A pair of ransomware attacks targeting the Costa Rican government in April and May crippled computer networks and brought essential services to a standstill, but a prominent U.S. credit ratings firm is saying the episodes actually demonstrate some of the inherent resilience of sovereign governments against such hacks.
The attacks — one carried out by Conti and another by Hive — did result in significant disruption to nearly a quarter of the Costa Rican economy, with impacts on healthcare, international trade and revenue collection. The Conti infection disabled online services offered by the Ministry of Finance, while the Hive attack a month later hit the Ministry of Social Security. Together, they temporarily prevented the government from collecting and verifying tax payments from businesses and individuals or customs fees, which combine to make up more than half of Costa Rican annual revenues.
The computer networks of dozens of other ministries were subsequently infected and a national emergency was declared in May by incoming President Rodrigo Chaves Robles shortly after he was sworn in.
Still, according to Moody’s, a bond credit ratings business that now regularly tracks the economic fallout from cyberattacks, the news headlines and surface damage done to Costa Rican IT infrastructure have overshadowed a more complex picture. Despite the initial disruptions and some lingering issues, the government charged with representing the small nation of five million has actually performed admirably in its response.
“The attacks were a major test of Costa Rica's cybersecurity systems and the institutional capacity to manage an event risk of this nature,” Moody’s analysts wrote in a brief Friday. “Even though the government was unable to prevent the attacks, it adopted ad-hoc solutions that appear to have been effective in confronting the problems that emerged from the cyberattacks.”
To be clear, the company is not claiming the country did not suffer real consequences, and the impact the attacks had on broad swaths of the government and economy is still being felt today.
All in all, the government estimated 27 different ministries were impacted by the attacks, with municipal governments and utilities also affected. Over the past two months, officials adopted a plan to fix and remediate those networks on “a ministry-by-ministry basis.” For example, the Finance Ministry reset its IT network and restored more than 3,000 computers from backups, and although some digital services for customs processing and access to healthcare patient data still remain offline, they have largely fixed the underlying issues affecting revenue collection.
But the Costa Rican government’s overall response — and its ability to continue delivering most vital services in the wake of the massive cyberattack that shut down much of its IT infrastructure — underscores how federal, sovereign governments may be better positioned than other entities to withstand and recover from ransomware attacks.
“The government's ability to continue to operate even without key digital services is aligned with our …assessment of institutions and governance strength, showing that the sovereign has been somewhat resilient to the cyberattacks,” Moody’s wrote. “That said, the country still faces difficulties navigating an environment in which some digital government services have not been fully restored.”
This was also impressive because the attacks happened right after the nation held its presidential election, which brought Robles to power, and analysts have said it is likely the attack was timed to take advantage of the government’s disorganization during the transition between Robles and his predecessor, Carlos Alvarado. After the government reportedly refused to pay the $10 million ransom, Conti operators raised their demands to $20 million and further threatened that their intent was to overthrow the government, claiming they were working with insiders.
While this was perhaps done to instill fear among officials and within the local population, the opposite happened. The public rallied around the government and pushed them not to give in to the group’s demands, something that cleared the way for a robust and unified strategy around remediation.
Not all governments are as resilient. Local governments in the United States have been pummeled by ransomware over the past few years, and the FBI rates them as the second most likely victims of ransomware after schools. The difference might be in the word “sovereign” used by Moody’s, indicating that federal or national governments tend to have both the financial resources and strong national or policy interests in standing up to ransomware groups.
This tracks with the U.S. experience; when asked why federal agencies tend not to report being infected with ransomware, an official from the Cybersecurity and Infrastructure Security Agency told SC Media last year that it was largely because ransomware actors know those agencies “will never pay” and a successful infection would result in heightened scrutiny from law enforcement, the way that groups like DarkSide were pushed underground or forced to rebrand in the wake of the Colonial Pipeline hack.