Italy under cyberattack

2021-12-22

December was not an easy month for Italy in terms of cybersecurity. Several cyberattacks, targeting private companies, public healthcare services and city administration services, caused disruption across the country. These incidents raised concerns about Italy's capability to prevent and withstand attacks and to protect the general public, not only their data but their physical safety as well.

Conti ransomware strikes in Italy

On 4 December the Italian toy manufacturer Clementoni suffered a cyberattack which was immediately recognised as the work of the Conti ransomware. The threat actor operating Conti is thought to be the Russian group Wizard Spider, based in St Petersburg, which previously operated the Ryuk ransomware. Following the group's usual modus operandi, Clementoni was hit with the double extortion technique: the company's data was not only encrypted but also exfiltrated beforehand. The Conti operators managed to steal over 111 GB of data from the Italian company, which they will use to pressure the victim into paying the ransom by threatening to publish the data if their demands are not met.

Less than a week after the attack on Clementoni, the Conti operators published on their data leak site a small archive of data exfiltrated from the Comune di Torino, the city's administrative body. While it was known that the Comune di Torino had suffered a first attack on 15 November and a second on 29 November, it was not known that the attackers had managed to exfiltrate data. Following the first attack, the Comune di Torino assured the general public that no data had been compromised and that some services would be temporarily unavailable only to allow experts to investigate the attack, isolate the infected machines and contain the spread of the malware. Services resumed the following day, but two weeks after the first attack a second attack halted operations again. The city council member for security, Gianna Pentenero, disclosed that it could take up to 500 days to restore the whole network. Although the public had been assured that no data had been compromised, the post on the group's data leak site painted a very different picture. The file was only about 10 MB, but it appeared to contain personal information, including some citizens' home addresses and applications for reimbursements. This file is most likely just a small sample published to pressure the victim into paying the ransom, and more data might be released in the near future.

Grief and Hive strike in Italy too

The Conti ransomware operators do not seem to have been the only ones targeting Italy this December. On 5 December a group going by the name Grief posted on its data leak site on the Tor network a sample of data it claimed belonged to the Italian company Ornatop. Founded in Pesaro in 1994, Ornatop is now one of Italy's leading manufacturers of kitchen worktops. It is not clear when or how the attack occurred, nor what data was compromised, as the company has yet to release a public statement. The three files posted as a sample appeared to contain information on the company's taxes and clients' invoices, including some company and personal names, addresses and Italian tax codes (codici fiscali). Within the security community there is speculation that Grief is the same collective as the infamous Russian group Evil Corp, active since 2009. The two groups share several similarities, both in their behaviour and in the ransomware tooling they use. The rebranding under a different name may be a response to the sanctions imposed on Evil Corp by the US Treasury in December 2019, which prohibit any transaction with the group and therefore make it illegal for victimised American companies to pay ransoms to it.

Italian healthcare services were not spared in this month of cyberattacks. At the beginning of December the ULSS 6 Euganea, based in Padova in the northern region of Veneto, was hit by a ransomware attack. In Italy, ULSS (Unità Locale Socio Sanitaria) is the local health and social care authority, a public body in charge of delivering healthcare services to the population. ULSS 6 first disclosed the attack through a Facebook post on 3 December, informing the public that most of its servers would be taken offline to allow experts to resolve the issue. The post stated that this would take only a couple of hours, during which several services would be unavailable, including laboratory testing and the booking of specialist examinations, blood tests, COVID-19 tests and some vaccination appointments. Over 60 experts worked to understand the ransomware attack and to restore all infected machines. Nevertheless, several services remained inoperative or severely delayed for a week, while others resumed only without the use of digital systems. At the time of writing it is still not clear what type and amount of data was compromised during the attack. By 6 December, however, it became clear that the actor behind the attack was the Hive group, which claimed responsibility on its data leak site on the Tor network. Hive was first observed in June 2021 and is therefore a newcomer to the ransomware scene, but it quickly gained notoriety for its ruthlessness, targeting several healthcare providers and halting essential services. The group is also known for using the double extortion technique, which appears to have been used against ULSS 6 as well, although no sample data has been published yet.
In its post, Hive provided a link to the affected organisation; however, the link led to ULSS 2 Marca Trevigiana rather than ULSS 6 Euganea. It is not yet clear whether this is simply an error, or whether it means Hive was able to move laterally and affect other healthcare organisations.

Italy and cyberattacks

Italy ranks 4th in the world and 2nd in Europe, behind only Spain, for the number of malware detections, and is also one of the countries most targeted by ransomware attacks. The Italian Minister for Technological Innovation and Digital Transition, Vittorio Colao, disclosed in June 2021 that around 93-95% of the public administration's servers are not secure and are therefore vulnerable to attack. On 4 August 2021 Italy established the ACN (Agenzia per la Cybersicurezza Nazionale), the national cybersecurity agency, with the aim of promoting cybersecurity awareness in both the public and private sectors, raising the country's overall security level, and designing and applying prevention, monitoring, detection and mitigation measures against cyberattacks. While this is a step in the right direction, it comes with a severe delay compared to other European countries. The four cyberattacks discussed above raise the question of whether, in 2021, Italy is able to apply security measures adequate to the evolving cyberthreats and to protect public and private systems from malicious attacks.

The information contained in this article is provided by White Blue Ocean, part of CRIF Group, a global company specializing in credit & business information systems, analytics, outsourcing and processing services, as well as advanced digital solutions for business development and open banking.

Reference List:

https://www.bbc.com/news/technology-59297187

https://clusit.it/rapporto-clusit/

https://www.cybersecurity360.it/cybersecurity-nazionale/ecco-lagenzia-per-la-cybersicurezza-nazionale-come-cambia-la-sicurezza-ciberne

https://www.forbes.com/sites/teakvetenadze/2021/10/27/russian-cyber-gang-grief-claims-ransomware-attack-on-nra/?sh=6e8711b62423

https://www.giornalettismo.com/attacco-hacker-torino-russi-cosa-e-successo/

https://www.ilcittadinoonline.it/scienza-e-tecnologia/informatica/conti-pubblica-una-preview-del-leak-del-comune-di-torino/

https://www.ilfattoquotidiano.it/2021/12/04/padova-attacco-hacker-allunita-locale-socio-sanitaria-attivita-sospese-per-ore-si-rischia-di-perdere-i-dati-il-virus-chiede-un-riscatto/6414822/

https://www.ilmessaggero.it/tecnologia/moltofuturo/cybersecurity_sicurezza_attacchi_informatici-6209968.html

https://www.ilsole24ore.com/art/allarme-esperti-attacchi-cyber-l-italia-non-e-pronta-ma-nessun-paese-e-AEP7m0r?refresh_ce=1

https://www.lastampa.it/torino/2021/11/16/news/torino-sotto-attacco-cyberpirati-russi-bloccano-il-comune-1.40926524

https://www.liberta.it/news/green-future/2021/07/06/attacchi-informatici-italia-tra-le-piu-colpite-nasce-lagenzia-per-la-cybersicurezza/

https://medcitynews.com/2021/09/hive-is-a-new-potentially-devastating-type-of-ransomware-heres-what-you-need-to-know/

https://www.redhotcyber.com/post/incidente-di-sicurezza-alla-ulss6-hive-leaks-ransomware

https://www.redhotcyber.com/post/clementoni-vittima-ransomware-conti

https://www.rte.ie/news/crime/2021/0518/1222349-ransomware-crime-group/

https://threatpost.com/ryuk-earnings-trickbot/140823/

https://theloadoutblog.com/2021/11/01/hacker-group-grief-holds-nra-documents-hostage-after-alleged-ransomware-attack/

https://www.torinoggi.it/2021/11/29/leggi-notizia/argomenti/cronaca-11/articolo/venerdi-nuovo-attacco-hacker-ai-pc-del-comune-non-sono-stati-trafugati-dati.html

https://torino.repubblica.it/cronaca/2021/11/15/news/uffici_dell_anagrafe_sotto_attacco_hacker_saltano_tutti_gli_appuntamenti-326437702/

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.
