Published by The Lawfare Institute
in Cooperation With
Earlier this week, the United States government announced that, subject to congressional approval, it plans to provide $25 million in assistance to the Costa Rican government, to help strengthen its cybersecurity. This announcement comes as Costa Rica approaches a one-year anniversary of a significant ransomware attack against government systems.
In Costa Rica, the Conti ransomware group demanded a ransom of $10 million in exchange for not publishing data stolen from the country’s Finance Ministry. Cybercriminals stole credentials from the Costa Rica Social Security Fund (CCSS by its Spanish acronym), enabling an attack in late May 2022. For more than two months, the digital services provided by the Finance Ministry and the CCSS were inaccessible.
In the small Pacific nation of Vanuatu, a cybersecurity incident in November 2022 left the island with no access to government emails, websites, and services. The attack affected payments to government employees, citizens were unable to pay taxes, and many services had to be completed with pen and paper.
Developing countries tend to have comparatively lower capacity than major cyber powers to respond to cyber incidents. So what is a developing nation that is facing a significant cyber incident supposed to do? In many cases, they turn to partners with more advanced tools and ask for help. That was the case for Costa Rica and Vanuatu: International assistance was key in facing these incidents and ensuring that systems and networks were restored. In Costa Rica, an existing agreement with Spain was operationalized quickly to provide technical tools in response to ransomware. And Vanuatu’s partnership with Australia proved crucial when the island was forced to rebuild its network.
Cooperation is a key element in any framework to respond to cybersecurity incidents, since it is hard for one single actor to have full visibility into the threat environment. There is no going at it alone. This is true for all governments regardless of their level of technical expertise. Even a major cyber power like the United States is working to improve information sharing and operational collaboration with partners in state and local governments, other countries, and the private sector.
Many frameworks for increased trust and security in cyberspace rely on multistakeholder engagement (bringing in the government, the private sector, civil society, and academia) and highlight the need for international cooperation. The 2021 consensus report from the U.N. Group of Governmental Experts on developments in the field of information and telecommunications in the context of international security argued that cooperation, assistance, and capacity building for information and communications technology (ICT) security “are critical to bridging existing divides within and between States on policy, legal and technical issues relevant to ICT security.”
The cases of Costa Rica and Vanuatu provide a look at the extent to which countries with reduced technical capacity and limited legal frameworks benefit from this cooperation.
Costa Rica and Vanuatu are good examples of nations that have made significant progress in expanding their legal and policy frameworks for cybersecurity in recent years, but they are still considered to be developing in the field. The International Telecommunications Union (ITU) Global Cybersecurity Index places them in the 76th and 152nd places (out of 182), respectively. The benefits of international cooperation and assistance for cybersecurity play a more crucial role in these countries than elsewhere. We offer here an overview of these incidents and their impacts, and explore how significant international assistance was in aiding each victim country to mitigate the effects of the cybersecurity incident.
Ransomware Emergency in Costa Rica
By the time the Costa Rican Ministry of Science, Innovation, Technology and Telecommunications (MICITT, by its Spanish acronym) found out about the ransomware incident on April 17, 2022, the Finance Ministry had been facing it for days. According to the cybersecurity threat intelligence company AdvIntel, the Conti ransomware group—one of the most notorious ransomware groups, believed to be based in Russia—gained initial access to Costa Rica’s systems on April 11. The attack initially targeted the Finance Ministry, encrypting the ministry’s data and forcing the digital tax service and the information technology (IT) system for customs control out of commission. According to Jorge Mora Flores—who was the director for digital governance at the MICITT at the time of the incident—the insufficient regulatory framework around cybersecurity reporting contributed to the incident’s long-lasting effects. Poor communication between agencies meant there was little time to share details of the incident with other government institutions, which made it easier for them to become additional targets.
The institutional response to the incident came when the MICITT and the Costa Rican Computer Security Incident Response Center (CSIRT-CR) found Conti’s post on the dark web claiming to have access to the Finance Ministry. This kick-started efforts to control the effects of the ransomware attack. After informing the impacted ministry, the MICITT reached out to its partners. In the meantime, the government established the High Level Permanent Situation Room, with representatives from the president’s office, the MICITT, finance, communication, and national intelligence and security.
The government then established a technical team tasked with developing the best plan of action to respond to the incident, managing the support received from other countries, agencies, and companies. The MICITT and the CSIRT-CR took the lead in convening this team, based on the authorities outlined in Decree 37052. This team comprised representatives from relevant government agencies, the judiciary, the financial sector, national intelligence and security, and the private sector—represented by the Cybersec Cluster.
A few days later, on April 21, the government signed Directive 133-MP-MICITT, which instructed all entities in the central public administration (and urged those that were part of the decentralized public administration) to abide by the recommendations and technical measures coming from the MICITT, and to report any cybersecurity incidents that “affect the confidentiality, availability and integrity of services available to the public, or the continuity of institutional functions, or the identity theft of the institution on social networks, including those incidents that within the institution are considered under control” to the CSIRT-CR.
A total of 27 government bodies were affected, nine of them severely. The effects ranged from website defacements to exfiltration of data and degrading the functionality of computer systems.
Mora Flores told us in an interview for this piece that cooperation was critical in responding to the ransomware incident. One of the first things the MICITT did after learning of the incident was to reach out to their contacts in Spain, the United States, and Israel for advice and support. These preexisting relationships proved essential.
The bilateral cooperation agreement with Spain was particularly useful: Spanish authorities not only donated 100,000 licenses of a ransomware-thwarting tool, but they also sent a technical team (CCN-CERT) to support the defenders in Costa Rica. Israel—with whom Costa Rica had signed a memorandum of understanding for cooperation in cybersecurity—provided relevant intelligence, increasing the visibility of the attack surface. The United States not only offered its technical support but also offered through the State Department a reward of up to $10 million “for information leading to the identification and/or location of any individual(s) who hold a key leadership position in the Conti ransomware variant transnational organized crime group.” The U.S.’s assistance was critical during an otherwise hectic moment in government, with the swearing in of the new Costa Rican president on May 8.
Additionally, Cisco and Microsoft—the companies that the MICITT had previously developed partnerships with—provided free tools to the government, helping them stop the incident.
By the time President Rodrigo Chaves took office on May 8, government officials thought the situation was finally under control; the ransomware was no longer spreading to other agencies. The new president promptly declared a national emergency in response to the incident, to allow his administration to tap into the emergency funds needed to undertake the necessary response measures.
But that was not the end of it. According to Mora Flores, the transfer of powers between administrations and the lack of continuity with the response teams offered the criminals an opportunity. On May 31, the Hive ransomware group leveraged the credentials previously stolen from the Costa Rica Social Security Fund, forcing the health institution to take its systems offline. Although Hive is tracked as a separate group, several Conti members also belong to the group. There seems to be evidence that the two groups are closely linked, but the extent of that connection is still blurry. By June 3, CCSS had declared an institutional emergency. Local reports claimed that 759 of the 1,500 servers and 10,400 computers had been impacted.
In total—including the national emergency fund and the agencies’ own resources—the Costa Rican government spent more than $24 million in response efforts as of June 2022. The national emergency fund provided around $4 million across government agencies for recovery efforts. The CCSS, which did not use emergency funds, spent around $18 million from its own resources only in the rehabilitation phase. Reports on the economic losses from delayed export-import controls range from $38 million a day to $125 million in a 48-hour time frame. Eight months after the incident, the infrastructure was still not 100 percent restored. And that doesn’t even consider the impact on thousands of individuals.
Lingering Effects in Vanuatu
The incident in Vanuatu was just as severe, causing debilitating effects on a government IT infrastructure. On Nov. 6, 2022, the Vanuatu government’s broadband network was compromised, paralyzing government ministries and departments. The entry point in this case also seems to have been suspicious phishing activity targeting the Ministry of Finance. Online services such as email, network shares, Voice over Internet Protocol (VoIP) services, and other online services offered by the government went down. By some accounts, the systems had been impacted since Oct. 30, but at the time the effects had been attributed to poor weather conditions.
Vanuatu received significant assistance from Australia, which makes sense, given the history of partnerships on cybersecurity between the two countries. At least as of Nov. 14, the Australian Cyber Security Centre was providing assistance, including helping rebuild the government’s IT system. Australian Minister for International Development and the Pacific, and Minister for Defence Industry, Pat Conroy later confirmed that a team of Australian experts had been working on the issue.
Shortly after the attack, Australia and Vanuatu signed a bilateral security agreement that included provisions to advance cybersecurity cooperation. Among the activities they agreed on are “capacity building activities to improve Vanuatu’s capability to prevent, respond to, investigate and, where appropriate, prosecute criminal and transnational crime matters, including in relation to” cybercrime, among others; “enhanced strategic engagement; capacity building activities; legislative and regulatory reform activities; joint operational responses to significant cyber incidents and challenges; information sharing, to the extent permitted by the Parties’ respective national laws, regulations and policies; and any other activity as mutually determined in writing by the Parties.”
The details surrounding the incident in Vanuatu are still shrouded in mystery. According to some accounts, this was the case of another government dealing with the consequences of not paying a ransom. However, there has been no official confirmation about whether this was indeed a ransomware attack or something else. Silence from the government throughout the incident response has prompted calls for increased transparency.
Regardless of the explanations around the incident, the effects were felt by the Vanuatuan population. Although the incident did not affect civilian infrastructure, it did bring down the websites for the “parliament, police and prime minister’s office” and emergency services. The attack delayed payments to government employees, citizens were unable to pay taxes, many services had to be completed with pen and paper, court records were lost, and the government was forced to rebuild its IT network. On Nov. 30, Prime Minister Ishmael Kalsakau confirmed that 70 percent of the servers had been restored. Some of the services that were partially restored by then included “government financial services, Customs and Inland Revenue, Immigration and Passports, the Vanuatu Police Force, Emergency Lines for ambulance, police and fire services, government VoIP, Civil Registry, government emails, government internet connection services; File sharing and the Ministry of Health’s procurement system.”
Although Vanuatu struggled to recover from this cybersecurity incident, reports of crippling effects don’t give enough credit to the resiliency of the people who have to deal with these effects. In a sobering reminder that there are often workarounds to this sort of incident—annoying workarounds, but workarounds regardless—this quote from Olivia Finau, a communications officer in the Ministry of Climate Change, captures the spirit of the response: “It was chaos during the first few days but the entire government made alternative Gmail accounts or used their private emails. We are all using telephones and mobile phones for communication. But we are resilient in Vanuatu as a small country and can manage this.”
In our conversations, Mora Flores identified budget constraints and limited political will as two of the main challenges for improving cybersecurity in developing countries. While efforts to improve security by design continue to gain traction, the overall bar for cybersecurity remains too high for developing countries. And while the struggle is global, some countries have access to more tools and actionable intelligence and are overall better positioned to face the threat than others. This leaves some governments more exposed than others, and cybercriminals are not refraining from targeting them—in fact, Costa Rica’s government suffered another ransomware attack this January.
These incidents are clear examples of how international cooperation can shape a country’s response to cybersecurity incidents. Trained personnel, resources, and software licenses—all of these make a difference. Bilateral agreements in particular played a key role in tapping into the capabilities needed to respond to the attacks. If Costa Rica and Vanuatu had been left to deal with the incident response by themselves, the effects would have been harsher. As the Biden administration thinks through its “policies for determining when it is in the national interest to provide such support”—as outlined in the recent National Cybersecurity Strategy—this consideration should be front and center. The benefits of international cooperation and assistance for cybersecurity are undeniable.