Cyber Incident Victim: Ministerio de Hacienda
Date: Apr 2022
Location: Costa Rica
Summary
A Costa Rican government ministry was targeted by the Conti ransomware group, which demanded $10 million in exchange for stolen taxpayer data. The hackers claimed possession of one terabyte of sensitive information, including income and sales tax records, after compromising critical platforms used for import/export operations and tax filings. The incident disrupted fiscal operations, prompting authorities to extend tax payment deadlines and activate contingency measures while neither confirming nor denying the breach publicly.
Description
On or around April 18, 2022, the Russian-origin hacker group Conti launched a ransomware attack targeting Costa Rica’s Ministry of Finance (Ministerio de Hacienda), compromising critical tax administration systems. The attackers demanded a $10 million ransom to prevent public release of stolen taxpayer data, claiming possession of approximately one terabyte of sensitive information. Conti publicly issued this ultimatum through a social media post reproduced by the Twitter account BetterCyber, which stated, "We ask only 10m USD for keeping your taxpayers' data." The ransomware attack restricted access to the ministry’s systems by encrypting files, a hallmark tactic requiring payment for decryption keys. Specific platforms affected included TIC@, a digital service platform for national importers and exporters, and ATV, the primary system for taxpayers to submit income, sales, and other fiscal declarations. These disruptions impeded routine tax operations and customs-related transactions, though the full technical scope of compromised infrastructure remained unconfirmed by authorities.

The Costa Rican government neither officially confirmed nor denied the breach but implemented operational countermeasures to mitigate immediate impacts. Authorities extended tax payment deadlines for obligations originally due on April 18, granting relief to affected taxpayers unable to access digital services. Customs agencies activated contingency plans to maintain functionality despite technical disruptions, though specific procedural adjustments were not detailed publicly. Conti’s data theft claim—involving taxpayer information—raised concerns about potential identity fraud or financial exploitation risks, though no evidence of data leakage emerged during the initial reporting period. The incident underscored systemic vulnerabilities in critical revenue collection infrastructure while highlighting the government’s focus on maintaining fiscal operations through administrative adaptations rather than engaging with ransom demands. Response efforts prioritized continuity of essential services over public disclosure of technical details regarding the attack’s origin or remediation progress.
