Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime
Conti Claims It Has 'Insiders' in Costa Rican Government
Ransomware Group Continues to Demand Ransom Payment From Besieged GovernmentRansomware group Conti, which has been holding to ransom crypto-locked Costa Rican government systems since April, has claimed on its leak site Conti News that it has "insiders" in the country's government, and they are working toward the compromise of "other systems."
See Also: Live Webinar | Active Directory Under Attack: How to Build a Resilient Enterprise
In their latest message, #Conti claims to have insiders in the Costa Rican government and alleges to be working on compromising "other systems."
— BetterCyber (@_bettercyber_) May 17, 2022
"Another attempt to get in touch through other services will be punished by deleting the key"#ransomware #contileaks pic.twitter.com/r7kW8HkAWE
"We have our insiders in your government. I recommend that you responsibly contact UNC1756. We are also working on gaining access to your other systems. You have no other option but to pay us. We know that you have hired a data recovery specialist. Don't try to find workarounds. Another attempt to get in touch through other services will be punished by deleting the key," the threat group's latest message says. UNC1756 is another name for the Conti group.
Newly elected Costa Rican President Rodrigo Chaves Robles on Monday said the attacks against the government are likely originating from both inside and outside the government, concurring with Conti's claims.
Chaves also criticized former President Carlos Alvarado Quesada for not investing in cybersecurity, adding that the impact of the ongoing cyberattacks was broader than previously known. So far, 27 government institutions, including municipalities and state-run utilities, have been affected, he said.
Conti Threatens to Overthrow the Government
In a message on Saturday, Conti threatened to destroy decryption keys for stolen, encrypted Costa Rican files. "We will stop any actions against Costa Rica if you just buy a key," the group said on its leak site. "In a week, we will delete the decryption keys for Costa Rica. I appeal to every resident of Costa Rica, go to your government and organize rallies so that they would pay us as soon as possible."
The same day, in the updated statement shown above, the group said it was determined to "overthrow the government by means of a cyberattack."
While the threat actor had originally demanded a $10 million ransom for the decryption keys, it said the involvement of the U.S. made it increase the demand to $20 million. "Just pay before it's too late," the Conti message says.
Costa Rica Declares Emergency
On May 8, Costa Rican journalist Amelia Rueda tweeted that Robles had declared a national emergency the day he was sworn in as president, due to the onslaught of cyberattacks on the country's critical government infrastructure.
The decree signed by Chaves said that it was "necessary to declare through this Executive Decree, a national emergency due to the state of necessity and urgency caused by the cyberattack that is taking place in the country, which has caused the information systems of different institutions to have been violated."
The unprecedented cyberattack is an invasion of national security, Chaves says, adding that "intense alterations were caused in the normal functioning of the computerized systems of collection, traceability and attention of natural persons and legal taxpayers, generating losses, damages and greater future risks for the assets of the community that are public finances, as well as for the fundamental right to privacy of individuals." This, he says, is why "a state of national emergency is declared throughout the public sector of the Costa Rican State."
At least five Costa Rican government agencies, including the ministries of finance; social security; sciences, innovation, technology and telecommunications; meteorology; and electricity, are known to be targeted by Conti (see: Conti Ransomware Targets Costa Rican Government Entities).
Is an Individual Behind the Costa Rican Attacks?
A message posted on May 8, in the section of the Costa Rican data leak on the Conti News website, offers some insight into the perpetrator. It may just be one person, the post indicates.
"You need to know that no organized team was created for this attack. No government of other countries has finalized this attack. Everything was carried out by me with a successful affiliate. My name is UNC1756," the published message said.
The Conti threat actor says the motive for the attacks on Costa Rica is money. "The purpose of the attack was to earn money. In the future I will definitely carry out attacks of a more serious format with a larger team," the message says.
Conti has also recently targeted several U.S.-based organizations. The U.S. Department of State is offering rewards of up to $10 million for information that leads to the identification or location of anyone who holds a key leadership position in the Conti ransomware variant transnational organized crime group (see: Feds Post $10 Million Reward for Conti Ransomware Actors).
The Department of State is also offering a second reward of up to $5 million for information that leads to the arrest or conviction of anyone in any country who wants to participate or did participate in a Conti variant ransomware incident.
Conti's Latest Known Victim
U.S.-based manufacturing giant Parker Hannifin recently experienced a data security incident for which Conti has claimed responsibility on its leak site. This resulted in a data breach of employee information. Through its investigation, the company says, it determined that "an unauthorized third party gained access to Parker's IT systems between the dates of March 11 and March 14."
The breached information may have included current and former employees' names in combination with one or more of the following: Social Security numbers, dates of birth, addresses, driver's license numbers, U.S. passport numbers, financial account information - bank account and routing numbers, online account usernames and passwords, enrollment information - including health insurance plan member ID numbers, and dates of coverage, the company says.
The company first detailed the attack in an April 5 SEC filing that says: "The company immediately activated incident response protocols, which included shutting down certain systems and commencing an investigation of the incident, which is ongoing. The company also notified and is working with relevant law enforcement authorities, and engaged legal counsel and other third-party incident response and cybersecurity professionals."
Based on its preliminary assessment, the company says the incident did not have a significant financial, material or operational impact.
'Sophisticated' Actor
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, tells Information Security Media Group that Conti allegedly exfiltrated nearly half a terabyte of Parker Hannifin's data in just four days, implying the group is sophisticated. "In fact, the exfiltration likely took less than four days as the threat actor would have to search out and locate the data after gaining initial access. It's unfortunate, but this data can be a gold mine for committing identity theft, as well as to construct compelling further attacks on the victims via social engineering," Clements says.
Mass-scale data theft can be worse than simply encrypting systems because once data has been taken, there is no way to verify that the attackers will actually make good on their word not to release the data publicly or attempt to sell it even if the ransom demand is paid, Clements says.
He recommends that defenders respond by "implementing new protections, such as strictly limiting access to sensitive data to only personnel who require access, encrypting sensitive data at rest such that even a compromised administrator account can't decipher it, and adding monitoring mechanisms to quickly alert and respond to unusual network volume that could indicate a mass data exfiltration attack."