A ransomware attack by a Russian-speaking hacking group on the government of Costa Rica could be a preview of future attacks on the United States and allied governments, some cybersecurity professionals have warned.
The Conti ransomware group claimed responsibility for cyberattacks on several government agencies in Costa Rica starting in mid-April. On May 8, newly elected President Rodrigo Chaves declared a national emergency due to the cyberattacks.
At the same time, Conti began releasing files from a 672-gigabyte trove of data that it says it stole from Costa Rican agencies. The U.S. State Department has offered a $10 million reward for information leading to the identification of the key leaders of Conti and an additional $5 million for information leading to an arrest or conviction of any hacker participating in a Conti ransomware attack.
In February, as Russia invaded Ukraine, Conti pledged “full support” for the Russian government and threatened to attack any organization that initiated cyberattacks or took any other “war activities” against Russia.
In late February, a pro-Ukrainian hacker began leaking information on Conti, showing an organization with salaried workers, performance reviews, and employees of the month. The leaks, if true, establish a “strikingly bureaucratic organization with a management structure, employees of the month, performance reviews, and hiring processes that pull from Russian headhunting companies as well as the criminal underworld,” said Mike Rogers, the former chairman of the House Intelligence Committee.
Conti appears to have strong ties to the Russian government. “The Kremlin’s security and intelligence services keep a bench of semi-tame hackers for the Kremlin’s use,” said Rogers, the founder of the Mike Rogers Center for Intelligence & Global Affairs. “These are co-opted cybercriminals that work with and for the Russian government in exchange for the Kremlin looking the other way and so long as the groups don’t attack Russian targets.”
While the attack on Costa Rica doesn’t appear to be on behalf of the Russian government, the group’s capabilities could be used against NATO-aligned countries, said Chris Olson, the CEO and founder of The Media Trust, a digital safety provider. Conti had unsuccessfully targeted more than a dozen U.S. organizations, including healthcare providers and first responders, in the months before Russia’s attack on Ukraine, he noted.
“It's clear that the ransomware game has changed,” Olson said. “It's no longer just about stealing money from large corporations. Faced with the prospect of cyberwarfare and weaponized ransomware attacks, organizations in both the public and private sector should be preparing themselves by hardening their defenses and locking down their digital ecosystem.”
Olson told the Washington Examiner that the Russian government could turn to Conti for future attacks on the U.S. or its allies. “In the event that Russia chooses to pursue a more aggressive cyberwarfare strategy in the future, Conti actors may very well be recruited, and patriotic elements in Conti’s leadership could conceivably seize control of its operations,” he added.
Conti stands out as “one of the more sophisticated” ransomware groups, said Karim Hijazi, the CEO of Prevailion, a cyber intelligence company. By some estimates, the group has earned more than $2.5 billion from ransomware, he said.
“That is an immense amount of money and shows tremendous success with their efforts,” he told the Washington Examiner. “This group basically operates at the level of an oligarch, rather than a typical cybercrime gang. They have immense resources, capabilities, and leverage.”
Hijazi suspects that some members of Conti were, in the past, members of Russia’s intelligence services.
“They may even still be working for the state and doing the criminal work as a side business,” he said. “Whether or not Conti is merely a criminal enterprise that probably gives kickbacks to Putin's regime, or it is operating as a proxy on behalf of the Russian state, is the real question.”
Conti has the resources and capabilities to cause “a lot of damage” to the U.S. economy, Hijazi added. It’s unclear, however, whether Conti wants to move from for-profit ransomware attacks to more politically motivated activism, he said.
Conti is “trying to have it both ways” by voicing support for the Russian government while avoiding clashes with the hacker community outside of Russia, which is largely pro-Ukraine, he said.
“They certainly have the technical know-how, tools, and infrastructure in place to carry out a lot of damaging attacks,” he said. “The question is whether or not they want to jeopardize their very profitable criminal enterprise to engage in politically motivated attacks, which won't make them any money and will end up costing them a lot.”