SIAE Data Breach

2021-10-21

News of the latest cyberattack comes from Italy, where on the afternoon of the 20th October it was disclosed that SIAE, the Italian Society of Authors and Publishers, was targeted by a ransomware attack. SIAE, which was founded in 1882, is the Italian copyright collecting agency for artists in different areas of the entertainment industry, including television, music, theatre, visual arts and literature, and aims to guarantee that artists receive the right remuneration for their work.

The ransomware attack 

According to initial reports, the unauthorised data exfiltration began on the 18th October and resulted in over 60 GB of data belonging to artists and employees being stolen from SIAE. Shortly after, a hacker group by the name of Everest claimed responsibility for the attack and confirmed that it had exfiltrated 60 GB of data including ID cards, passports, driver licences, financial data, credit card information, work contracts and more sensitive user information. The hacker group, as is often the case with ransomware attacks, engaged in the practice of "double extortion" by demanding a ransom of €3 million in bitcoin from SIAE, in addition to threatening to sell the data if the ransom is not paid. To back up this threat, the hacker group advertised the data for sale on their leak disclosure site on TOR, and offered a sample of the data to prove its authenticity. Contrary to typical ransomware attacks, the Everest group did not encrypt SIAE's data, but simply exfiltrated it. According to different sources, at the moment Everest is threatening to sell 28,000 files of compromised data for the price of €430,000 ($500,000), significantly lower than the ransom payment requested from SIAE.

Previous phishing attacks on SIAE 

The managing director of SIAE, Gaetano Blandini, confirmed the occurrence of the attack, and stated that the company has no intention of paying the €3 million ransom. He added that the breach was reported to both the Italian Privacy Guarantor and to the appropriate authorities, who are now investigating the matter. SIAE is now seeking to discover the exact extent of damage caused by the attack.

It is worth noting that this cyberattack does not appear to be an isolated incident. In the weeks preceding the attack, SIAE had noticed, and warned its associates and users, that bad actors were carrying out a phishing attack on users by pretending to be SIAE and inviting them to click on a link to sign a petition. On the 29th September SIAE had published warnings to alert users of the phishing attack both on their official website and on their official Twitter page. It is hypothesised that it was exactly through a phishing attack that the hacker group managed to compromise SIAE's database. It therefore appears that the phishing campaign which occurred at the end of September could be strongly linked to the mid-October cyberattack, and most likely played a crucial role in allowing the bad actors to find vulnerabilities in SIAE's systems to exploit. Cybersecurity experts are strongly advising SIAE to deliver up-to-date cybersecurity training to help employees identify phishing attacks and avoid a similar incident in the future.

Who is Everest?

According to different reports, the hacker group Everest does not appear to be new to the hacking scene, as it was first noticed in 2018 and initially went by the name Everbe. The hackers in the group, who are thought to be Russian, are motivated by financial gain, and seem to be trying to improve their reputation in the hacking community and gain more visibility. Everest typically engages in phishing, ransomware, social engineering and DDoS attacks. The choice of attacking an Italian company has raised some questions among cybersecurity experts, as the group is known to mainly target victims who are based in Canada. The group is said to be opportunistic in its search for targets, as many of its ransomware victims were selected solely on account of their lower-than-optimal cybersecurity practices. In addition, the group is known to put pressure on its victims when threatening them with "double extortion", by reminding them of the reputational damage they will incur if the ransom is not paid and the data is leaked or sold to the public. Cybersecurity experts have highlighted the risks that users who had their data compromised in the attack might face if SIAE does not pay the ransom and the data is leaked. The exfiltrated data could be used by bad actors to commit fraud and identity theft.

The cyberattack suffered by SIAE is the latest example of the growing trend of ransomware attacks, and demonstrates the increasing value that personal information holds in underground communities. The attack on SIAE occurred in Italy not long after Lazio region's websites were targeted by bad actors in August, leading to the momentary disruption of the vaccination campaign portal and other healthcare services. Both instances demonstrate the vulnerability of Italy to cyberattacks and highlight the need to allocate an increasing level of attention and of resources to face cyber threats.  

