Leonardo Spa, all the details on the cyber attack

The case of the cyber attack against Leonardo S.p.A. could have sensational implications. Although the type of data stolen from the group is not yet clear, everything points to a particularly serious incident, given the volume of data exfiltrated (over 10 GB), the method of attack, and the fact that professionals inside the group would have been involved.

The account of what happened comes directly from the Postal Police Commissariat, which explains how CNAIPIC was involved in the investigation and how the two identified perpetrators came to be arrested.

Leonardo Spa under cyber attack: all the details

It all began in 2017, when the group's experts reported anomalous traffic that deserved further investigation: only a few workstations and little traffic, but enough to raise a suspicion that proved important in light of what was later discovered. The traffic was directed to the site fujinama.aletrvista.org (now under seizure) by ad hoc software called cftmon.exe.

Subsequent investigations reconstructed a much broader and more serious picture. The inquiries showed that, for almost two years (between May 2015 and January 2017), the IT infrastructure of Leonardo S.p.A. had been the target of a targeted and persistent cyber attack (an Advanced Persistent Threat, or APT): malicious code was installed on target systems, networks and machines to create and maintain communication channels suitable for the silent exfiltration of significant quantities of classified data and information of considerable corporate value. In particular, on the basis of the evidence gathered so far, this serious cyber attack appears to have been carried out by an IT security manager of Leonardo S.p.A., Arturo D'Elia, against whom the investigating judge (G.I.P.) of the Tribunale di Napoli has ordered pre-trial detention in prison.

The software turned out to be a genuine persistent Trojan, installed via ordinary USB sticks and designed to remain on the targeted workstations over time. It was able to intercept everything typed on the keyboard and to capture screenshots, thus exposing valuable information about the activities performed on those machines.

The investigations also made it possible to reconstruct the attacker's anti-forensic activity: after connecting to the C&C (command and control) server behind the "fujinama" site and downloading the stolen data, he remotely deleted all traces on the compromised machines. According to the reconstruction by the Communications Police, the attack is classified as extremely serious, since its surface covered 94 workstations, 33 of them located at the company's Pomigliano d'Arco plant.
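The two details that ultimately exposed the operation, according to the account above, were low-volume but regular traffic from a handful of workstations to one external host, and a process name (cftmon.exe) that happens to resemble the legitimate Windows component ctfmon.exe. The following Python script is an added example written for this page, not code from the Postal Police source or from Leonardo; it shows how a detection engineer would hunt for exactly those two signals in proxy or EDR logs. The log lines, host names, byte counts and the allow-list of "known good" binaries are all constructed for the example, and the resemblance to ctfmon.exe is the editor's observation, not a claim made by the source.

```python
"""Hunt for low-volume C&C beaconing and look-alike process names in proxy logs.

Added example, not the page's or the investigators' own tooling. The log
lines below are constructed; nothing here is real Leonardo traffic.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: timestamp, client host, process, destination, bytes out.
SAMPLE_LOG = """\
2017-01-10T08:00:03Z ws-pom-017 cftmon.exe fujinama.aletrvista.org 4120
2017-01-10T08:00:41Z ws-pom-017 chrome.exe www.example.com 910
2017-01-10T09:00:02Z ws-pom-017 cftmon.exe fujinama.aletrvista.org 3988
2017-01-10T09:31:50Z ws-pom-017 chrome.exe www.example.com 2200
2017-01-10T10:00:04Z ws-pom-017 cftmon.exe fujinama.aletrvista.org 4301
2017-01-10T11:00:01Z ws-pom-017 cftmon.exe fujinama.aletrvista.org 4015
2017-01-10T12:00:03Z ws-pom-017 cftmon.exe fujinama.aletrvista.org 4190
2017-01-10T08:15:00Z ws-pom-022 outlook.exe mail.example.org 15000
2017-01-10T08:47:12Z ws-pom-022 outlook.exe mail.example.org 8100
2017-01-10T10:03:40Z ws-pom-022 outlook.exe mail.example.org 22000
2017-01-10T13:20:09Z ws-pom-022 outlook.exe mail.example.org 5000
2017-01-10T14:59:55Z ws-pom-022 outlook.exe mail.example.org 9000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

# Hypothetical allow-list of legitimate Windows binary names used for the
# look-alike check; a real deployment would use a signed-binary inventory.
KNOWN_GOOD = {"ctfmon.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}


def parse_log(text):
    """Return (timestamp, client, process, destination, bytes) tuples; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return events


def beacon_candidates(events, min_hits=4, max_jitter=0.2):
    """Flag (client, process, destination) triples whose connection gaps are regular.

    Regularity is measured as population std-dev of the gaps divided by the mean
    gap; an hourly beacon scores near 0, interactive browsing scores well above 0.2.
    """
    by_key = defaultdict(list)
    for ts, client, proc, dest, _nbytes in events:
        by_key[(client, proc, dest)].append(ts)
    findings = []
    for (client, proc, dest), stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            findings.append({"client": client, "process": proc, "dest": dest,
                             "hits": len(stamps), "period_s": round(mean),
                             "jitter": round(jitter, 3)})
    return findings


def _one_edit_or_swap(a, b):
    """True if a and b differ by one substitution, one insertion/deletion, or one adjacent swap."""
    if a == b:
        return False
    if len(a) == len(b):
        diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])
    if abs(len(a) - len(b)) == 1:
        short, longer = sorted((a, b), key=len)
        return any(longer[:i] + longer[i + 1:] == short for i in range(len(longer)))
    return False


def lookalike_process(name, known=KNOWN_GOOD):
    """Return the legitimate binary name that `name` imitates, or None if it is clean or unrelated."""
    name = name.lower()
    if name in known:
        return None
    for good in known:
        if _one_edit_or_swap(name, good):
            return good
    return None


def analyze(text):
    """Combine both signals: regular beacons, annotated with any look-alike process name."""
    findings = beacon_candidates(parse_log(text))
    for f in findings:
        f["imitates"] = lookalike_process(f["process"])
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Two design points matter here. First, the detection keys on timing regularity rather than volume, because a beacon that sends a few kilobytes an hour from three workstations is invisible to any threshold on bytes transferred. Second, the analysis runs over proxy or DNS records collected off the endpoint: once an attacker who has remote control of the machine deletes the host-side traces, as described above, the central network log is often the only record of the exfiltration that survives.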

The employees working on the violated workstations also had managerial duties, and the stolen information concerned "administrative/accounting management, the use of human resources, the procurement and distribution of capital goods, as well as the design of components of civil and military aircraft for the domestic and international market". Sensitive material of potential strategic value to anyone wishing to steal the company's secrets.

Even more serious is the fact that the head of the Cyber Emergency Readiness Team, Antonio Rossi, may have carried out misdirection: his position will be assessed on the basis of "serious evidence of guilt" relating to various attempts to tamper with the evidence in order to obstruct the investigation.

In short, all that remains is to discover the motive for all this and who commissioned the attack.

Source: Postal Police Commissioner
