Costa Rica’s state oil refinery RECOPE switched to manual operations Wednesday after a ransomware attack targeted its computer systems, marking the second cyberattack on a major government institution this month. While fuel sales continue without interruption, RECOPE has directed all staff to avoid using digital platforms as cybersecurity teams assess the damage from the early morning attack on November 27.
The incident, confirmed by both RECOPE and the national Computer Security Incident Response Center (CSIRT), follows a similar attack that disabled online services at the General Directorate of Migration (DGME). “RECOPE clarifies to the population that fuel sales continue to operate manually, without affecting the supply or service to its users,” the institution stated. Bárbara MarÃn, RECOPE’s Head of Communications, added, “We have warned our clients and carriers coming to our plants about the necessary contingencies.”
Initial investigations suggest ransomware as the likely culprit, typically deployed through phishing emails, malicious downloads, or infected websites. This type of malware is designed to disable access to computer systems until a ransom is paid. The DGME attack, which preceded RECOPE’s incident, continues to impact public services. While critical systems for DIMEX processing, passport issuance, and border control remain operational, the agency’s website is offline, preventing access to online services such as appointment scheduling and immigration record checks.
Jean Paul San Lee, general director of the DGME, confirmed that despite website disruptions, office operations continue normally, maintaining essential services like migratory regularization and security controls. These back-to-back cyberattacks highlight an escalating threat to Costa Rica’s public institutions.
In recent years, major organizations including the Costa Rican Social Security Fund and Ministry of Finance have fallen victim to similar attacks, causing significant service disruptions. The incidents underscore the urgent need for enhanced cybersecurity measures to protect critical public services.
The CSIRT-CR team continues to work alongside RECOPE’s technical staff to evaluate the attack’s impact and implement recovery measures. Neither institution has provided a timeline for restoring normal digital operations.
