Costa Rica state energy company calls in US experts to help with ransomware attack

The state-owned energy provider for Costa Rica was hit with a ransomware attack last week requiring the company to shift to manual operations and call in help from abroad.

Refinadora Costarricense de Petróleo, known by most as RECOPE, imports, refines and distributes fossil fuels across the country while also operating pipelines stretching from its Caribbean to Pacific coasts. 

The organization said it discovered a ransomware incident on Wednesday morning and began an investigation. Officials said they were forced to conduct fuel sales manually in light of the attack, which took down all of the digital systems used to facilitate payments.    

Operations at tanker terminals were extended late into the night on Wednesday and were expanded on Thursday. RECOPE added it was working with the country’s Ministry of Science, Innovation, Technology and Telecommunications (MICITT) to resolve the situation but repeatedly sent messages out on social media reiterating to the country’s population that there were no shortages of fuel. 

RECOPE said on Thursday it is monitoring the flow of tankers carrying fuel to see whether operations at cargo terminals need to be extended. In total, 203 trucks of fuel were filled. 

“Fuel unloading at our dock continues as usual. This morning, ships were received with premium gasoline, diesel and aviation fuel. In parallel, Recope and Micitt continue to work together to deal with the incident,” RECOPE said in a statement. 

“We reiterate that Recope has sufficient inventories to meet the demand for fuel and continue to guarantee the service, as we have done for the past 61 years.”

On Friday, Karla Montero, president of RECOPE, said cybersecurity experts from the U.S. arrived on Thanksgiving and were able to help “gradually restore some systems” but said the organization “will continue to operate systems manually until it is fully guaranteed that processes are safe.”

She noted that they saw an increased volume in fuel sales due to concerns about the potential for gas and oil to not be available widely. Throughout the weekend, RECOPE extended hours to facilitate the sale of fuel.

MICITT published its own statement saying its security team was assisting in the recovery effort and reiterating that there has been no impact on the supply of fuel in the country. MICITT has also had to publish several messages since the incident refuting rumors of other cyberattacks on national institutions. 

Costa Rica’s government was previously battered by multiple ransomware attacks that forced the recently elected President Rodrigo Chaves to declare a state of emergency in response to the overnight paralysis of critical government services.

The attack, launched by the Conti ransomware gang, affected the country’s tax system, Ministry of Transport, customs system, electricity, meteorological services, health system and more, according to Chaves.

The incident drew global headlines and became one of the first instances of the United States delivering significant help to a country following a ransomware incident. U.S. officials sent $25 million to bolster Costa Rica’s cyberdefenses and Costa Rica joined the Biden administration’s Counter-Ransomware Initiative. 

“We were attacked, affecting the backbone of the functioning of the state,” Chaves said during an interview last year with Nathaniel Fick, the U.S. ambassador-at-large for cybersecurity.