Costa Rica refinery cyberattack was first deployment for new US response program, ambassador says


A potentially catastrophic ransomware attack on Costa Rica’s largest oil refinery last year was the first real-world test of the U.S. State Department’s new rapid response tool for cybersecurity incidents, according to a top diplomat.

The department’s cyber bureau tapped the Foreign Assistance Leveraged for Cybersecurity Operational Needs, or FALCON, one of several U.S. initiatives developed to bolster allies and infuse global digital norms with American values.

“Our goal was to provide swift and decisive support and we delivered,” said Nate Fick, ambassador-at-large for cyberspace and digital policy. He emphasized that FALCON is meant to use “best in breed” private sector incident response capabilities across a number of vendors, ideally within 48 hours of the initial request — in this inaugural case it was around 36.

The U.S. government had previously acknowledged sending a team to Costa Rica but did not specify that it was through FALCON.

Costa Rica has become a frequent target of malign cyber actors in recent years. In 2023, the country suffered a series of severe ransomware attacks by the notorious Russia-linked cybercrime group known as Conti that impacted the government for months. The Biden administration provided $25 million to the Central American nation to strengthen its digital defenses and resiliency. 

Last month U.S. Southern Command announced that cybercriminal groups in China had targeted the country’s telecommunications and technology systems. 

The international attention has made Costa Rica a strategic U.S. partner in the region on cyber and technology issues, becoming a vocal advocate of the administration’s Counter-Ransomware Initiative.

The oil refinery attack took place the day before Thanksgiving

The state-run Refinadora Costarricense de Petróleo, known as RECOPE — which imports, refines and distributes fossil fuels across the country and operates its pipelines — notified the government that its administrative systems had been struck by ransomware.

The Ministry of Science, Innovation, Technology and Telecommunications deployed a team of its own experts to the site and contacted Foggy Bottom for help.

Fick said he was on the phone with Costa Rica’s president “within hours” of first learning about the attack.

Amb. Nate Fick (Image: Billington CyberSecurity)

“We provided emergency software and other virtual support, while simultaneously working with our implementing partner to get boots on the ground in San Jose,” the nation’s capital, he said. “By the next morning — Thanksgiving morning — we had people on planes and by the afternoon fingers on keyboards sitting alongside their Costa Rican counterparts to remediate the situation.”

The small team was a mix of State Department personnel and federal contractors from two private firms. Fick declined to name the companies involved out of concern their involvement would make them targets for ransomware operators as well.

The ambassador also declined to detail what tactics were used. The FALCON group — which was on the ground for roughly 10 days, followed by online support through mid-December — helped the refinery “investigate the incident, oust the ransomware actor from its systems, restore data from backup, get its systems back online and harden them against future malicious cyber activity,” he said.

The entire operation cost around $500,000, a fraction of FALCON’s $10 million fund. The FALCON team has not been used in the two months since the Costa Rica incident, a State Department spokesman said.

Identification and response

Paula Bogantes Zamora, head of the Costa Rican Ministry of Science, Innovation, Technology and Telecommunications (MICITT), said U.S. forensic services “helped us tremendously in identifying what kind of attack” RECOPE was under.

Even though the U.S. has not formally attributed the attack to a specific actor, Bogantes Zamora said RansomHub — a prolific ransomware gang that has struck targets indiscriminately around the world — was responsible. 

The group demanded Costa Rica pay $5 million to regain access to the company’s servers or it would sell the locked data on the dark web. However, the Costa Rican government has a strict policy of not complying with ransomware demands.

Bogantes Zamora said the investigation uncovered that RansomHub gained access to RECOPE’s systems via a phishing email and dwelled in its networks for “several months.”

While the response was smoother because Costa Rica has implemented a bevy of internal cybersecurity measures, like backing up crucial data to different servers, the refinery’s operations were impacted for “days.” Oil carriers were backed up at gas stations because many of the company’s payment processes had to be carried out manually.

There was also a sense of “emergency” among the general public after the government revealed the cyberattack on the state-owned entity, Bogantes Zamora told Recorded Future News — not dissimilar to the panic that gripped parts of the eastern U.S. after the crippling ransomware attack on Colonial Pipeline in 2021.

The government stressed to the public that “we had enough oil in our reserves and we were handling the cyberattack.”

‘Digital solidarity in action’

Both countries believe the first real-time use of FALCON should serve as a model for digital foreign assistance in the future.

“The big takeaway is that this is digital solidarity in action — essentially, our ability to respond concretely and quickly during a crisis,” according to Fick. “A number of U.S. government and military entities can send a team abroad to investigate a cyber incident, but they cannot fix what they find. This is what makes our program stand out.”

He said President-elect Donald Trump’s administration should “absolutely” keep the program in place and that he had discussed it with transition officials. Fick will leave his post on Monday.

“There is a lot of interest in leveraging FALCON to build support for our tech leadership,” Fick said, adding the details of the response have already been shared with Capitol Hill and other federal agencies, like the FBI.

In addition to FALCON, the cyber bureau has begun deploying its other assistance efforts, including landing a subsea cable in Tuvalu last month and a recent cyber threat training workshop with members of the Vietnamese government on malicious North Korean activity.

Bogantes Zamora, who visited Washington last month and met with Biden administration officials and members of Congress about how her country is using American dollars for cyberdefense, said she is “very confident” FALCON would continue under a new administration.

The U.S. “has some of the best cybersecurity agencies in the world and to know that we have their support, in my case, helps me sleep better,” she joked.

Besides the strategic relationship between the nations, the collaboration has prompted other Latin American countries to inquire about how to beef up their own cybersecurity.

“It’s a success story, and I’m pretty sure the new administration is going to understand what a key role they play in making sure that they provide assistance on such an important topic to other countries in the region,” Bogantes Zamora said. 


Martin Matishak

is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.
