Listen to this story read by the author by clicking the play button above.
On April 17, 2022, Jorge Mora was celebrating Easter Sunday at home with his family when a message came across his phone: An international monitor was warning of a cyber breach at Costa Rica’s finance ministry.
Mora was the country’s top official in charge of digital governance within the Ministry of Technology, but had only three weeks left on the job. A new government had been elected, promising to do away with the old, and not much dialogue was happening between incoming and outgoing administrations. On top of that, all government funds had already been allocated and disbursed. There was no budget left for anything.
“I told my family: ‘Bear with me, I have to go, and I could be busy for a few days,’” Mora recalled. “Little did I know, I would barely see them for the next three weeks.”
Costa Rica had been breached by the Russian hacker group Conti, which was already known to cybersecurity specialists as the largest ransomware collective then in operation, having extracted some $180 million from its targets in 2021. Using compromised credentials, they were able to install malware on one device within the Finance Ministry network, and that was enough to spread the infection. The attacker extracted hundreds of thousands of gigabytes of information about Costa Ricans, publishing a sample on the dark web. They encrypted the ministry’s systems, making it virtually impossible for the government to process payments or collect taxes, and freezing the customs agency. To release their hold on the ministry’s system and not publish the rest of the stolen data, the group was demanding $10 million.
Then-President Carlos Alvarado, just three weeks away from leaving office, refused to pay—and the ransomware onslaught continued. The hackers were vocal, using a blog to push their demands: “The government doesn’t want to admit that they can’t get their data back, and asked for help from the U.S. Well, we are changing our methods, and will start attacking Costa Rica’s large companies. They will have to pay us.” For seven consecutive days, one institution after another had its systems hijacked and shut down. Costa Ricans’ personal information from the tax office were released online, wages for public servants were in jeopardy, pensions that were to be paid that week were unavailable, and customs processes had to go back to paper. Even the meteorology service was impacted. “We were five people on my team, so we took turns sleeping four-hour shifts,” Mora told AQ.
Costa Rica might have been more prepared than many countries. As part of its candidacy to join the OECD, the country had adhered to that organization’s exacting internet policy recommendations back in 2012, though the budget to start implementing defenses only materialized in 2017. Yet the breach of an entire government by a hacking group was unprecedented, a new development experts had not yet seen, or expected. “We were also coming from spending cuts in all areas to balance the budget,” said Mora. Between 2019 and 2021, the country had held two cyberattack exercises with international support. Mora credits those tests as vital when it came to deciding how to respond. The country also had cooperation agreements that translated into fast support from Spain, the U.S. and Israel, as well as from Cisco and Microsoft. The donated systems and loaned personnel filled the hole the government couldn’t dream of addressing by itself with only days left in office.
By the Monday after the attack started, “We were able to start detecting breaches early, and start to contain the damage,” said Mora. But two weeks later, Mora—and everyone else involved in the effort—was out of office, without anyone to pass the baton to. “The only meeting we had with the incoming team was the Friday before inauguration,” said Mora. On Sunday, May 8, Rodrigo Chaves took the sash as president of Costa Rica, and the next day the country became the very first nation to declare a state of emergency due to a cyberattack. Chaves said the country was at war—well, the attacker did threaten to overthrow the government, warning that the country was just a demo attack. For Mora, the decree meant the emergency forces that took charge did so without training or knowledge in cybersecurity. The attacks continued, with Conti doubling the ransom to $20 million and telling Costa Ricans to pressure the government to pay. In June 2022 Costa Rica’s health care system suffered a new attack by another hacker, leading to the cancellation of some 30,000 medical procedures, while tax collection was still impaired and most public employees were back to using pen and paper.
Costa Rica never paid the ransom. Russia’s invasion of Ukraine, which Conti supported, splintered the group, leading to its demise. But as the hacker said in the message, Costa Rica did become a demo—or rather, a lesson for the rest of the region. “The attack on Costa Rica has increased awareness also outside,” said Helmut Reisinger, who oversees Latin America at Palo Alto Networks. And with lack of awareness at the highest levels of leadership as a major vulnerable spot in the region, heeding that lesson may be urgent. “Cybersecurity is a political, cultural and business issue,” said Mora. Not an IT problem.
“Cybersecurity is a political,
cultural and business issue.”
Why do we lag?
Unfortunately, such warnings have yet to gain much traction. Latin America is the least prepared region in the world for cyberattacks, according to the latest edition of the Global Cybersecurity Index, compiled by the UN’s International Telecommunication Union. According to the index and other studies, the region trails even Africa and South Asia when it comes to areas such as building capacity and implementing legal measures that are necessary to bolster defenses. Meanwhile, Latin America is an especially attractive target for hackers and other digital criminals: The region suffered about 12% of global cyberattacks observed by IBM’s X-Force, even though it accounts for just 8% of the world’s population.
The problem results partly from a positive trend: Latin America has digitized at a rapid pace in recent years. The pandemic put on steroids the movement to automation that was already happening in both the public and private sectors. The region has some of the world’s highest rates of smartphone and social media use, and e-commerce, online banking and other sectors are booming. But the clear talent for adopting new technology has outpaced the region’s cyberdefenses, experts say.
“Latin America’s entrepreneurial and innovative spirit does not come with a concern for security,” said Louise Marie Hurel, a fellow at the Royal United Services Institute and founder of the Latin American Cybersecurity Research Network. “It isn’t a political priority and, with few exceptions, the region lacks the necessary cybersecurity infrastructure,” she said.
In 2020, only 12 states in the region had a national cybersecurity strategy, considered a first step to organize a country’s response and defense. Though that number has increased to 20 nations in 2023, implementation is still a challenge. As one cybersecurity analyst put it, “There have been so many PowerPoint presentations, but so little action.” In 2020, only 10 countries in the region had a dedicated government entity to take charge of cybersecurity, while the gap in skilled workers is estimated at 600,000 professionals (and of the existing force, women make up only about a quarter, adding a diversity gap to the already weak scenario). That void has been felt in the escalation of attacks.
Experts estimate that Latin America experiences some 1,600 attacks per second. According to Interpol, the region set a global record in cyberattacks in the first half of 2020, with three times more attacks via mobile browsers than the world average. And while hackers will target virtually anything, the list of recent attacks on governments and public institutions is especially alarming.
The Brazilian court system suffered 13 consecutive attacks between 2020 and 2022, paralyzing services, postponing people’s cases, and risking the destruction of evidence. The Finance Secretary of Rio de Janeiro could not collect any taxes, while citizens in need of documents had to make requests in person after the office was breached in 2022. In Quito, the municipal government had to suspend services to the population in April 2022 to deal with a ransomware attack. The year before, Argentines found all their personal data and documents for sale on the dark web after a hacker infiltrated the country’s registry office, RENAPER, in October. The attacker even published soccer star Lionel Messi’s identity card on Twitter. The previous year, the country’s largest internet provider, Telecom Argentina, had to scramble to bring its systems back in July 2020 after an attacker demanding $7.5 million in ransom infected 18,000 workstations. This was just one of more than 1,500 attacks reported in the country that year, up 60% from the previous year—and the projection is for Argentina to reach a record number of attacks in 2023.
The Peruvian intelligence service was hit by Conti at almost the same time as Costa Rica, with scarce information provided on that breach. High profile attacks on Mexico’s defense ministry, SEDENA, by activist group Guacamaya, leaked thousands of classified documents and private emails, including about the health of Mexico’s president. The hacktivist group also breached military networks and mining companies in Colombia, Guatemala and Chile. Mexican oil company Pemex had its payment systems impacted by a breach in 2019, which the company said was contained in time and denied that any critical infrastructure had been impacted, but questions remain as to what actually happened.
Automate first, protect later
While pinpointing the geographic source of high-profile cyberattacks in Latin America can be difficult, they generally come from all over the world, including Russia and China and, increasingly, from within the region itself. Brazil and Venezuela are routinely cited as two hotbeds of hacker activity. Yet despite the onslaught of attacks from home and abroad, too many decision-makers in both the public and private sector still see cyberspace as a tech issue, something IT teams are taking care of—instead of a structural component that needs to be tackled from C-suites and presidential palaces.
“Government leaders must work with their legislative bodies, involving the private sector and the technical community on appropriating resources to cybersecurity,” said Belisario Contreras, who managed the cybersecurity program at the Organization of American States (OAS) and today is senior director in charge of security and technology strategies at the law firm Venable.
The wake-up call usually happens after systems are down and blackmailing has begun. Matias Dib, co-founder and chief product officer at Hackmetrix, a Chilean cybersecurity startup, says the breach at Banco de Chile in 2018—when $10 million was stolen from the bank—was a catalyst for the country to develop its cybersecurity. Still, Dib says to this day he meets clients who have no concept of cybersecurity. “Most companies come to us after they are breached,” said Adalberto García, a cybersecurity specialist at Control Risks in Colombia. “One client even had the security features included on the technology they had purchased; they just didn’t think of turning those on.”
Knowing more about the threats could help improve awareness. But without any laws requiring victims to report cyberbreaches, companies and institutions often try to stay mum, to protect their reputations. “Some companies prefer to pay the ransom and get it over with, without risking their reputation,” García said. The target may get their systems back—if, as García says, the hacker is “trustworthy,” since there is no guarantee the attacker will honor their word—and avoid a reputational and legal headache.
But if no one knows the kind of attack suffered, no one linked to the original target will be able to protect themselves. “Cyberspace is interconnected like a network of roads, and everyone riding in that digital highway could be impacted,” said Dib. And the code of silence is often useless; hackers themselves go online to boast or shame the company, or just leak the information acquired. “Double or triple extortion is often the case,” said Hurel.
When Colombian conglomerate Empresas Públicas de Medellín (EPM) suffered a ransomware attack in December 2022, the company shared very little information. “EPM said only customer data was impacted, but they were sending water trucks to neighborhoods that had no service, and many areas were in the dark, without energy, for an extended period of time,” said Camilo García, editor of the blog MuchoHacker.lol. Other Colombian targets were attacked almost at the same time as the EPM breach, raising questions about possible coordination among hackers. Health care provider Keralty had its subsidiaries’ systems taken offline, leaving patients and medical personnel alike unable to get or give care, while clients’ personal information was being leaked to the dark web. For Camilo García, because companies have no obligation to report breaches, Colombia has become a sandbox for hackers. “Every hacker group is here, trying all sorts of different attacks, rehearsing for larger targets,” he said.
“That lack of reporting requirements is one of Latin America’s weakest points,” said Dib, of Hackmetrix. “It is up to governments to make reporting necessary.”
During the pandemic, even Brazil’s notoriously paper-loving cartórios, or notaries, developed a video-conference system to validate official documents remotely. But that push to digitize sensitive information represents obvious risks as well. “Latin America has a lot of critical infrastructure, from OPEC members, pipelines, to financial institutions operating at multinational scale,” said Reisinger. The digital expansion is moving faster than the availability of talent to make those systems secure—and that’s not just a problem for Latin America. In a poll by the World Economic Forum, 59% of global companies said they had a skill shortage within their teams to be able to respond to a cybersecurity breach.
Given the shortage of talent, in many Latin American countries the job of shoring up cyberdefenses has fallen to the military. In Brazil, security forces and the military cyberdefense command became the spine of the country’s digital security governance. “Sometimes making it a defense issue is the best way to find the budget allocation for cybersecurity,” Hurel said. Still, Brazil is by far the most attacked country in the region, and is among the top 10 globally, according to data shared by Palo Alto Networks. “Brazilian organizations, as a whole, seem to be less aware and educated about cyber best practices and risks, and what to do in case of an attack,” Reisinger told AQ.
Not all hackers are in it for the money. The activist group Guacamaya that leaked dozens of terabytes of stolen data on a mining project in Guatemala and the Mexican and Chilean militaries, say they are defending nature and fighting oppression, neocolonialism and the extractivist model in the region. Their main goal is to make the information public. “I reached out and they just sent me multiple terabytes, I can barely scratch the surface,” said García, the Colombian blogger. Reisinger says geopolitical events are a major influence on many cyber-actors’ choice of targets, be it state-sponsored actors or hacktivists.
Some hackers seem set on undermining democracy. The digital manipulation of information has been an ongoing challenge for governments and electoral processes, but direct attacks are also a threat. The Brazilian electoral court suffered several attacks during the regional elections of 2020, directed at the vote counting system. The court said the hackers were only able to delay the count, but that was already enough to leave Brazilians, who are used to knowing election results within minutes of polls closing, deeply suspicious of the system.
It can be managed
As overwhelming as the challenges may seem, the good news is that the solutions are fairly clear. “Despite our best efforts, cyberattacks will persist, just as we remain exposed to street crime. The key lies in devising strategies to minimize these risks,” said Contreras. They will involve political will, technology, resources, personnel, and above all awareness that digital systems and cyber networks are public avenues.
Experts agree that a national policy is essential, but after designing and approving a cybersecurity strategy, implementing it can become a challenge. “Moving from strategy to implementation is key,” said Kerry-Ann Barret, manager of the Cybersecurity Program at the OAS. “We encourage a dedicated budget line on national budgets, just like every budget has a line on national defense,” she said.
A clear path for law enforcement to investigate and curb impunity would go a long way to increase protection. “We have the technology, now we need political will to direct resources to law enforcement cyber teams,” said Elvis Secco, Brazil’s Federal Police attaché at the country’s embassy in Mexico. Companies and public institutions alike need to have clear channels of communication with authorities, with reporting requirements to facilitate investigations and prevent the spread of infections. Compliance regulations come in handy to entice people and organizations to act.
Barret also highlighted the need to prepare the region’s diplomats, given the crucial role of multilateral organizations and international fora in addressing the challenge cooperatively. “The threat will almost inevitably increase, but more than alarm, we need an acceptance of reality,” Barret told AQ, “so we stop putting band-aids on and institutionalize the digital skills we need.”
The OAS has been pushing member states to work together, offering training and technical resources. But when it comes to collaboration, one expert said the region faces one more major hurdle: trust, especially between the private sector and governments. For several industries, there is the added challenge of cooperating without colluding in a way that could violate anti-trust laws, but creative solutions are possible. As a favorite early target of cyber criminals, Latin America’s financial industry is seen by analysts as a segment that cooperates effectively to stave off threats. “The banking sector was able to find ways to share security information,” Hurel said.
And all experts heard by AQ agree that the very first line of defense is rather simple: Basic training at every level of any organization, and even households, is critical. According to an IBM study, human error is the main cause of 95% of cyber breaches. “Phishing is the number one reason companies get invaded,” said Control Risks’ García, “and once a person does click on an infected message, institutions seldom provide internal channels for them to report it.” Knowing the risk and raising the alarm can prevent a simple fumble from becoming a major disaster.
Indeed, after the 2022 crisis erupted in Costa Rica, Mora found out that the initial breach at the finance ministry had been spotted two days before he got the message from the international monitor. “They thought they could take care of it internally, that it wasn’t a big deal,” said Mora. Better communication, and a better awareness of the cybersecurity threat Latin America faces, would be an excellent place to start.
Tags: Costa Rica, cybersecurity, Technology