BLUF – In the shadow of Ukraine/Russia, a greater threat to our digital world unfolds in Costa Rica. Looking at prior shifts in the cyber threat landscape helps clearly define the current pebble and why the avalanche it creates will cause greater issues to the global ecosystem.
In cyber we traditionally had a triad of bad actors: nation-states, criminals, and hacktivists. They were fairly easy to discern. Nation-state actors were usually an extension of espionage organisations or concerned with advancing national interests (how else do we describe MPS, really). Criminals were the digital equivalent of their physical counterparts. Hacktivists were protestors with a larger potential voice, and the capacity to conduct activities which might get people to take notice where they otherwise were ignored. Each of these categories had different variations within them, but very little crossed between them. The triad was a foundational piece of the threat landscape.
Two of the main tiers – nation-state and criminal – were turned on their head. I’ll not go into the details of the attacks, but the resulting shift was massive. In WannaCry, we had (allegedly) nation-states openly conducting criminal activities in cyber. No longer small, digital one-off pilferings against local gambling halls, it was a country using ransomware to essentially bolster their GDP from international takings. Response options were irrelevant. What were we going to do? Sanction them further? Even if we could arrest the actors behind it, the impact was limited as this was (again, allegedly) part of a government program which ran very deep. For developing or otherwise underserved countries, it gave a new potential avenue of power – delivered as only North Korea could have.
NotPetya was a different animal entirely. Here we had an extension of the Russia/Ukraine conflict (Crimea and BlackEnergy as some of the precursors) with a new twist: Russia masked their nation-state activities (mucking about with Ukraine) as criminal ones. This posed a challenge for attribution until researchers realised there was no reversion after the ransom was paid. The delays in attribution meant the responses were delayed until well after the incident was sorted, meaning an offensive action could be completed well before defences were mounted, much less a counter considered. NATO wouldn’t even know to be involved, as it seemed like a law enforcement issue (NATO wouldn’t have been involved anyway). So nation-states considering offensive actions found cyber to shine in a new light, as they could go far further in digital spaces with limited repercussion. It went horribly awry, as self-propagating worms tend to do, and is very much a reason why Russia’s cyber attacks in the current conflict are regionally constrained.
Both WannaCry and NotPetya changed the threat landscape, but were short lived. Hence there were limited adjustments to public and private sector strategies to accommodate the shift. Many have already forgotten they happened; some likely didn’t know they ever did. Less tsunami, more tide.
We have a new change underway right now, longer term yet largely unrecognised: Costa Rica versus Conti (or its current offshoot derivation), which may have larger effects than WannaCry and NotPetya combined.
From mid-April to the present, Costa Rica has been in conflict with cyber criminal organisations. Originally Conti (prior to its disbanding into smaller groups), now potentially Hive, the ransomware initially hit the treasury, causing concerns from a customs and tax perspective. Since then nearly thirty other government agencies have been compromised, most recently the public health record database.
Why is this any different? After all, we’ve seen government agencies hit with ransomware before.
The difference is in the criminal objectives and pressure. Conti doubled the ransom demands and looked for the citizens of Costa Rica to pressure their government to pay, stating: “we are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power.”
Sound familiar? No – as we’ve not seen this before.
Hacktivists perhaps made those kinds of statements, but a criminal organisation? Most go the opposite route, saying they are only in this for the money and it’s not personal or political. This social distancing commonly limits the ferocity of law enforcement pursuit, so throwing down the gauntlet reflects how secure the organisation believes itself to be relative to the threat it poses. Namely, Conti believed it was secure against repercussion from domestic and international responses to its demands and presented a tangible threat to Costa Rica’s government.
Fighting sophisticated cybercrime organisations is boxing against smoke: your hits don’t land, but you breathe theirs in. The crux is in the unbalanced nature of the landscape: we’ve not seen a criminal organisation openly undermine the legitimacy of a government, despite criminal operations calling government actions into question. If law enforcement efforts were successful, Conti (and now Hive) wouldn’t be around to push against Costa Rica. Costa Rica can’t defend its government against these attacks the way Ukraine can: it’s not another country attacking, and the attacks aren’t physical. It’s not a matter for the military, and there are limits to the international support anyone can offer. Larger countries might be able to withstand this sort of assault, but smaller or developing nations will be hard pressed, and their citizens will be hard pressed to continue in support when there is a lack of services and no rallying enemy to fight against.
As it stands, other criminal organisations are watching carefully to see how this plays out. Conti and their counterparts seem to have the upper hand. If they win, you can expect many nations will be under attack. Others will fall. If ever we needed a call for cybercriminals to be considered enemies and treated accordingly, this provides the reason. Likewise, if you needed an external threat to raise your in-group identification and allow people to find unity in purpose, look no further. In the meantime, we need to create continental cyber ecosystems, we need to build in operational resilience, we need to shift culture to include trust and zero trust, and we need to act now before the pebble becomes an avalanche.
Regulatory requirements, reporting, and cyber insurance are for organisations secure enough not to need the means to fight Conti, those waiting in the wings, and those who will build on the successes of these threat groups. When we see Costa Rica stand alone, recognise that none of us are secure. This tsunami becomes our new tide.