Colombia fights back from devastating ransomware attack

Supply chain attack claims ‘greatest treasure’

In early September 2023, Colombia suffered a massive third-party ransomware attack that went to the heart of the country’s infrastructure and government services.

Threat actors gained access through IFX Networks, an internet service provider, in what’s known as a ‘supply chain attack’.

The Colombian government alleges that the attack happened as a direct result of IFX’s negligence, and that its communication with the government and other victims afterwards was insufficient. The government has already announced its intention to take legal action against IFX.

Colombian President Gustavo Petro was at the United Nations headquarters in New York as events unfolded. Although he did not name IFX directly, he said that the scale of the attack demonstrated that the company “did not have the right cyber security measures in place.” Whether that is true or not remains to be seen, but the reputational damage to IFX has already been done.

The Office of the President later released a statement, which claimed that the ransomware attack affected, “762 companies in Latin America, with IFX supplying data to a total of 17 countries on the sub-continent.” Entities in Argentina, Panama and Chile are also thought to have been swept up in the attack.

Speaking to Caracol Radio, Colombia’s Information and Telecommunications Minister Mauricio Lizcano said, “When a government or private entity gives a company its data, it is its greatest treasure. And the company must take every precaution [to ensure] that this information is not lost.”

Law and disorder

Recovery will be a slow and complicated process. The Colombian government alone suffered damage to at least 32 of its most important websites, including those of:

• the Ministry of Health, including that of the Superintendence of Health and several private hospitals;
• the competition regulator (the Superintendence of Industry and Commerce);
• the Judicial Branch Services, including the Superior Council of the Judiciary; and
• the stock market authority.

Fuelling government anger is the effect the ransomware attack has had on the day-to-day running of the country and its economy.

For example, two million legal processes were suspended for seven days because the judicial branch’s web portals were completely frozen, and there was no way to determine the status of proceedings currently in the system.

Many health centres also lost their online services, meaning that patients could not request appointments or prescriptions, and doctors could not access medical records.

The Ministry of Information Technology has warned that the personal health data of an unspecified number of Colombians is now in circulation on the Dark Web.

Counting the economic cost

Perhaps most significant of all was that the hacking doubled the delay in Colombia’s foreign trade procedures:

• Exporters requiring permits from the Colombian Agricultural Institute (another of the affected entities) found that acquiring the permits manually took almost twice as long, and that in some cases necessary information was simply not available.
• Imports into Colombia requiring permits were also delayed.

No figure has been placed on just how much the attack has cost Colombia’s government and businesses so far, though the reality is that the final amount will never be known.

National Security and Space Affairs Agency fails to launch

Colombia’s legislature had recently failed by one vote to approve a new ministry dedicated to cyber security. Among those angered by the failure was Saúl Kattan Cohen, one of Colombia’s most prominent businesspeople and an adviser to President Petro. In the wake of the IFX attack, Mr Kattan took to social media to declare that the creation of a National Security and Space Affairs Agency was now “urgent”.

That the NSSAA came so close to being voted through may be because this cyber attack is not the first Colombia has had to endure on a state level. In 2018, the country’s elections were thrown into chaos by tens of thousands of cyber attacks on its voter registration systems. 

A worldwide problem

It may be cold comfort to Colombia, but it is not alone. Other governments afflicted by ransomware attacks in recent years include Sri Lanka, the Dominican Republic, and Costa Rica — which was essentially shut down after it refused to pay a US$20m ransom to a Russian hacking group in April 2022.

New Zealand’s stock exchange, NZX, was knocked out for two days running in 2020 by a DDoS attack. Telling a now-familiar story, NZX said it had been the victim of an offshore supply chain attack via its network service provider.

It is now clear that threat actors find no target too big or too small to be worth aiming at. Being a good global citizen will require organisations of all sizes to take a more strategic, co-ordinated and considered approach to building their cyber security defences. It is the only way to protect themselves, and their wider supply chain networks.