Cyber Incident Victim: RECOPE
Date: Nov 2024
Location: Costa Rica
Summary
A ransomware attack disrupted digital systems at Costa Rica's state oil refinery RECOPE, forcing operations to switch to manual processes while maintaining fuel supply continuity through sufficient inventories. The incident response involved collaboration with national cybersecurity authorities and international experts, with staff manually servicing over 200 fuel trucks and extending terminal hours to mitigate disruptions. This marks the second major cyberattack on Costa Rican government infrastructure in a short period, following a similar compromise at the immigration agency that continues to affect online services, highlighting systemic vulnerabilities in critical public institutions. Technical recovery efforts remain ongoing without a restoration timeline.
Description
On November 27, 2024, Costa Rica’s state oil refinery RECOPE identified a cybersecurity incident that disrupted its digital systems, prompting an immediate shift to manual operations to maintain national fuel distribution. The attack, detected 26 hours prior to RECOPE’s public update that morning, forced staff to process fuel deliveries manually at all terminals, with extended operating hours until 10 p.m. on November 27 to manage demand. During the initial response, RECOPE manually attended to 203 fuel trucks while ensuring routine maritime fuel discharges continued uninterrupted, including shipments of super gasoline, diesel, and aviation fuel received that morning. The institution coordinated closely with Costa Rica’s Ministry of Science, Innovation, Technology, and Telecommunications (MICITT) and the national Computer Security Incident Response Center (CSIRT-CR) to address the breach, emphasizing that fuel inventories remained sufficient to meet demand despite operational constraints. By November 28, RECOPE increased manual processing capacity with additional equipment, aiming to serve more carriers while maintaining direct communication with clients to minimize disruptions.

Investigations by RECOPE and CSIRT-CR identified the incident as a ransomware attack, consistent with the November cyberattack on the General Directorate of Migration (DGME), which had disabled online services but preserved core functions like passport processing. While RECOPE’s digital platforms remained offline, critical fuel supply chains were sustained through manual workflows, avoiding service interruptions to gas stations and commercial users. The attack vector was suspected to involve phishing emails, malicious downloads, or compromised websites, though no specific threat actor or ransom demand was disclosed. U.S. cybersecurity experts arrived in Costa Rica to assist RECOPE and MICITT in damage assessment and recovery efforts, though no restoration timeline was provided. Concurrently, DGME continued operating essential immigration services manually, reflecting broader vulnerabilities in Costa Rica’s public sector infrastructure following prior attacks on entities like the Social Security Fund and Ministry of Finance. RECOPE reiterated that official updates would be issued exclusively through its channels and MICITT, underscoring the incident’s containment to digital systems without compromising physical fuel reserves or distribution capabilities.
