The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Costa Rica shows the damage ransomware can do to a country

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! Huge congratulations to my Post colleagues who won a Pulitzer Prize for public service for their courageous coverage of the Jan. 6 Capitol attacks. Congratulations to all the other winners and finalists as well.

Below: The Biden administration is mulling rules to block U.S. companies from using the Russian anti-virus Kaspersky, and Spain's intel chief is ousted in spyware scandal.

The Conti gang has prompted Costa Rica's president to declare a national emergency

Costa Rica is giving the world a look at the chaos criminal ransomware gangs can unleash on a nation.

The Central American nation’s new president, Rodrigo Chaves Robles, kicked off his term by declaring a national emergency this weekend — a belated response to a ransomware attack that has disrupted government agencies for more than a month.

The attack by the Russia-based Conti ransomware gang has disrupted Costa Rica’s systems for collecting taxes, paying pensions, overseeing exports and paying government employees, the Associated Press reported. The hackers locked up computers at numerous government agencies, including the Finance and Labor ministries — some of which still cannot access their computer systems.

They also spread farther afield, crippling the administrative systems of an electricity provider in the small Costa Rican city of Cartago.

The hack has seeded fear throughout the nation as businesses and individuals worry that sensitive information they’ve shared with government agencies will be published and used against them.

The government refused to pay a ransom under former president Carlos Alvarado Quesada. Since then, Conti has been publishing the government’s stolen information on its site as punishment.

The gang is seemingly trying to ratchet up the anxiety for other nations. In a statement posted to its website, the gang pledged that “Costa Rica is a demo version” and more serious attacks will follow.

Details from Emsisoft ransomware analyst Brett Callow:

The Costa Rica hack joins a growing pantheon of ransomware attacks that demonstrate how cybercriminals merely seeking profit can often do even more damage than government-backed hackers.

  • That list includes numerous other Conti operations, including one that disrupted the Irish health-care system for weeks last year and may cost up to $100 million in recovery costs.
  • Other landmark ransomware attacks hit U.S. businesses, including hacks at Colonial Pipeline that disrupted gas supplies to the southeastern United States and against the food industry giant JBS, which threatened U.S. meat supplies.

The U.S. State Department is eager to crack down on Conti. The department offered a $10 million reward for information leading to the identification of any Conti leaders in a notice that specifically called out the attack in Costa Rica. The department is also offering a $5 million reward for information that leads to the arrest of anyone using Conti ransomware.

From the notice: “In offering this reward, the United States demonstrates its commitment to protecting potential ransomware victims around the world from exploitation by cybercriminals. We look to partner with nations willing to bring justice for those victims affected by ransomware.

The State Department has offered similar rewards for information about the DarkSide ransomware group, which conducted the Colonial Pipeline hack, and the REvil group, which attacked JBS and the IT service provider Kaseya.

Conti has been extremely prolific, often locking up the computers of multiple victims in a single day and targeting victims across a range of industry sectors including health care and manufacturing.

It’s also survived against the odds. The gang was nearly pushed out of operation early in the Ukraine invasion when its leaders announced their allegiance to the Russian invading forces. A Ukrainian gang member leaked troves of embarrassing internal chats and information about the gang’s operation in retribution.

The gang dropped briefly offline, but was back just a few weeks later.

The keys

The Biden administration is mulling an even broader ban on Russian anti-virus firm Kaspersky

U.S. regulators are mulling new rules that could block American companies and individuals from using anti-virus software from the Russian firm Kaspersky Lab, Reuters’s Alexandra Alper writes.

The move follows a months-long probe into possible new restrictions on the anti-virus, which have ramped up since the Ukraine invasion, Alper writes. Other possible efforts would be aimed at reducing the risk posed by Kaspersky products.

The U.S. government has long warned Kaspersky software could be used to conduct cyberattacks and said the company is too close to the Kremlin. The U.S. government ordered civilian agencies to remove Kaspersky anti-virus software from their systems in 2017.

The Biden administration has put on hold sanctions against the company in the wake of concerns about such sanctions’ “size and scope,” the Wall Street Journal’s Vivian Salama and Dustin Volz reported in March. Kaspersky has long denied wrongdoing and said it doesn't do the Kremlin's bidding.

Russian TVs apparently hacked to show antiwar messages during Victory Day holiday

The antiwar messages showed up on smart TVs and platforms run by Russian IT giant Yandex, including a service that shows TV schedules, Mary Ilyushina and Annabelle Timsit report. They included messages saying that “the blood of thousands of Ukrainians and hundreds of murdered children is on your hands,” and “TV and the authorities are lying. No to war.”

The hacks came on Victory Day, when Russians commemorate the Soviet Union’s role in defeating Nazi Germany.

They also affected Russia’s YouTube equivalent, Rutube. The site said it had “undergone a powerful cyberattack” that made it “not possible to access the platform.” Rutube later said it had “localized the incident,” and that hackers weren’t able to access its archive of videos.

Russian President Vladimir Putin gave a Victory Day speech defending the Ukraine invasion, but did not announce an escalation of the war as many analysts had feared.

Spain’s intelligence chief ousted over spyware scandals

Spain’s cabinet agreed to fire Paz Esteban, who leads its CNI intelligence service, amid revelations that NSO’s Pegasus spyware targeted some Spanish government officials as well as more than 60 government officials and activists in Spain’s autonomous Catalonia region, Spain’s EFE news agency reported via The Associated Press.

An official announcement is expected later today.

Esteban admitted her agency had used spyware to track some Catalan officials, but said it was done with judicial approval.

Clearview AI agreed to stop selling facial recognition software to private firms

Going forward, the company plans to just sell its facial recognition algorithm — not its database of faces — to commercial customers in a “consent-based manner,” Clearview chief executive Hoan Ton-That said.

While Clearview lawyer Floyd Abrams said the settlement wouldn’t force the company to change its business model, Clearview has pitched its database of faces as a “distinctive feature, and the settlement could greatly limit its future prospects,” Drew Harwell writes.

Context: Clearview AI is known for downloading billions of images from the Internet without the consent of social media companies or users to build its face-search database, which has been sold to law enforcement agencies.

The development shows how a single state privacy law can have major implications for Americans’ civil rights. Clearview’s settlement came in a lawsuit brought by the American Civil Liberties Union accusing the company of violating an especially vigorous Illinois facial recognition law. The settlement marks the most significant court action against the company.

Industry report

Industry groups slam proposed SEC rules for reporting hacks to investors

The groups say the Securities and Exchange Commission’s proposed rules, which are aimed at raising companies’ cybersecurity precautions and transparency, could force companies to prematurely report hacks publicly. They urged more flexible rules with some exemptions.

Under the rules, firms would have to report material cybersecurity attacks within four business days and disclose some cybersecurity policies and the cyber expertise of their board members. Backers have said the rules will make companies more accountable to investors and raise the nation's overall cyber hygiene.

  • “The current proposal has severe deficiencies requiring the SEC to reassess the proposal and hold a roundtable with stakeholders,” the U.S. Chamber of Commerce said.
  • “No other data breach reporting requirement exists like this that we are aware of,” said the life insurance industry’s trade organization, the American Council of Life Insurers.
  • BSA | The Software Alliance warned that “unintended impact on registrants, investors, law enforcement, and the health and safety of U.S. persons would outweigh any benefits.”
  • The Digital Directors Network praised a proposed disclosure requirement for companies to report the cybersecurity expertise of their board members, calling it “singularly the highest impact, lowest effort proposal being suggested that will materially lower cyber risk exposure for America’s public companies."

Global cyberspace

NSO Group keeping owners ‘in the dark’, manager says (Financial Times)

Cyber insecurity

'A tragedy': Closure of 150-year-old college underscores toll of ransomware attacks (NBC News)

How to track your period without compromising your privacy (By Tatum Hunter and Heather Kelly)


  • Director of National Intelligence Avril Haines and Scott Berrier, who leads the Defense Intelligence Agency, testify on worldwide threats at a Senate Armed Services Committee hearing today at 9:30 a.m.
  • A House Science Committee panel holds a hearing on open-source software cybersecurity Wednesday at 10 a.m.
  • The Institute for Security and Technology hosts an event on offensive cyber operations in the Russia-Ukraine war on Wednesday at 1 p.m.

Secure log off

Thanks for reading. See you tomorrow.