.
Transcript
So the Costa Rican government got hacked.
Not one department, not one website, pretty much the whole thing.
Shut down by a ransomware attack.
And not that there's ever a great time for an unprecedented cybersecurity breach of a nation's entire government,
but the timing on this one was extra bad.
As it took place right as a new president, Rodrigo Chaves, a former finance minister, was sworn into office.
One of his first measures: signing a law declaring a national emergency,
usually reserved for natural disasters, for this hack.
Usually reserved for the second week in power.
Normally you've got to wait like 10 days before you drop one of these.
Now for this hack that had essentially shut down the government.
To turn it back on, the hackers, a group called Conti,
wanted $10 million for the decryption keys.
But this is different than most ransomware attacks,
not just because it's a government, which Conti and other groups have done before,
and not just because they really truly managed to shut down the government,
which would itself be novel.
This one's different because of why this all happened.
And what Conti did when Costa Rica refused to pay,
which is to suggest that if Costa Rica's government wouldn't pay the fee
to decrypt these files and turn back on the government,
well, the Costa Rican people should just overthrow them.
Staging a coup as a ransomware negotiation strategy:
that is new, and attention-grabbing.
And slowly, it started to become clear that the attention-grabbing
is maybe the point.
More than the money, more than staging a ransomware revolution,
it's starting to look like maybe this is specifically about the attention,
about distracting the world while Conti transformed into something new.
So we called up Leon Weinstock,
the director of the Costa Rica office of the law firm BLP
and a specialist in data and privacy protection law, to talk about the legal and political
fallout of all this.
And importantly, why you would hack a country here on Hacked.
For the Lulz.
When you first bumped into this story, was your sense they did this for the lulz?
Yeah, it was like the first thing, because it was like they were demanding like X million dollars.
They had taken over like a bunch of like serious government services.
And then, like, this was right when it was happening, like day zero, and then they were just like,
yeah, you know what, maybe we want the government out of power. And it just like seemed like
they were like, we got enough money from doing this to other people, like now we want to cause social
revolution, like just because, you know, that's a cool thing to have done in your life.
Yeah, maybe just sort of casually staging a coup is what we feel like doing on Tuesday. So forget the money, let's just
go with the coup.
Exactly. At least that's how it came across initially. It was like, you know, hey, if you don't pay, that's fine. We're just going to get you thrown out of power by, like, destroying the government. And it was like, okay, like, why not?
And I think at first that was sort of intentional, and it's just gotten weirder from there.
So it is difficult at this time to know all the consequences. It is being said that they may last for several months or years.
So my first question for Leon was basically like birds eye view how bad has this been?
Right now all the consequences are not known or have not happened yet, because, for example, in customs
it is getting slower to export or import products. It is being said that the government
will be able to collect less taxes.
Also, there isn't a lot of information on what information is really compromised,
or if the government will be able to restore the information.
There isn't any formal communication right now,
although we have our speculation.
So the hack took place in April, April 12th,
and it basically shut down Costa Rica's systems for collecting taxes,
their systems for paying pensions,
and importantly, as we've been discussing,
a lot of the systems overseeing their exports and imports process and for paying government employees.
To date, the finance and labor ministries still can't access any kind of computer systems.
The timeline here is interesting.
April 12th, Carlos Alvarado Quesada, the former president, was still in power.
And it wasn't until after May 8, when Rodrigo Chaves takes over, that he says,
okay, I'm going to declare this state of emergency.
And this story kind of starts to go public.
Also, there was an emergency declaration in Costa Rica.
We have a law for emergencies that usually has been used for, for example, a natural emergency,
earthquakes, a lot of rain, or the like. This allows the government to refrain from
complying with some formal procedures and to obtain budget
from other purposes or to make faster procedures.
So this was the first emergency declaration for a cyber attack.
One quick clarification.
So the attack had begun under the old president.
And it was kind of like, here's the keys to the car,
sorry about its condition.
And like exit stage left.
Like that's kind of what happened.
Like, oh, by the way, the government's under a crazy information security attack.
It looks like that.
And have fun.
Enjoy.
Wow.
So the Costa Rica hack is a double extortion hack, which we've talked about before,
where they want payment not just to decrypt the encrypted systems,
but then a second payment to not leak the data publicly.
What is true, what we can say right now, is that they have been more than one month
without the information, and they have not been able to restore the information in that system.
It's interesting: since Costa Rica happened in April
and this story went public, Conti, the gang,
has actually gone on to hack another country, Peru,
but that hack is useful in that it reveals what's novel about this one.
In Peru and most other nation-state hacks,
the gang hasn't been able to block access
to those core essential systems for any super long period of time.
They haven't been double extortion schemes.
They're mostly just pay us or will leak this information.
Costa Rica is pretty unique because they've truly shut down access
to government systems for well over a month now.
However, the difference, or the main difference, for example,
between Costa Rica and Peru is that, for example, in Peru,
they were not able to block the systems.
As far as I know, they were only able to obtain information,
and they were requesting a payment to refrain from disclosing the information,
but they have not blocked the systems.
So this is like the main consequence in Costa Rica.
So Peru kept operating kind of as is.
Like they restored from backup and kept moving ahead
dealing with like the crisis on the side of their desk.
Is that kind of the vibe?
Yeah, the damage in Peru.
I haven't read as much about that one,
but what I've read is that it's not nearly as bad
as what's happening in Costa Rica.
The thing that's unique about Costa Rica in a lot of ways
is just how rough this is turning out to be.
So April 12th, Costa Rica gets hacked.
May 8th, the new president takes over and says,
hey, this situation's pretty bad.
We're going to need some kind of legal authority to do something here.
I'm declaring this national emergency.
So I asked Leon, why would you do that?
And as he explained it,
it kind of comes down to the laws surrounding negotiating
with a ransomware hacker as a government.
If your stuff gets hacked,
you can choose to pay or to not pay.
If you're the CEO of a big corporation, you can choose whether or not to write that check.
Whether you should, interesting question, but the choice is still yours.
But if you're a person working in the government, it's legally very difficult to pay that ransom
even if you wanted to.
You can't really spend that much money without a corresponding line item in a budget.
And when that line item is for ransom for decryption keys that we have zero guarantee
you will actually ever get, it gets even more complicated.
Leon, again, a lawyer explained to me that there haven't really been any negotiations with Conti
because negotiating with Conti would be an actual crime.
And to be honest, as far as I know, I don't know if there were some
backdoor negotiations, but as far as I know and I have heard,
there have not been any negotiations with Conti, because also for the government to proceed with
a payment is almost impossible, because the laws here require a budget and you have to proceed
with a formal payment. It's not like you can proceed with a payment to a gang like this or a criminal
organization. So negotiations have not even started, as far as has been publicly known.
Let's assume that you find the budget. You will be receiving an invoice, you will sign an
agreement. How are you sure that you are going to receive the
keys from the payment? All those aspects that usually are being discussed when you are
negotiating with a cyber criminal in a cyber attack, all those aspects, when you are a public
government, are much more difficult to solve. Because at the end, if it's a private company,
if you say, okay, thank you for the information, I assume there is. But for the president to say that,
that may be considered a crime, for the president to authorize this payment.
So no president will sign a payment that may get him into jail.
So since April, the state is somewhere between refusing and incapable of negotiating with Conti,
which is when Conti decides, okay, we're going to ratchet up the pressure in this very public, very attention-grabbing way.
First, they start dropping leaks, this big 672 gigabyte file on the dark web.
But importantly, and this is kind of when we found this story, they make these first
posts. These posts start to threaten to delete the decryption keys, paired with this very
unique threat. The first one goes, we appeal to every resident of Costa Rica to go to your
government and organize rallies so that they would pay us as soon as possible. And if your current
government cannot stabilize the situation, maybe it's worth changing it. And that provocative
idea of if they won't pay us, maybe you overthrow them sparks the first wave of media
coverage. Then it was followed by another post on May 17th where they really drive the point home.
They write, quote, we are determined to overthrow the government by means of a cyber attack.
That gets more coverage. They see it's working. They do another one.
I once again appeal to the residents of Costa Rica to go out on the street and demand payment.
If they won't negotiate with us, overthrow them. But here's what's like pretty interesting about
that. In the weeks following that first May 8th announcement,
Conti starts really upping the pressure.
But even as they're doing that, again, there's no evidence that they're negotiating in any way with the Costa Rican government.
Even as they're making increasingly public calls for the people of Costa Rica to overthrow that government, they're not talking to the government.
So Conti has publicly posted that they've requested $10 million for the decryption keys that would basically turn Costa Rica back on.
And I was curious for Leon's opinion on this, like $10 million in the context of this,
isn't that much money, right?
Well, you imagine just,
imagine paying a bunch of public servants
to do nothing for a month
and then paying them all to catch up
for all the work that wasn't done in that month.
$10 million would be like a steal of a deal
in most countries anyway.
It would be in Costa Rica as well,
which makes you wonder,
is this really about the money?
I'm not sure if this was ever for the money,
because unfortunately the damages for Costa Rica right now have been much higher than 10 million.
So if there was 5, 10, 15, 100, the situation will be the same.
So I'm not sure about what the expectation of this case was, because also the security measures in Costa Rica from the central
government were very, very low, so it was not so difficult an attack for them. But also it is known that
for a government like Costa Rica it would be impossible to pay. So, to be honest, to know the
purposes of the attack is really difficult. Some news has said that it was like a decoy.
So this is like a...
Like a sandbox, almost.
Like they're just trying to bait them into
paying the 10 million so that they're in violation of some law,
and it gets them thrown out of power and put in jail.
Oh, interesting.
Some long, like, con.
A long con.
It's a long con.
It's not that long a con.
But that's an interesting long con.
That brings us pretty well back to Conti.
We're not going to do a deep dive into who Conti is.
That would be its own whole thing.
But what you need to know is that
Conti is something between a strain of ransomware and a ransomware gang that uses this
specific software product they've developed.
They are a very big fish in the world of private Russian cybercrime gangs.
There was some early speculation when this all started that because Costa Rica had aligned
itself with Ukraine that in the context of that war, maybe this was a political gesture,
any friend of our enemies is our enemy type thing.
But it looks like that's probably not it.
In 2021, Conti extorted 100 million bucks from their victims, making them one of the bigger
ransomware gangs in the world.
But it's when they really publicly backed the Russian invasion of Ukraine that things started
to actually kind of get messier for Conti.
At the start of this year, Conti published a post on their website supporting the Russian invasion:
anyone who opposes it opposes Conti, we are on the side of this war.
Which, in retrospect, is kind of a pretty big mistake for Conti,
and would go on to have really huge implications for Costa Rica.
Because a month later, on February 28, in response to this support of the war, someone hacked Conti.
A revenge hacking.
An anonymous Twitter account called ContiLeaks released more than 60,000 chat messages between different members of the gang.
They released their source code for the Conti ransomware, internal documents, their org chart.
All of this gets published publicly.
It was one of the largest leaks of a cybercrime gang ever, accompanying this big leak, three words, glory to Ukraine.
And suddenly, the world has a really, really good look at how Conti was organizing itself, how it worked, and its political and economic goals.
Suddenly, this group that was really good at hanging out in the shadows had a huge spotlight shining on top of it.
And for the first time, we got a great look at how one of these huge gangs really operate.
Conti has an HR department.
It has administrators, it has coders and researchers,
it has best practices and policies for how hackers should access their source code.
It has basically a CEO, this guy code named Stern.
The exact number of membership ebbs and flows over time,
but it's about 100 people,
and they earned about 180 million in revenue last year.
Like a proper organized crime syndicate.
With this very popular product, this ransomware strain that bears their name.
But it starts to become clear over the last few weeks
that announcing their support for the Russian invasion of Ukraine was kind of a miscalculation.
First, it led to them getting hacked, leaked, and exposed.
Then the U.S. placed a $15 million bounty on the kind of top brass of Conti folks like Stern.
And that's all happening right as Russia's seemingly endless support for these groups was starting to get kind of iffy.
We talked about this in the REvil episode.
Russia used to turn a blind eye to the private hacking gangs inside of Russia,
as long as those gangs didn't target Russians.
But following the start of that war,
that sort of implicit immunity hasn't quite been so steadfast.
Russia's proven willing to arrest Russian cybercriminals
if they get too much attention on them,
which Conti had.
And suddenly this big apex predator was starting to look like prey.
Their brand had become toxic.
So when they're most vulnerable,
this infamous international hacking gang
goes off and pulls off this unprecedented shutdown
of a foreign country, Costa Rica.
And they're making just a ton of noise about it,
pushing for these negotiations
that they know won't happen,
earning a ton of press by calling for people
to topple the state if the state doesn't pay
which it can't.
Which Leon again pointed out was never going to work.
I don't think that there was a political dimension to this,
because we are proud, and it's true, that the Costa Rica democratic system is very strong.
To take down a government in Costa Rica has not happened in 80 years, more or less, or more.
We thankfully have a very strong democratic system, so I think that that was a pressure strategy.
Conti has essentially engineered a press spectacle with this ransomware attack,
more than an opportunity to make a profit,
right as they're at their most vulnerable,
which raises the question of why.
And then, 10 days ago,
it's looking like we got an answer to that.
Do tell.
Right after the break.
Think about the last time you heard a breach story on this show.
It always starts the same way.
Someone somewhere saw something too late,
an alert buried, a signal missed,
a SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem
by rebuilding security operations from the ground up
for a world where attackers are already using AI.
They created the Aurora Super Intelligence Platform,
a fully agentic system powered by the swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs,
this swarm is full of deterministic agents
that handle whole entire workflows.
Humans stay in the loop and on the loop
to validate the critical decisions
and keep everything trustworthy,
and all of this is running on
their secure operations graph.
A constantly updating intelligence engine fueled by more than nine trillion telemetry events
every week and over a decade of real world incident response.
The system reasons on real signals and real context not synthetic training data.
And the result is the new Aurora agent SOC.
It's the first SOC that is agent led by design.
You get agents that coordinate, agents that investigate, agents that respond at machine speed,
and hundreds more that automate the repetitive work that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model.
They rebuilt the model entirely.
What makes it even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every AI-driven
decision reflects your environment instead of generic assumptions.
The automation frees your concierge security team to focus on higher value strategy and proactive
risk reductions while the agents handle the grind.
If you want to see what trustworthy production-ready AI
security operations actually looks like, go to arcticwolf.com/hacked.
Never feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turn defenses on their
head.
Organizations around the world saw headlines they never expected and cybersecurity teams were
tested like never before, but here's the thing.
These incidents aren't just news headlines.
they're learning opportunities. And that's why Arctic Wolf is hosting a live webinar on February
5th diving into the most impactful breaches of 2025. Their field CTO and security leaders are going to
unpack not just what happened, but why these attacks succeeded. And most importantly, what
businesses can do to fortify their defenses before it's too late. You're going to walk away with
real insights into how threat actors are evolving, how defenders are responding, and what strategies
can help you stay ahead of the next big breach. It's not fear mongering. It's practical, actionable,
intelligence from experts in the trenches.
Register now at arcticwolf.com/hacked.
What a nightmare for the incoming president.
Oh, can you fucking imagine?
Like you take over and they're like, by the way.
FYI, here's the keys.
Also, the car is infested with malware.
See you.
Enjoy your new, your Toyota.
It's full of bees.
It's just hornets and bees all the way down.
I was like, when you were describing it,
I was like, I feel like if it is illegal to pay these guys and buy them out,
I feel like there's a conspiracy theory deep inside of there.
Being like the outgoing president who didn't want to lose, you know, set the plan for this.
Sure.
And now the new incoming president either has the option of shutting down the government
or being thrown from power for turning the government back on.
It's like what a lovely, what a lovely situation to find yourself in on the first day of office.
Oh, yeah.
And you'll know if, you'll know if the next guy committed a crime if everything works again.
Like you can, you can tell.
Yeah, that's very clever.
So there's a deep-seated, what's it called, in there somewhere, a conspiracy theory in there for the conspiracy theorists round about.
A conspiracy inside of this very good
conspiratorial story.
Exactly.
It's a deeper level.
Yeah, there's a deeper level.
It's like we're three twists deep right now and you're like,
hold up, hold up, hold up.
What about a full level?
Let's go deeper.
So there's the cybersecurity firm called Advanced Intel, and they kind of crack this whole thing
open.
Ten days ago they published a post with some news about Conti.
News about this gang right as they're in the middle of this nation-state scale hack.
The Conti ransomware gang
has shut down.
Their operation is down, their infrastructure is taken offline,
and team leaders are telling people this brand, the Conti, is no more.
The question is like, why would you hack Costa Rica right in the middle of all that?
Because we know it's not about the money because these negotiations are illegal.
And we can be pretty confident it wasn't to topple the government.
So why would you do all this damage if you're just going to shut down anyway?
In an interview with BleepingComputer,
one of the main researchers at Advanced Intel, Yelisey Boguslavskiy, told them his theory,
and I think it's a pretty good one, which is that Conti conducted this very public attack to create
a facade of this really thriving, ambitious operation while all the membership snuck off
to other smaller ransomware operations. Operations without multi-million dollar bounties on their
heads, without giant embarrassing leaks and huge spotlights beaming down on them.
To quote Yelisey, the researcher: the only goal Conti had wanted to meet with this final attack
was to use this platform as a tool of publicity, performing their own death and rebirth
in the most plausible way it could have been conceived.
The agenda to conduct the attack on Costa Rica for the purpose of publicity instead of ransom
was declared internally by the Conti leadership.
The number they wanted was made up, the negotiations
weren't real, the purpose of the hack was a lie.
It was a publicity stunt to distract the world while they ran off.
So where does that leave the players in all this?
First, we've got, you know, Conti.
Boguslavskiy told BleepingComputer that instead of rebranding as another large
ransomware operation, the leadership had instead made partnerships with a bunch of smaller
ransomware gangs who they would sort of transition all their teams to to then keep
conducting attacks.
Smaller ransomware gangs get a bunch of really experienced Conti pen testers, negotiators, and operators.
The Conti group gets a bunch of mobility and a bunch of kind of evasive space to maneuver against law enforcement by splitting into these smaller cells.
They basically shove off this big toxic brand name.
The gangs get new talent.
Everyone in that community wins.
And then there's the other half of this, Costa Rica, who, you know,
unilaterally loses in this situation.
There's no one really for Costa Rica to negotiate with anymore.
Even if the new president's emergency measures gave them some kind of legal authority to do so,
those decryption keys are probably gone, like lost in this chaos,
behind which sits access to the entire government's back end.
Leon pointed out to me that even if they could turn these systems back on,
they're now months out of date and need to be basically rebuilt.
This will have to be rebuilt again because a lot of time has passed. Right now there will be another
monthly declaration at the beginning of June. It is clear that this will continue the same,
and this will be very, very difficult to restore, because as time passes... Let's say that you can recover
information as of April 18.
But right now you have to rebuild one month and a half.
It will be almost two months.
And as time goes, it keeps going.
It may be more difficult to rebuild that information.
We are not talking about two invoices per day.
We're talking about a lot of information.
Well, could you imagine trying to do taxes without the system that manages taxes?
Like, imagine there's like big paper registers being filled out right now to track, because the government still needs revenue.
I'm imagining they've got some emergency like funds coming in from the IMF or something to help deal with this.
But like at the same time, it's like I could even imagine trying to reconcile national taxes back into a data system and expect the data to go in cleanly.
It's a surprise that it even works when it's all functioning,
let alone trying to rebuild it off of whatever they're doing,
spreadsheets or paper registers or however they're,
whatever Band-Aid solution that they've spun up to help deal with it.
So really all you can do is rebuild.
Yeah.
And Leon doesn't think they're likely to get those keys.
He wishes they would, obviously.
But seeing what's happened to Conti,
he doesn't think it's super likely.
Given that we are in the middle of the storm, of Conti's storm,
it will be difficult to estimate what would happen because of written murder.
It's not that they will say, okay, we are separating, okay,
I will give you the keys to re-establish your information. That will not happen.
It's almost like what's the harm now, you know?
Yeah.
If Conti's mostly gone, somebody must
have the keys, you know. They didn't throw them away, you know, like they're sitting on somebody's
thumb drive. Like, you assume selfish greed would take over at some point, and somebody who has
possession of them would just be like, yeah, 10 million, sure, here you go. Like, who doesn't
want 10 million dollars for something that's sitting on their thumb drive? Like, I just assume
greed would solve this problem. We wrapped up by talking about what this is probably going to
mean for Costa Rica moving forward.
This was a publicity stunt for Conti, but it has been the exact opposite for Costa Rica.
They have been identified as a victim of a cyber attack.
They have been identified as being vulnerable in news story after news story as being kind of this first,
a whole nation declaring a national emergency for a cyber attack.
It is a bad look that makes them look like a really good target.
So they have to rebuild.
But now they have to rebuild way stronger than they were before because now they have a
reputation as being vulnerable. So if they don't, this is probably going to happen again.
So this was the first emergency declaration for a cyber attack, or for a non-natural disaster.
And this may give them more flexibility to solve the situation and also to build a stronger
system, because at the end, if we can put in place all the information after this
attack, unfortunately, we have been in the news all over the world, and we are right now being
known as the system that lacks a lot of security measures. So if we re-establish the system,
but we do not improve all the missing points of the security standard that we have, we
for sure may receive another attack. So this is very important.
This is a shot across the bow at, I think, most major governments. Like, the data is inherently vulnerable.
Like, you can implement systems and duplications and hot sites and millions of ways, millions of dollars'
worth of ways, to try and make sure that your data stays good. But, like, you know, tape backups,
classic: put it on a tape, put that tape in a safe, can't get to that. But the, uh,
you know, seeing a nation be crippled so quickly by pretty, like, I don't want to say it's basic malware, but, you know, malware that harasses my auntie.
Yeah.
Similar, similar data systems that harass, like, you know, laymen and their, like, you know, family photos, to, like, shut down a nation and turn off its, like, financial systems.
Like, that's a big deal.
So I think there's probably the CIO and CSO of every major government, or every government, probably read those news articles on day zero and probably went, oh, like, thank God this isn't us.
We've heard about it.
Heard about it happening in the hospitals, police services, intelligence associations and agencies.
You know, it's, I don't know, the more we lean on it, the more vulnerable it
becomes, you know.
Leon's hopeful that they're going to be able to rebuild.
He's hopeful that this kind of an extreme situation is an opportunity to get their,
you know, cyber security house in order, to, you know, sort of transform themselves, like Conti has,
from being a target into being, like, too much trouble to target.
And like you said, it's probably a really good lesson for the rest of the world.
If what this story tells us is that these independent groups have reached a level of like
power and capability where they can kind of just shut down a whole country just for the
publicity of it just to rebrand.
You gotta wonder what they're gonna do the next time one of them gets backed into a corner.
Thanks for listening, everybody, and thank you in particular to Leon for chatting with me for
this episode.
I appreciate your time and your insight, and I hope all is well.
If you like hacked, patreon.com slash hacked podcast, best way to support the show.
Thank you to our new patrons since the last episode, Sylvester, Mark Walsh, welcome to the crew.
It's patreon.com slash hacked podcast.
Thank you for listening.
That is another episode of Hacked in the Bucket.
Catch you again soon.
