Small Nations at Higher Risk
The second quarter of 2022 saw a series of cyberattacks by the Conti ransomware gang against the Costa Rican government, culminating in a nationwide crisis and a declaration of national emergency by the recently elected President, Rodrigo Chaves. Earlier, in March 2022, United States President Joe Biden extended the national emergency first declared in April 2015 to deal with cyber threats to the United States until March 31, 2023.
Regardless of a nation's size, the sophistication and persistence of these attacks can prove overwhelming. Cyble Research Labs has observed a rise in ransomware attacks this year on both small and large state institutions in the Western Hemisphere.
A total of 48 government organizations from 21 countries were affected by 13 ransomware gangs from the beginning of this year.
Additionally, cybercriminals have scaled up their tactics to home in on smaller nations and subvert the apparatus of government. Certain Threat Actors (TAs) and ransomware gangs are now deliberately targeting critical infrastructure, something we had primarily observed state-sponsored APTs doing until this point. This is particularly true for nations whose cybersecurity exposure is relatively large because of inadequate resources and spending.
The notorious ransomware group Conti began targeting the Costa Rican government in April 2022. A similar attack was seen in May 2021, when the gang targeted Ireland's publicly funded health care system and demanded a ransom of USD 20 million. The timing could be pure coincidence; however, Conti was seemingly trying the same tactics against Costa Rica, this time on a larger scale and shortly after a change of government in the country.
Conti deployed various methods and tactics against multiple government entities to force the nation into a state of national emergency, crippling its economy and disrupting public services to create unrest. This closely resembles the standard tactics APTs employ to discredit and destabilize governments.
Among the twenty-seven Costa Rican government organizations targeted, nine were hit hardest, including the Ministry of Finance and two of its portals: the Virtual Tax Administration Portal (ATV), the public tax collection portal, and Information Technology for Customs Control (TIC@), the portal for trade and customs.
This has caused delays in the disbursement of pensions, salaries, and subsidies, and in tax collection. The impact on the foreign trade portal has adversely affected the nation's economy. Moreover, roughly 1 TB of Costa Rican taxpayers' information is now out of the government's control, and financially motivated fraudsters or other cybercriminals could misuse it.
Impacted Costa Rican Government Entities
Further, during our research on the IoT search engine Shodan, we found several instances belonging to Costa Rican government enterprises exposed to the internet and possibly affected by known vulnerabilities. Note that Shodan infers most of its CVE tags from version strings in service banners, so each tag indicates a likely exposure that still needs to be validated against the actual patch level of the host.
As a demonstration, we filtered these exposed instances down to those belonging to one of the organizations impacted by the ransomware attack, as shown below.
Conti claims the ransomware attacks on Costa Rica are financially motivated. However, the exasperation evident in the failed negotiations and in the threatening messages sent to the government reveals a political rationale behind the attack as well.
In Latin America, Brazilian government organizations were the most targeted by ransomware groups. However, several Peruvian government organizations were also targeted by the Conti, BlackByte, and Everest ransomware gangs in three separate incidents. This year, the first victim was the Directorate General of Intelligence (DIGIMIN), targeted by the Conti ransomware gang on April 28, 2022; 9.41 GB of its data was published on May 7, 2022.
Subsequently, the Citizen Platform (gob.pe), a public query platform of the Peruvian government, was targeted by the BlackByte ransomware gang on May 23, 2022, and over 10 GB of data was compromised. The ransom demanded was USD 145.95 million.
On May 24, 2022, the Everest ransomware gang targeted the Peruvian Ministry of Economy and Finance. The gang claims the stolen dataset totals 700 GB.
According to Everest's claims, this dataset contains documents pertaining to budget allocations and forecasts, tender data, internal correspondence of employees, emails, ministerial resolution documents, reports, financial statistics, and other registration documents.
The leak site also offers 100 GB of samples for download, and the price quoted for the full dataset is 2 Bitcoin (approximately USD 58,000 at the time). A TA also published information about this breach on a cybercrime forum.
According to Lexology GTDT Market Intelligence, Peru's cybersecurity spending was about 0.07% of its GDP in 2018. In times like these, however, spending needs to be scaled up in proportion to the country's growing online footprint to mitigate its cybersecurity risk.
Despite an existing Cybersecurity and Data Protection Policy, Peru still lacks a robust cybersecurity strategy, according to the Inter-American Development Bank report of 2020, and enforcement of the current policy also needs improvement.
Cyble Research Labs researched exposed instances in the Peruvian government's cyberinfrastructure and identified 21 instances across 11 ministerial websites that appear to be affected by the most exploited CVEs of 2021.
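The Shodan-based triage described above for Costa Rica and Peru (exposed government instances, filtered to one organization, cross-referenced against the most exploited CVEs of 2021) can be reproduced offline over host records in the shape Shodan's API returns. The following is an added example and not Cyble's own tooling. The host records, organization names and the CVE watchlist contents are constructed for illustration (RFC 5737 documentation addresses, a handful of CVE ids that appear on CISA's 2021 top routinely exploited list); in practice, substitute the real `org:` filter results and the full published list. It also separates Shodan's "verified" tags from banner-inferred ones, which is the caveat a reviewer of such a scan would want to see.

```python
"""Triage Shodan-style host records for exposure to a CVE watchlist.

Added example; not part of the original article or Cyble's tooling.
SAMPLE_HOSTS is CONSTRUCTED in the shape of Shodan search 'matches'
(ip_str, port, org, product, vulns keyed by CVE id with a 'verified'
flag) using RFC 5737 documentation addresses. The organisation names
and WATCHLIST_2021 contents are illustrative assumptions.
"""
from collections import defaultdict

# Constructed watchlist: a few ids from CISA's 2021 top-exploited CVE list.
# Substitute the full published list for real assessments.
WATCHLIST_2021 = {
    "CVE-2021-44228",  # Log4Shell
    "CVE-2021-26855",  # Microsoft Exchange (ProxyLogon)
    "CVE-2021-34473",  # Microsoft Exchange (ProxyShell)
    "CVE-2021-40539",  # Zoho ManageEngine ADSelfService Plus
    "CVE-2018-13379",  # Fortinet FortiOS SSL VPN path traversal
}

# Constructed sample records (documentation IPs, fictional organisations).
# Live data would come from shodan.Shodan(api_key).search('org:"..."')["matches"].
SAMPLE_HOSTS = [
    {"ip_str": "192.0.2.10", "port": 443, "org": "Ministerio de Ejemplo",
     "product": "Microsoft Exchange",
     "vulns": {"CVE-2021-26855": {"verified": True},
               "CVE-2021-34473": {"verified": False}}},
    {"ip_str": "192.0.2.11", "port": 8080, "org": "Ministerio de Ejemplo",
     "product": "Apache Tomcat",
     "vulns": {"CVE-2020-1938": {"verified": False}}},   # not on watchlist
    {"ip_str": "198.51.100.7", "port": 10443, "org": "Otra Entidad Publica",
     "product": "FortiGate",
     "vulns": {"CVE-2018-13379": {"verified": True}}},
    {"ip_str": "198.51.100.8", "port": 22, "org": "Otra Entidad Publica",
     "product": "OpenSSH", "vulns": {}},
]


def hosts_for_org(hosts, org_fragment):
    """Case-insensitive substring match on the org field.

    Shodan's own org: filter matches the WHOIS organisation string; we
    widen it here because ministries often appear under several variants.
    """
    frag = org_fragment.lower()
    return [h for h in hosts if frag in h.get("org", "").lower()]


def watchlist_hits(host, watchlist):
    """Return {cve_id: verified_flag} for the host's CVEs that are on the watchlist.

    'verified' True means Shodan confirmed the flaw with a check; False
    means the tag was inferred from the banner version and must be validated.
    """
    vulns = host.get("vulns") or {}
    return {cve: bool(meta.get("verified")) for cve, meta in vulns.items()
            if cve in watchlist}


def exposure_report(hosts, watchlist):
    """Aggregate exposure per organisation.

    Returns {org: {"instances": n, "verified": {cves}, "inferred": {cves}}},
    counting only hosts with at least one watchlist hit.
    """
    report = defaultdict(lambda: {"instances": 0, "verified": set(), "inferred": set()})
    for host in hosts:
        hits = watchlist_hits(host, watchlist)
        if not hits:
            continue
        entry = report[host.get("org", "<unknown>")]
        entry["instances"] += 1
        for cve, verified in hits.items():
            (entry["verified"] if verified else entry["inferred"]).add(cve)
    return dict(report)


def format_report(report):
    """Render the report as plain text lines, one organisation per line."""
    lines = []
    for org in sorted(report):
        entry = report[org]
        lines.append(
            f"{org}: {entry['instances']} exposed instance(s); "
            f"verified={sorted(entry['verified'])}; "
            f"banner-inferred={sorted(entry['inferred'])}"
        )
    return lines


if __name__ == "__main__":
    # Demonstration mirroring the article: filter to one organisation, then report.
    subset = hosts_for_org(SAMPLE_HOSTS, "ministerio")
    for line in format_report(exposure_report(subset, WATCHLIST_2021)):
        print(line)
    print("--- all organisations ---")
    for line in format_report(exposure_report(SAMPLE_HOSTS, WATCHLIST_2021)):
        print(line)
```

The distinction between verified and banner-inferred tags matters when reporting numbers like "21 instances across 11 websites": an inferred tag on a back-ported or virtually patched service is a false positive, so figures of this kind should be read as candidate exposure until each host is checked directly.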
Cybersecurity capabilities in the Western Hemisphere are pulled toward two poles by diplomatic relations with the global powers, the US, Russia, and China. China has major trade and technology investments in many countries in the region, while Russia traditionally has extensive energy, diplomatic, and military ties.
Apart from its strategic and trade presence, the US is enhancing its role in the hemisphere from a technology, cyber capacity-building, and policy standpoint. Despite this, the smaller Latin American nations need more focused internal efforts to bring further maturity to their cybersecurity strategy and enhance their respective cyberinfrastructures.
Other Notable Incidents In Underground Forums
The threat landscape is also widening due to several TAs active on various cybercrime forums. In one such instance, we observed such an actor selling email archives and data exfiltrated from email servers of the Ministry of Energy & Natural Resources, Federal Court of Malaysia, and the Department of Management Services under the Malaysian Ministry of Personnel & Organizational Development.
Another TA was observed selling unauthorized access, allegedly impacting the National Bank of Angola on April 24, 2022.
Similarly, another TA was observed advertising compromised data consisting of Personally Identifiable Information (PII) of employees of the Civil Service Commission of the Republic of the Philippines on another cybercrime forum. The TA claimed that the employee credentials were stored in plain text on the web server.
Typically, cyberattacks on small nations by state-sponsored and well-known APTs serve a few sponsoring nations as a way to strain the target's social and political fabric and to gain a political and diplomatic edge in trade and investment.
Ransomware gangs targeting individual government establishments for monetary returns are also not a new phenomenon. Regardless, the global cybersecurity community and policymakers must closely monitor ransomware gangs that mobilize their resources to strike at these nations' foundations.
It is imperative for smaller nations not only to develop and improve their capabilities for detecting cyberattacks, but also to have a system in place to foil and respond to them swiftly and effectively. Further, significant investments are required in capacity-building to cultivate skilled personnel, enhance awareness among citizens, and narrow the technology gap in order to minimize their risk footprint.
Several countries still lack a full-fledged cybersecurity strategy framework to counter large-scale cyberattacks on their infrastructure or to deal with cybercrime. Cybercrime originates across borders, and countering it requires deeper international cooperation and support from nations with a more robust cybersecurity apparatus.