The Hacker Mind Podcast: Conducting Incident Response in Costa Rica Post Conti Ransomware

Robert Vamosi
September 6, 2023
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

How do you conduct an incident response for an entire country? When it’s 27 different life-critical government ministries each with up to 850 individual devices -- that’s uncharted territory. Esteben Jimenez of ATTI Cyber talks about his experience with the reconstruction of the cybersecurity system following Conti, how the country handled a second ransomware attack from the Hive ransomware group, and we'll discuss what yet remains to be done to secure Costa Rica -- and other Latin American countries from future attacks.

[Heads Up: This transcription was autogenerated, so there may be errors.]

VAMOSI: How do you conduct an incident response for an entire country? Even when it’s an organization, there are procedures for how you might approach it. But when it’s 27 different life-critical government ministries each with up to 850 individual devices -- that’s uncharted territory. And that’s what I want to discuss in this episode -- how do you conduct a recovery process while ensuring continuity, while also collecting enough forensic evidence when a country has been attacked .

Okay, so real quick -- before we get too far -- this is actually the second part of a two-part episode.  If you haven’t already, take a moment and go back and listen to the episode just before this, number 78, called Defending Costa Rica From Conti Ransomware. In that episode, I profiled Esteban Jimenez, an incident response leader within Costa Rica.  We discussed his unique background and how over the last 16 years Costa Rica as a nation has stepped up it’s cybersecurity hygiene in general. 

In this episode we’ll look at how that preparation helped Costa Rica handle the Conti ransomware attack which disabled crippling the entire government. 

In this episode, we’ll dive deep into the reconstruction of the cybersecurity system following Conti, how the country handled a second ransomware attack from the Hive ransomware group, and we'll discuss what yet remains to be done to secure Costa Rica -- and other Latin American countries from future attacks. Esteben has a lot of great information yet to share in this episode around this attack, so I hope you’ll stick around.

[music]

Welcome to The Hacker Mind, an original podcast from the makers of Mayhem Security. It’s about challenging our expectations about the people who hack for a living. I’m Robert Vamosi and in this episode I’m discussing the after effects of a Conti Ransomware attack on Costa Rica, a sovereign and democratic nation, how the nascent incident response team kicked into high gear, and what lessons might be learned for other governments faced with similar attacks in the future in other Latin American countries as they too begin to raise their shields in defense of future attacks.

[music]

VAMOSI: As we heard in the previous episode, there's a group of cybersecurity leaders who are working with the various ministries of government within Costa Rica. This group provided the ministries with results of penetration tests in an effort to shore up the country. This was a slow process as many ministries did not always understand the need for such security reports. At least a healthy dialogue had begun. Which brings us to Esteban:

JIMENEZ:  All right. Well, my name is Esteban Jimenez. I am the Chief of Technology of the Costa Rica and cyber defense company ATTI Cyber and I used to be a cybersecurity engineer for the Intel Corporation. I worked for Intel security for about five years. And I also worked with IBM Security prior to that I also worked in other missions with Bank of America. So I've had some good runs with with some of the big players in the industry.

On the morning of April 18 2022, Esteban’s phone rang. The minister from the Ministry of Hacienda was on the line. He said that the country had suffered a ransomware attack that had taken out many servers, and servers across many other ministries as well. Esteben then learned the attack happened a few days prior, yet this was the first either he or anyone he knew had heard of it. So right away, Esteban and his team they were were walking to a chaotic situation, where seemingly nothing productive had happened in the first 48 to 72 hours. How did Esteban approach the situation?

JIMENEZ:  Well, first of all, as a good incident commander, while we had to do it was to order the process. We needed to put some order into the process because the first meeting that I got in it was you know, it was really really strange because there were 68 people connected to the meeting. Nobody was talking. There was only one guy talking and he was telling a lot of things. He was wasting everybody's time with what he was saying. And there was no order. I mean, think about this. They were somehow engaged with their SOC provider for at least five days, you know, the past five days before the day we got in, and for five days, they were not able to structure any response teams. There was no response process whatsoever. Nobody was documenting anything. They were just repeating things without any kind of process in the middle, no methodologies, and they were just trying to catch on with the latest developments. Figure out if there were new alerts, but in the end, what they decided was to shut everything down. They didn't know what to do.

VAMOSI: Okay, so this is not good. The entire country is shut down, and there’s gridlock in the government offices about what to do next. Calling Esteban was a good first step.

JIMENEZ: So we started and in for everyone who has done incident response. They will relate to this. The first thing you need to do is once again put some order in the process. And you have to make sure that the right people are on the call right. You need to lower the noise as you as much as you can. Because you need to make sure that people is completely focused on the recovery, or Amin on some of the stages if you're in containment or if you're in recovery, they need to be focused on that right. 

VAMOSI: Right, so 16 tears ago, Costa Rica decided to invest in itself, and part of that investment was to bring in high tech companies like Dell, Cisco, Amazon, and Microsoft. They had offices and rather large workforces in the country. So why not enlist their support?

JIMENEZ:  But in this case there were so many people, some of the providers, we had people from Cisco because people from Microsoft, people from Dell, but there was no structured right. And we came up with a process that I call threat suppression. So this is going to be a little bit different from what you know ordinary Incident Response methodologies are stated, but people who have worked with incidents in the government or critical infrastructure will understand this. So threat suppression is a way in which you switch a little bit the incident response stages, right? You get detection, you get analysis, containment, eradication, recovery and post incident activity are usually the stages or the four main stages of this, but when you do spread suppression, you have to you have to understand that the infrastructure that is currently being attacked or is under attack at the moment is resulting in financial losses for the whole country and potentially, lives are at risk. 

VAMOSI: This is true. Unlike a corporation, which might only see its profits hurt by going dark, shutting down an entire country on the other hand has life-critical consequences. For that reason, you need to approach the incident response differently. 

JIMENEZ: So it's different when you attend an incident response at a private company. Because you know that yeah, there I mean, there's, there is an incident it's going on, there will probably be some systems affected probably, you know, collaborators will not be able to log into their laptops and things like that. Which is fine. So you can be a little bit more relaxed and you have some more, much more time to take samples and things like that. But when you're facing an incident at the national level, you don't have time. There's no time. You have to focus on defending the infrastructure as much as you can try to you know, maintain the process and your and your order. But you have to put first the security of the people, right, so if you take too long on obtaining samples, or if you prioritize the wrong systems, at any time, this is going to result in a catastrophe, right. 

VAMOSI So in a private company you can collect evidence from systems without necessarily having to worry about continuity. In a country, however, you need continuity right away, and somehow also need to collect the evidence from the attack. That requires structure, that requires sequencing.

JIMENEZ: So threat suppression is a way in which you can go in an organized way. Go through the process of incident response. But it's much more aggressive. Right. So you have to ask yourself as you develop your stages. You have to make sure that standardization is being performed. You have to make sure that the continuity of the operation of a public institution is short at the same time, you'd have to read your communication plan, and you have to have all those pieces together. Right. So it's much more intensive on labor and the teams are where you have to go with the teams where people that it's not a train on incident response, you have to grab people from different institutions. To get your communication flow up and running. You have to be informed like an incident commander, you have to be informed about every single thing that's happening. You need to know if other systems are blowing up. You need to know if the communication planning has rolled out and things like that. So you have to do that. But at the same time, you'd have to be honest with the people because they need to know that for the next three days, four days, five days, one week, there will be a continuous process of engagement, right? People will need to wake up, they will need to take turns going to sleep for two to three hours, go back to work directly at the data center, go with their recovery pieces, and it's a continuous process. So you have to be honest with them until this is something that I did at that moment was listen guys I'm going to be honest with you. This is going to be painful. Everybody's going to be exhausted at the end. But we have a mission. We need to get all the contiguity of this ministry up and running by at least the next three days. We need to start recovering some of the pieces and putting those systems back together from now within the next three days. So it's going to be completely intensive. And that's what we started doing.

VAMOSI: So for three days, 72 hours, the people of Costa Rica had limited if any access to government services. Think about that. You check into the hospital and they have no records, no health insurance. You go to the bank and maybe they can’t verify you.  Or you run a business and you can’t access foreign trade or pay the proper taxes to keep your organization afloat. Then, slowly, access returned once again.

JIMENEZ:  Well at the beginning since we were not aware of the damage or the full impact of this attack. We had to stay quiet. Everywhere everybody was poor, the media was asking what happened? Why were those systems down? And basically for the first 48 hours, which is a threshold that you'll find also in some other disciplines. Like you know, forensics that people in law enforcement do for the first 48 hours. You need to stay calm. Try to assess the damage, right? Organize your teams, and then get a statement out, right? Because if you don't do that, things will get out of control. Right? The more times, especially in a situation like this with a national infrastructure pro per compromised. You have to of course you have to be in control. So communications out during those 48 hours were completely controlled and people were told that there was an attack. Of course we had to be sincere about this because many, many organizations sometimes make the decision of lying about what's happening. What I explained to the minister was that in this era, you cannot lie about this. If If you lie if you say that nothing is happening around the corner, the hacking group will shame the hacking group will put shame on you because they're going to make it public. Right anyway. They're just going to make public everything that's happening. They're gonna put a lot of billboards out about their achievement, and you're gonna be left like a fool to the whole country, right. 

VAMOSI: So being able to communicate what was going on was tricky. You don’t want to panic the country, on the other hand you can’t pretend it’s business as usual. The ransomware operators have the ability to publicly shame organizations that do not negotiate directly with them. Additionally they can publish any data they’ve stolen. So deciding how to go public, from teh government’s perspective, is very important. 

JIMENEZ: So the first communication was, yes, we have assessed damage in our internal systems. Because we're preventing this damage from being too widespread and more current into other institutions. We have decided to shut down the whole infrastructure, and our teams are assessing the damage. So that was first, the first 48 hours after the first 48 hours we had a first number, that first number were around 850 servers who were affected and this is only one ministry, right? We're not taking into account the other 26 institutions, right. So around 850 servers, what we did was form four teams. And these teams had specific missions in which they put up a committee, first of all the crisis committee was which was confirmed by the Minister. There were people of the government also including their law enforcement and some others because they needed to have some good channels of communications with other institutions such as the international community in some other places, right. But then we also had a contention team. So this is one of the first things that we put in place because they needed to make sure that there was no additional activity happening within the infrastructure or the infrastructure net nearby. 

VAMOSI: So remember the ransomware could still be spreading and they had to first contain this spread, while working on continuity, while working on recovery, and while collecting evidence for forensics. 

JIMENEZ: So contention was exactly that. We created what I like to call a contention queue. Okay, so a contention queue. You will, you will see and many of my colleagues have different names for days. But our contention to you is you have to shut down the border of your company's compromised infrastructure, and a youth can be very careful including different sensors to track down and see if there is new activity going on in the network. So you can put some MDR sensors just to stay quiet. Do you know that the border is out so there's no communications out to the internet? And you have to just wait to see if there are any systems trying to talk to other systems in the infrastructure, at least in the compromised zone. And you can also go in and take samples from some of the compromised systems a step at a time and try to narrow down what the root cause was. So we had a team working on that type of contention. And we also had the good assistance of the Microsoft DART team. They came in with some other tools worked on. One of the first things that we've figured out is that the minister, the Ministry had the same conduct as as we've seen before, like, you know, the same thing I tell I told you 16 years ago infrastructure that was over 10 years, outdated, you know, many as much as 50% or probably more other servers. Were not charged with any antivirus. Some others had Symantec, but a really outdated version of Symantec endpoint detection. The same thing was pretty much useless against the county, ransomware just destroyed it completely. They it was so easy to just shut down the Symantec agent and those are the solid first things that we started to realize. 

VAMOSI: Oh, man. So systems with any antivirus protection, Systems with old versions of Symantec. This is almost comical if it wasn’t so serious. 

JIMENEZ: Because of that, the contention team, we took the decision of switching all the endpoint protection agents and replacing them with different flavors of new Microsoft defender 365 licenses. Now charged with EDR processes. And for some of the most important servers, we charged them with new licenses, for example, Sentinel one. So this is also a design that sometimes I put in place on these kinds of operations. And I call it a density design, because you can put one EDR type of agent on let's say, laptop computers and some of the non privileged computers. And this is an agent that is not as aggressive and not as expensive as a major EDR like CrowdStrike or, you know, something like that. And you get to move quickly with these lightweight agents and put it on some of those computers who are not, or do not belong to critical users, but at the same time, you can put a much robust agent on servers and laptops from from the administrators, team, you know from from the people that add infrastructure, or people with privilege access, you will put their agents with a much more aggressive policy right so we started do that remote evade assignment, take agents, cleaning out some of the computers at least to create a new environment and started to build a recovery environment and where we could, you know, take some of these systems and test them so that started run. And so now we had, for example, an MDR inside the premises. So we had StealthWatch. They had a Cisco StealthWatch demo. They had a POC that was not in place at the moment of the attack. They just had it there unplugged so I told him, you know, let's go ahead and turn on the threat watch. So we can have north-south visibility and get some of the new EDR and HDR agents on the computers as we started, you know, bringing them up and seeing what they can find. Right. So the convention was completely focused on not letting anything out of the convention so as you know next, the next team was working on recovery. 

VAMOSI: Remember these are simultaneous tasks- containing the damage and also getting secured systems back up and running quickly. This was quite a coordination feat.

JIMENEZ: Recovery was focused on the actual recovery of the backup server. And because this was the only recovery infrastructure we had, I mean, there were no other backups out there. They started working on the manual recovery of those images. The ransomware completely blew up the backup system, but some of the backups were still useful. But the problem is that we couldn't get into the interface of these backup systems. It was an old system from Dell. So we had to bring Dell SecureWorks to manually reconstruct the interface and get at least some of those images out manually from the index of the backup system. So this team was focused completely on trying to recover some of those images.

VAMOSI: Esteban had to get creative with the recovery. If the backup existed without its schema, he had to look to find evidence of that schema from the past. He had to look to the WayBack machine for help.

JIMENEZ:  And then we got a continuity team, the continuity team was focused on Okay, now that we have some systems in place, we are trying to bring back some of the backups. There are some systems out there like for example, the webpage that we have. This is interesting because they had no backup for the web page. So what I did was to log into the Wayback Machine, you know, there's that portal on the internet and use the Wayback Machine to recover the HD HTML code and provide that to a copy of the Wayback Machine bytecode that was in the clouds. Provide a copy of that to the developers team. So they can start. They could start reconstructing the webpage, the main the main web page because everything was lost. And the Wayback Machine was one of the resources that we had that we utilized to bring the web page back. That's really, really interesting. So continuity was really focused on that. And they had a mission of bringing a list of systems based on a priority scale. For example, the custom system was one of the most important because without customs they needed to create all the invoices manually, people in the country had to go to the bank. And you have to think about this. This image will stay in my mind forever. There Are long lines of people with invoices in their hands, you know, like 20 years before, like they used to do 20 years before and the pope will add the banks because new you know new employees, people of my age or something like that who was never part of how to create their tax statement. manually. They had to go back to old files, all archives in the banks to understand how to create the process of manually putting a tax form for it for a customer because there was no system so the whole country came back or went back 20 years in the past for about a week until we were able to start recovering some of those systems.

[MUSIC}

VAMOSI: One thing we learned about the Conti ransomware group was its organization. For a criminal organization it had all the bells and whistles of a legitimate organization. It had an HR department, it had levels of management, and it even had it’s own customer service. Here’s a voice message that some victims received.

CONTI: i'm calling you from Conti resomware group.  Your company right now in negotiations with our data recovery group.

VAMOSI: Typically, a ransomware victim will have to start at least start negotiations-- even if they don’t intend to pay. In Episode 72, I talked with ransomware negotiator Mark Lance about the process. So you’d think that Costa Rica might engage in negotiation. But in the end, did the country pay anything?  

JIMENEZ:  There was no money but there was a negotiation. And some people will think that you should never negotiate with the hacker. And that's true. That's completely true. I mean, that should be your first response to an attack like this. You should not negotiate with terrorists, right? However, in my experience, there is one exception. And this exception is when there is lives at stake, you know, in some of these ribs know about this, and that's why we have some specialized hacking groups who target critical infrastructure in hospitals, unfortunately, because they know that if you attack the hospital, there is no option than to pay or at least negotiate a payment because every minute that your systems are down, people are is dying. So you are not you cannot prioritize money. Or money loss over the possibility to just pay whatever ransom is being requested to reestablish the services for a humanitarian purpose, right. And this is something that has happened also in the United States, Mexico, when Pemex was also affected by one of the most, you know, highly publicized attacks, a few years back, they had to negotiate, because this is critical infrastructure of the country. And now we are actually talking of continental critical infrastructure which is a concept that has been, you know, foreign, recently after the attack to Ukraine and, you know, the war in Ukraine and all that. Now we're thinking, what is the infrastructure that holds a continent together? Let's say for example, an attack on the Panama channel, for example, right? This is this continent. Critical Infrastructure is not just one country, it is the full continent that will be affected or a huge, vast region of populations that will get affected. So this is what happens and yet there wasn't any negotiation that ranged from one and from $5 million to some $1.5 billion. But to my knowledge, this ransom was never paid.

VAMOSI: So how long did it take to get things almost normal? We were talking about a week here, it's longer than that. Right? Well,

JIMENEZ:  at a state of emergency was declared in the country, right, which is still in place. So if you were to think that the incident has been resolved, the reality is that it's not so many of the systems of the ministry are still out. We recovered most of them in the first three weeks, which was my mission, as an incident commander was to bring this methodology put some order, and make sure that for the first three weeks, as much as the last infrastructure was recovered, and that was my mission in the first three weeks and then I put that in the hands of a project project management team. That are still working on recovering some of those systems. I you know, I can tell you that system from the ministry of public transportation are still missing. I can tell you that systems from the Lakka which is it this is probably interesting for a second interview, because this is the first wave, but there was a second wave of attacks.

VAMOSI: Esteban's talking about the hive attack, which happened at the end of May or was there another attack that I'm not aware of?

US Attentory General Merrick Garland  last night the justice department dismantled an international ransomware Network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world known as The Hive ransomware group this network targeted more than 1500 victims around the world since June of 2021. Hive ransomware Affiliates employed a double extortion model first they infiltrated a victim system and stole sensitive data next the Affiliates deployed malicious software encrypting the victim's system rendering it unusable and finally they demanded a ransom payment in exchange for a system decryption key and a promise not to publish any stolen data

JIMENEZ:  Hive was the second wave Exactly. Conti was the first one then? Well, we have people from the FBI here, trying to get some of the samples and really, really short after the attack in Costa Rica. The county group was completely dissolved, right? That was their final attack, you know, after a really really profiting campaign and in 2021 they got out with millions of dollars in revenue in really, really large attacks on US infrastructure, for example. They ended their exercises with the attack on Costa Rica. Right, and then they degraded and they split out and some of their best hackers integrated and other other affiliates. Hive was using the knowledge of Conte on the vulnerabilities of our institutions and they continued the attack on the second wave. And the second wave blew out the systems of the Ministry of Health, which are still in the in the in the making, or in the in the reconstructing phase and then the sad, the sad part of this is that because he was the health ministry, a lot of files from sick people got lost, ya know, for example, and you have to think that this is in the pandemic, right? This happened during the pandemic. So people who was in left for a transplant was put on hold because there was no systems. So people died, unfortunately and I I have close friends who were affected by this one of them, unfortunately died because she was not able to get the transplant that she needed, because the list was missing. And, and infrastructures of this country are still being restored till today. So we're talking about now over a year, and the incident is still ongoing.

[MUSIC]

VAMOSI: At the time of the Conti attack, Costa Rica was going through a very consequential presidential election. The first round in February 2022, and the second round coincided with the Conti Attack in April 2022. That's when Ridogio Chaves was elected with 52% of the final vote and assumed office on May 8, 2022.

Within a few days of being installed as the new president of Costa Rica, President Chaves declared the Conti ransomware attack on his country as an act of war. The first time a world leader has elevated the criminal attacks to underscore how this attack had briefly crippled his nation. 

Here’s the Evening Standard.

Evening Standard: The new president of costa rica has declared his country is at war with a ransomware group which has been carrying out cyber attacks on the country's government beside the criminal gang known as Conti as disabled agencies across the government since april using ransomware attacks costa rican president rodrigo chavez who began his four-year term just 10 days ago said that conti was receiving help from people within the country and called for support from international allies it's after the ransomware group made a statement that it planned to overthrow the government by means of a cyber attack demanding a government ransom of 20 million dollars.

VAMOSI: Having a cyber component to a potential overthrow of a democratically elected government is perhaps scary to think about. Perhaps this is a new reality for world leaders. 

JIMENEZ:  We have a new president. And interestingly enough, he was the former Minister of FEMA. You know, we've already attacked, he was fired from the previous government. He got fired. There was a lot of, you know, public opinion about this. Could just you know, you would think that he was, you know, really convenient, you know, what happened, you get you get fired of the government and then a few months after you are elected president, you know, from, you know, which was really weird, and there was a lot of you know, conspiracy theories about it. 

VAMOSI: So without getting political, I'm an outsider. I'm just reacting to the fact that the new president then called it a state of war, and declared that the insiders were traitors to his country. He announced this on his fourth day in office.

JIMENEZ:  Which also was a little bizarre, because, you know, he was probably, I mean, we had not released the confidential report at that time. Minister of the moment, was actually the antagonist of the new president. Because he was the person who picked them out. Right. So to my knowledge, there was no information, at least not official information out stating that there was somebody in the country working with the conduct group. This was all been managed in, you know, small group of people. And to know that they, the president openly stated that there were traitors in the country was a little bit of a shock for a lot of people, you know, because I don't think he was aware of the details on the recovery operation at that time, probably later. They briefed him about it, but not at that time. So yeah, it was it was a little bit of a shock. It was also some, you know, it was a little bit disrespectful for many of the people who weren't in the process, because many of them got they didn't receive any payments. We didn't receive any payments, you know, for assisting to government. People who was you know, they didn't slip for three, four weeks, one month, you know, so it was a little bit disrespectful in my, you know, if I would have been the president at that time, instead of looking for Insider, or traders in the country, I would have just congratulated the people who assisted and gave third time and gave their their family time to bring the systems back, but it turned out to be a really, really inappropriate to my, to my understanding, and that really inappropriate. The statement what he said.

VAMOSI: And then there are the facts which would suggest deep inside knowledge of the Costa Rica government. 

JIMENEZ:  What I can say, from my experience in the ground, you know, with my boots on the ground, is that I can I could say that there was some assistance, you know, this route received assistance from somebody who was aware of our local environment, from our local culture, from how people in the government of Costa Rica deals with holidays. They knew what infrastructure to attack first out of, you know, 1000s of servers, they got to hit the three most important ones in the ministry. So to me, there was assistance, you know, and this I could, I could, you know, completely say there was a report about this and all that. There was assistance to my knowledge and if you know, groups like comfy you know, that they recruit, right, so you get to recruit people that work in some of these affected institutions or, or companies or things like that company will pay them a little bit of money to receive intelligence Right. Or you can also be one of these people who got out and was not really happy with your previous employer. And you got somebody with Bitcoin, you know, a couple of millions in Bitcoin, and you can just rent services from the county. We definitely know that there was an affiliate in Costa Rica. That was really close to bump because we saw Conte, my company which has been dealing with this attack with this infection since 2021, here in Costa Rica, so we know that there was an operator here somewhere, right. So you know, you would think that this means that there was not only potential resistance, we know that there was an affiliate operating somewhere in Costa Rica or close to Costa Rica. And we know that some of these types of attacks are usually something that are really useful for initial trainees of the country group, because this will mean that they can go up in the ranks, if you will get a challenge like this. And yeah, I mean, you could receive a payment from somebody to rent your services. Well, what they're going to do is, well, we have this group of people in our affiliate, they're trying to rank up. Let's put this mission to them and see how they do right. We know that there was some escalations within the Contact Group after this. And we know that some of these actors later founded some other hacking groups because of the let's say, the throat, the trophy that they you know, that they brought back home. They were winners in the eyes of conflict, right and the green so we know that yeah, there was a lot of things and in assistance, local assistance, plus potentially an operator in the country.

VAMOSI: So without getting political, I'm an outsider. I'm just reacting to the fact that the new president then called it a state of war, and declared that the insiders were traitors to his country. He announced this on his fourth day in office.

JIMENEZ:  Which also was a little bizarre, because, you know, he was probably, I mean, we had not released the confidential report at that time. Minister of the moment, was actually the antagonist of the new president. Because he was the person who picked them out. Right. So to my knowledge, there was no information, at least not official information out stating that there was somebody in the country working with the conduct group. This was all been managed in, you know, small group of people. And to know that they, the president openly stated that there were traitors in the country was a little bit of a shock for a lot of people, you know, because I don't think he was aware of the details on the recovery operation at that time, probably later. They briefed him about it, but not at that time. So yeah, it was it was a little bit of a shock. It was also some, you know, it was a little bit disrespectful for many of the people who weren't in the process, because many of them got they didn't receive any payments. We didn't receive any payments, you know, for assisting to government. People who was you know, they didn't slip for three, four weeks, one month, you know, so it was a little bit disrespectful in my, you know, if I would have been the president at that time, instead of looking for Insider, or traders in the country, I would have just congratulated the people who assisted and gave third time and gave their their family time to bring the systems back, but it turned out to be a really, really inappropriate to my, to my understanding, and that really inappropriate. The statement what he said.

VAMOSI: I guess where I'm going with that is, have there been investigations and have there been individuals identified or not?

JIMENEZ:  The regulator in Costa Rica is a public institution, but that is called the Contra Lauria. This is the institution who has been much more in the investigation of what happened. And they have released two reports right now. One, criticizing the effectiveness of the public apparatus to understand in the first place what was happening second, to act swiftly when the first alerts were provided. And then the communication was not effective, because the problem was that at the beginning, the first three weeks, we came in with a really technical team, people with a lot of knowledge, as I'm saying, We got in with establishing a process. We got assistance from secure queries. We got assistance from Microsoft, Cisco. There was a lot of people but after the declaration of emergency it turns out that the technical process in the specialized process got replaced with a political process. So everything we were worried that we worked on, and the methodologies and the order that we set in place suddenly vanished. Everybody was sent out to back home, and the thing was completely pelletized from that point of view, so the regulator has criticized that. Now we also have some numbers that state that over $3 billion in losses have been prolly structured just from the attack to the Ministry of Health without adding the 26 other institutions. So the problem on the finance is huge. We won't even we don't even know if at some point we will be able to understand what was the complete impact of this attack? We don't know. Right? And we don't know the extent of it. So all we have is a report from the regulator that summarizes some of the events that happened and the payments that were made by some of this institutions to receive assistance or emergency funds from international institutions or organizations and local organizations, but nothing outside. Brawley actually, I don't know what happened with all the computers and systems that we preserve, to be passed through the forensic stage the post activity or you know, the post incident face. We we save a lot of systems so we pass on to the forensics team. We haven't reported on that. So we don't know exactly what the findings were.

[MUSIC}

VAMOSI: Given what happened in Costa Rica I am wondering if Esteban or others have reieved requests from their neighbor to the north or the neighbor to the south and others in Latin America for help in shoring up their government systems.

JIMENEZ:  Well, we have a hostile neighbor in the north right now. Nicaragua has shown its non participation or non collaboration status for a while now. And we receive assistance requests for you know, offers from Israel, Spain, who was one of the most active collaborators, Caesar, you know, from Spain, and we received from the United States, Korea, of course, and some of them actually participated. But way after, you know, like right now, the the government of the United States at the moment of the incident, we only receive a few visits from the FBI and things like that. But it was not until recently that the United States has approved a fund through USAID to provide Costa Rica with around $25 million to strengthen their security capabilities. And I think this is really, really accurate and really good because you need to think that in the context where we are right now located, you know, a war that's been actively affecting everyone. conflict with China in the United States and a lot of you know, countries like this. You have to think that Costa Rica is also a country that sits on a strategic position, because we are right next to the Panama canal. Right. So this has been a debate for many, many years. And I actually did an article with a couple of articles with a sales command. of the US Army. They have a magazine. So we put some of these points out in that article, where the necessity of of assisting some of our infrastructures in Latin America is growing rapidly as you leave our infrastructures in the shadows, what you're making is you're nesting some really awful things, especially because some of the Latin American countries are following trends from you know, countries who are have political stances. We're not, you know, are a little bit you know, they tend to establish their opinion on political opinions who are not what democracy is looking for. Right? Right. So and this is happening in Latin America, so we are not alone. Costa Rica has the most important tako matrix in the region. We sit next to the Panama canal. We're one of the most important providers of service to the rest of the other countries because in Costa Rica we have not only been some of the most important tech companies, but also hosting systems hosting providers, data centers are some of the most important ones in the region. So there has to be a change and some of our allies' international allies have realized about that. And well, one of them is the United States with now this effort of providing us with this capital that is most likely going to be used to feel that the new National Cybersecurity law and the creation of the National Cybersecurity agents

VAMOSI: I am wondering if a country like Panama might look to Costa Rica and say, oh, we need something like what they have in Costa Rica. Can you help us set one up in Panama?

JIMENEZ:  We have received some Yeah, yeah. I mean, it's been a little bit difficult because you will think that collaboration between the countries in this region is really intensive, like we talk a lot, but that's not true. So there is a culture or a lot of cultural differences in our countries and political differences. So it's not immediate, I would think that some of these countries would have acted much quickly because they are probably in a worse position than us who have invested since 2000. In a lot of technical and technical capabilities. They are in a much worse position but yeah, there is a collaboration going through the National Cybersecurity cluster with some of the clusters in other countries, but not, you know, at least not publicly, a lot of effort to send some of this knowledge down to our neighbors. I don't think they're really interested. And I don't think during the maturity level in which they perceive this as something that they need at this moment, you know, which is a mistake. They really need to learn about what happened, because they could be the next

VAMOSI: Esteban has had a moment to come up for air and think about his experiences. It's not every day that your country asks you to step up and help secure it from online foreign adversaries.

JIMENEZ:  Well, so at this time, I would say that the incident that I attended back in April, was probably the most important one in my career so far, because I got to not also work a national great incident, you know, national level is incident, but I also got to be a part of the Declaration of which I'm not, no, I'm not completely proud about this, but it really sets a mark in the history of the first country that declared a National Cyber emergency. You know, we unfortunately were the first ones. But this is something that the whole world needs to see. We learn from the invasion of Ukraine that attacks on digital infrastructure are now part of the healthy manual of war. We know that this is probably going to stay. It's going to be that the usage of cyber weapons is probably going to be the norm moving forward to tear enemies or, you know, do intelligence gathering before the attack of a country. We know that cyber war has entered a new stage. So what happened in Costa Rica is something that needs to be studied, needs to be understood. We need to understand a lot more about how this happened. How 27 institutions have a country, which is a free country and a democratic country, got affected like this. Prior to this, I think Estonia was one of the examples that everybody was using to, you know, put an example on attacks on critical infrastructure. But Estonia at that time, was not online. Their systems were not online and they were not completely digital. Everything was, you know, it was a closed network. After that they opened up, but we were attacked completely through the internet. So, this means that they tried this on us and it worked. And the fact that it worked means that it will continue happening to others, you know, so we need to learn about this. We need to share this story. People need to know what happened here. And we need to put up new mechanisms to Stretton at a national level. Not only private companies, not only public companies working isolated. This is attached to national versus national degree attacks, right national great attacks, and it's a completely different animal. The consequences of a national attack have a huge impact on every single citizen in the country. It impacts lives. There are people who dies after this. So we should never take this for granted. You know it's not a minor thing. It's it's, it's a huge loss.

Share this post

How about some Mayhem in your inbox?

Subscribe to our monthly newsletter for expert insights and news on DevSecOps topics, plus Mayhem tips and tutorials.

By subscribing, you're agreeing to our website terms and privacy policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Add Mayhem to Your DevSecOps for Free.

Get a full-featured 30 day free trial.

Complete API Security in 5 Minutes

Get started with Mayhem today for fast, comprehensive, API security. 

Get Mayhem

Maximize Code Coverage in Minutes

Mayhem is an award-winning AI that autonomously finds new exploitable bugs and improves your test suites.

Get Mayhem