Instituto Costarricense de Electricidad: China Demands Proof After Costa Rica Blames UNC2814 for ICE Cyberattack

Costa Rica-China Diplomatic Tensions Escalate Over Alleged State-Linked Cyberattack on ICE

A cyberattack targeting Costa Rica’s state-run electricity and telecommunications provider, Instituto Costarricense de Electricidad (ICE), has sparked a diplomatic dispute between Costa Rica and China. On March 12, Costa Rican authorities publicly attributed the breach to UNC2814, a cyberespionage group with suspected ties to China, prompting Beijing to demand evidence and reject the allegations.

The attack, first detected in late January, involved the exfiltration of nine gigabytes of internal email data from ICE’s administrative systems. Despite the breach, officials confirmed that critical infrastructure, including electricity generation and telecommunications services, remained operational, with no disruption to customer data or services. ICE Executive President Marco Acuña Mora emphasized that the incident did not compromise sensitive information or service delivery.

Costa Rica’s attribution to UNC2814 was based on intelligence shared by Mandiant (Google’s cybersecurity division), which has tracked the group since 2017. In February, Google announced it had disrupted a global cyberespionage campaign linked to UNC2814, which had targeted telecommunications providers and government entities across 42 countries on four continents. Costa Rican Minister Paula Bogantes Zamora noted that the group specializes in operations against the telecom sector, aligning with the ICE breach.

China swiftly denied involvement, with Ambassador Wang Xiaoyao calling the accusations "unfounded" and demanding Costa Rica provide technical evidence to substantiate its claims. The Chinese embassy stated it had received no prior requests for investigative cooperation from Costa Rican authorities and warned against "politicizing cybersecurity issues." Beijing also highlighted its repeated attempts since 2024 to engage Costa Rica in cybersecurity cooperation, including proposed UN-backed frameworks and a bilateral joint commission, efforts it claims were ignored.

The dispute underscores broader tensions over cyberespionage attribution, with China advocating for legal and diplomatic resolutions over public accusations. The embassy’s statement framed the allegations as potentially damaging to China-Costa Rica relations, suggesting external pressures may be influencing the narrative. Meanwhile, Costa Rica’s reliance on private-sector threat intelligence (Mandiant) rather than direct evidence-sharing with China has further complicated the standoff.

Source: https://thecyberexpress.com/ice-cyberattack-china-costa-rica/

Instituto Tecnologico de Costa Rica cybersecurity rating report: https://www.rankiteo.com/company/instituto-tecnologico-de-costa-rica

"id": "INS1773649442",
"linkid": "instituto-tecnologico-de-costa-rica",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'Electricity and Telecommunications',
                        'location': 'Costa Rica',
                        'name': 'Instituto Costarricense de Electricidad (ICE)',
                        'type': 'State-run utility provider'}],
 'customer_advisories': 'Assurance that customer data and services were '
                        'unaffected',
 'data_breach': {'data_exfiltration': 'Yes (nine gigabytes)',
                 'sensitivity_of_data': 'Non-sensitive (administrative emails)',
                 'type_of_data_compromised': 'Internal email data'},
 'date_detected': '2024-01-01',
 'date_publicly_disclosed': '2024-03-12',
 'description': 'A cyberattack targeting Costa Rica’s state-run electricity '
                'and telecommunications provider, Instituto Costarricense de '
                'Electricidad (ICE), has sparked a diplomatic dispute between '
                'Costa Rica and China. The breach, attributed to UNC2814 (a '
                'cyberespionage group with suspected ties to China), involved '
                'the exfiltration of nine gigabytes of internal email data '
                'from ICE’s administrative systems. Critical infrastructure '
                'remained operational, and no customer data or services were '
                'disrupted.',
 'impact': {'brand_reputation_impact': 'Diplomatic tensions, potential '
                                       'reputational damage due to allegations',
            'data_compromised': 'Nine gigabytes of internal email data',
            'operational_impact': 'No disruption to electricity generation or '
                                  'telecommunications services',
            'systems_affected': 'Administrative systems (non-critical '
                                'infrastructure)'},
 'initial_access_broker': {'high_value_targets': 'Telecommunications '
                                                 'providers, government '
                                                 'entities'},
 'investigation_status': 'Ongoing (diplomatic dispute unresolved)',
 'motivation': 'Espionage, State-sponsored intelligence gathering',
 'post_incident_analysis': {'root_causes': 'Suspected state-sponsored '
                                           'cyberespionage targeting '
                                           'administrative systems'},
 'references': [{'source': 'Mandiant (Google)'},
                {'source': 'Costa Rican Government Statements'},
                {'source': 'Chinese Embassy Statements'}],
 'response': {'communication_strategy': 'Public attribution, diplomatic '
                                        'statements',
              'third_party_assistance': 'Mandiant (Google’s cybersecurity '
                                        'division)'},
 'stakeholder_advisories': 'Diplomatic advisories between Costa Rica and China',
 'threat_actor': 'UNC2814',
 'title': 'Alleged State-Linked Cyberattack on Costa Rica’s ICE',
 'type': 'Cyberespionage'}