In May, Costa Rica came under attack from a foreign terrorist organization. Costa Rican president Rodrigo Chaves declared a national emergency and stated that his country was “at war.” The government seemed to be on the brink of collapse. Chaves called the attacker an “international terrorist group.” However, this was not a typical terrorist attack. There were no bombings, shootings, or plane hijackings. This terrorist attack on a democratic nation came from cyberspace.
The Russian-speaking ransomware gang, Conti, launched a sophisticated cyberattack on numerous Costa Rican government agencies. The attack left the Costa Rican government paralyzed and reeling for weeks. The Ministry of Finance’s digital services were impacted, which meant that the government could not process tax payments. Many Costa Rican citizens could not fill their prescriptions since the government’s digital healthcare services were down. More than twenty-five Costa Rican governmental agencies were impacted by the cyberattack. This attack was a serious infringement of Costa Rican sovereignty and put the lives of ordinary Costa Ricans in jeopardy.
Conti has also wreaked havoc on the U.S. healthcare system. Since 2018, Conti has launched more than 200 cyberattacks against hospitals and healthcare facilities across the United States, costing an estimated $500 million. In addition, Conti attacked Ireland’s public health system in 2021 and caused major disturbances to Irish healthcare services. All of this happened amidst a global pandemic when healthcare was most needed. Meanwhile, the cybersecurity firm Chainalysis estimated that Conti brought in around $180 million in revenue in 2021. Is it time to start thinking of these cyberattacks as terrorist attacks?
It is common knowledge amongst cybersecurity specialists that many of these cybercriminal groups are based in Russia. President Vladimir Putin’s intelligence services and security agencies share cyber know-how and often financially support non-state hackers. During Russia’s invasion of Ukraine, Putin’s regime has encouraged Russian-speaking hacker groups to attack any foreign countries that support Ukraine. Costa Rica, a U.S ally and vocal critic of the Russian invasion, appears to have been one of the main targets. Costa Rica does not have a standing army so it relies on international law and security guarantees to ensure its territorial integrity. The Russian invasion of Ukraine erodes global norms of national sovereignty and puts anti-militarist nations in an existential crisis, which has made Costa Rican government officials voice their ardent opposition to Russian aggression in international forums. In addition, developing nations such as Costa Rica are often more lax in their cybersecurity measures as they undergo transitions to digital-oriented economies. If this major cyberattack can happen to the small non-interventionist nation of Costa Rica, other developing nations need to be on alert and take a more proactive approach to bolster their cybersecurity defenses.
Conti raises important questions about the future of cyberterrorism. Given Conti’s known sympathies for the Putin regime and its ad hoc links with the FSB, the Conti ransomware group should be labeled as a foreign terrorist organization by the U.S. government and be placed on the official list. In order to qualify as a foreign terrorist organization (FTO), a group must fulfill three criteria: the organization must be a foreign organization, the organization must engage in terrorist activity or retain the intent to engage in terrorism, and the organization must threaten the national security of the United States or the lives of its citizens. Given Conti’s demonstrated aggression against Costa Rica and its attacks on U.S. critical infrastructure, it is clear that the pro-Putin cybercriminal gang hopes to achieve both political and financial goals.
The Russian government has an unofficial pact with domestic cybercriminal gangs. These groups are allowed to attack businesses and government agencies in Western countries so long as they do not target entities that are friendly to the Kremlin. This partnership presents a win-win scenario as Moscow purposely uses Russian cybercriminals to avoid responsibility for major cyberattacks in the West. However, since the Russian government has increasingly sought closer links with the cybercriminal underworld, it is time for the international community to see Russian cybercriminal gangs as affiliates of the Putin regime.
Officially designating such groups as foreign terrorist organizations would send a message to cybercriminals that their actions are terroristic in nature and known members will be treated like terrorists. Being placed on the FTO list would also mean sanctions and financial restrictions on such groups. One of the reasons why such ransomware groups persist is because many businesses and governments pay the ransoms that ensure their survival. To cut off their financial means, Western private and public sector industries should see the payment of ransoms as funding terrorism. Given the imperial ambitions of Putin, reframing Russian cybercriminals terrorists is an unfortunate necessity in the twenty-first century.
Benjamin R. Young is an assistant professor of homeland security and emergency preparedness in the Wilder School of Government and Public Affairs at Virginia Commonwealth University. He is the author of the book Guns, Guerillas, and the Great Leader: North Korea and the Third World, and his writing has appeared in a range of media outlets and peer-reviewed scholarly journals. Follow him on Twitter @DubstepInDPRK.