Cyber Incident Victim: Government of Costa Rica

Date: Apr 2022

Location: Costa Rica

Summary

The Costa Rican government suffered a ransomware attack by the Conti group targeting multiple agencies, primarily the Ministry of Finance, during a presidential transition period, with the president characterizing it as an attempt to destabilize the country. The attack disrupted tax and customs platforms, causing estimated daily export losses of $200 million and compromising sensitive taxpayer data, while the government refused a $10 million ransom demand. Response efforts included international assistance from the U.S. and Israel, public warnings about phishing attempts, and new mandates for agencies to report incidents, patch systems, and enhance security protocols to mitigate further risks.

Description

The Costa Rican government experienced a significant ransomware attack in mid-April 2022, with the Conti cybercriminal group publicly claiming responsibility on April 19-20 by listing multiple government agencies as victims on its leak site. President Carlos Alvarado Quesada characterized the incident as a deliberate attempt to destabilize the nation during its political transition period, occurring shortly after the April 4 election of incoming president Rodrigo Chaves. The attack primarily targeted critical financial infrastructure, with the Ministry of Finance's systems sustaining the most severe impact. These systems managed customs operations and contained extensive historical taxpayer information that Finance Minister Elian Villegas described as highly sensitive.

The ransomware encryption caused substantial operational disruptions, particularly to tax and customs platforms that remained offline for at least four consecutive days. This outage created severe bottlenecks in import/export processes, with an exporters' union estimating $200 million in daily trade losses by April 20. Despite these challenges, the government maintained scheduled social assistance programs, including pension deposits and the "Let's Advance" initiative, through manual workarounds. President Quesada publicly refused Conti's $10 million ransom demand in an April 21 video address, framing the incident as a criminal cyberattack against the state rather than an isolated IT disruption. Concurrently, authorities warned citizens about potential phishing campaigns exploiting the crisis.

The administration activated an international response network, receiving technical assistance from private cybersecurity firms and foreign governments including the United States and Israel. In his final executive action before leaving office, Quesada signed a directive mandating all government bodies to report security incidents to Costa Rica's Computer Security Incident Response Center while ordering immediate remediation measures across agencies, including system patching, credential rotation, port lockdowns, and enhanced network monitoring.