Cyble-Cyberattacks-on-Government-Entities

 Small Nations at Higher Risk

Introduction

The second quarter of 2022 witnessed a series of cyberattacks by the Conti ransomware gang against the Costa Rican government, culminating in a nationwide crisis and declaration of national emergency by the recently-elected President, Rodrigo Chaves. Earlier in March 2022, United States President Joe Biden extended the state of national emergency declared in April 2015 till March 31, 2023, to deal with cyber threats to the United States.

Regardless of scale, the level of sophistication and the vigor of these cyberattacks can prove overwhelming for any nation. Cyber Research Labs has witnessed a rise in ransomware attacks this year on both small and large state mechanisms in Western Hemisphere.

A total of 48 government organizations from 21 countries were affected by 13 ransomware gangs from the beginning of this year.

Figure 1 – Ransomware attacks on government entities

Additionally, cybercriminals have scaled up their tactics to home in on smaller nations to subvert government apparatus. Certain Threat Actors (TAs) and ransomware gangs are fundamentally employing methods to target critical infrastructure – something we primarily observed state-sponsored APTs doing until this point. This is particularly true in the case of nations with a relatively large cybersecurity exposure due to inadequate resources and spending.  

Beleaguered Nations

Costa Rica

The notorious ransomware group Conti began targeting the Costa Rican government in April 2022. A similar attack was seen in May 2021, when the gang targeted Ireland’s publicly funded health care system and demanded a ransom of USD20 million. The timing could be a pure coincidence; however, Conti was seemingly trying the same tactics with Costa Rica, but this time on a larger scale, shortly after a change in government in the country.

Conti deployed various methods and tactics to target multiple government entities to force the nation into a state of national emergency, crippling their economy and disrupting the public system to create unrest in the nation. This is quite similar to the standard tactics employed by APTs to malign and derail governments.

Figure 2.1 – Threads on Conti’s darkweb site threatening Costa Rican government
Figure 2.2 – Threads on Conti’s darkweb site threatening Costa Rican government
Figure 2.3 – Threads on Conti’s darkweb site threatening Costa Rican government

Among the twenty-seven Costa Rican government organizations targeted, nine, including the Ministry of Finance and its two portals, Virtual Tax Administration Portal (ATV) – the public tax collection portal, and Information Technology for Customs Control (TIC@) – the portal for trade and customs are the worst affected.

This has caused delays in the disbursement of pensions, salaries, subsidies, and tax collection. The impact on the foreign trade portal has adversely affected the nation’s economy. Moreover, there is 1 TeraByte of Costa Rican taxpayers’ information in the wind, and financially-motivated fraudsters or cybercriminals could misuse this.

Impacted Costa Rican Government Entities

Figure 3 – Costa Rican Government entities impacted by Conti ransomware

Further, during our research on the IoT search engine Shodan, we found several instances belonging to the Costa Rican government enterprises exposed to the web and possibly affected by several vulnerabilities.

We filtered these exposed instances belonging to one of the organizations impacted by the ransomware attack as a demonstration, as shown below.

Figure 4 – Instance identified on Shodan for one of the Costa Rican government domains

The ransomware attacks on Costa Rica, as claimed by Conti, are financially motivated. However, the exasperation from failed negotiations and threat memos to the government reveal the partisan rationale behind the attack. 

Peru

In Latin America, the Brazilian Government’s organizations were the most targeted by Ransomware groups. However, several Peruvian government organizations were also targeted by the Conti, Blackbyte, and Everest ransomware gangs in three separate incidents. This year, the first victim was the Directorate General of Intelligence (DIGIMIN), targeted by the Conti ransomware gang on April 28, 2022, where 9.41 GB of their data was published on May 7, 2022.

Figure 5 – Peruvian Directorate General of Intelligence attacked by Conti ransomware gang

Subsequently, the Citizen Platform (gob.pe), a public query platform for the Peruvian government, was also targeted by the BLACKBYTE ransomware gang on May 23, 2022, and over 10 GB of data was compromised. The ransom demanded is USD145.95 million.

Figure 6 – BLACKBYTES’s darkweb site reflecting ransom demand for Peruvian Citizen Portal

On May 24, 2022, the Everest ransomware gang targeted the Peruvian Ministry of Economy and Finance. The total dataset is 700 GB.

As per Everest’s claims, this dataset contains documents pertaining to budget allocations and forecasts, tender data, internal correspondence of employees, emails, ministerial resolution documents, reports, financial statistics, and other registration documents.

The site also reflects 100 GB of samples for download, and the price quoted is 2 BitCoin (~USD 58,000). A TA also published information about this breach on a cybercrime forum.

Figure 7 – Ministry of Economy and Finance of Peru targeted by Everest ransomware gang

Figure 8 – Thread on a cybercrime forum  advertising breach of Peruvian Ministry of Economy & Finance

According to Lexology GTDT Market Intelligence, Peru’s cybersecurity spending was about 0.07% of its GDP in 2018. In times like these, however, this needs to be proportionally adjusted to secure their online footprint and mitigate their cybersecurity risk.

Despite an existing Cybersecurity and Data Protection Policy, Peru still lacks a robust cybersecurity strategy, according to the Inter-American Development Bank report of 2020, while the current policy enforcement also needs further amelioration.

Cyble Research Labs conducted research over vulnerable instances of the Peruvian government’s cyberinfrastructure and identified 21 instances from 11 ministerial websites with the most exploited CVEs from 2021.  

Figure 9 – Screenshots of vulnerable instances of Peruvian government domains on the Shodan IoT search engine

There are two polarising axes in cybersecurity capabilities in the Western Hemisphere due to diplomatic relations with the global powerhouses, the US, Russia, and China. China has major trade and technology investments in many countries in the region, while Russia traditionally has extensive energy, diplomatic and military ties.

Apart from its strategic and trade presence, the US is enhancing its role in the hemisphere from a technology, cyber capacity-building, and policy standpoint. Despite this, the smaller Latin American nations need more focused internal efforts to bring further maturity to their cybersecurity strategy and enhance their respective cyberinfrastructures.  

Other Notable Incidents In Underground Forums

The threat landscape is also widening due to several TAs active on various cybercrime forums. In one such instance, we observed such an actor selling email archives and data exfiltrated from email servers of the Ministry of Energy & Natural Resources, Federal Court of Malaysia, and the Department of Management Services under the Malaysian Ministry of Personnel & Organizational Development.

Figure 10 – TA selling email dumps impacting Malaysian government entities on a cybercrime forum

Another TA was observed selling unauthorized access, allegedly impacting the National Bank of Angola on April 24, 2022. 

Figure 11 – TA selling access to the National Bank of Angola on a cybercrime forum

Similarly, another TA was observed advertising compromised data consisting of Personally Identifiable Information (PII) of the Civil Service Commission of Republic of Philippines employees on another cybercrime forum. The TA claimed that the employee credentials were stored in plain text on the webserver.

Figure 12 – TA selling PII data of employees of the Civil Service Commission of the Republic of the Philippines  

Conclusion

Typically, cyberattacks on small nations by state-sponsored and renowned APTs are adopted by a few sponsoring nations to impact the socio-politico fabric and gain a political and diplomatic edge when it comes to trade and investment.

Ransomware gangs targeting one-off government establishments for monetary returns are also not a new phenomenon. Regardless, the global cybersecurity fraternity and policymakers must closely monitor ransomware gangs mobilizing their resources to strike at these nation’s foundations.

It is imperative for smaller nations not just to develop and improve their cyber-attack detection capabilities. They also need to have a system in place to foil and respond to them swiftly and effectively. Further, significant investments are required in capacity-building to cultivate skilled manpower, enhance awareness among citizens and narrow the technology gap to minimize their risk footprint.

Several countries still do not have a full-fledged cybersecurity strategy framework to counter large-scale cyber-attacks on their infrastructure or deal with cybercrime. Cybercrime originates beyond borders, and such delinquencies need deeper international cooperation and support from nations with a more robust cybersecurity apparatus.

Scroll to Top