2 Charged With Hacking Italian Defense Contractor LeonardoPolice Say Backdoor Trojan Malware Spread Using USB Drive
Italian authorities arrested two employees of the Italian defense contractor Leonardo. One is accused of installing a backdoor Trojan into the company's systems and exfiltrating 10GB of data over a two-year period and the other allegedly attempted to cover up the breach, according to local law enforcement officials.
The Cybercrime Working Group of the Naples Public Prosecutor's Office reports Arturo D'Elia, an IT security manager with Leonardo, has been charged and detained in connection with the incident. The second individual, Antonio Rossi, has been placed under house arrest for giving false and misleading information in an attempt to hinder the investigations.
"The investigations showed that, for almost two years, the IT structures of Leonardo SpA had been hit by a targeted and persistent cyberattack (known as Advanced Persistent Threat or APT), since it was carried out with installation in target systems, networks and machines of a malicious code aimed at creating and maintaining active communication channels suitable for allowing the silent exfiltration of significant quantities of classified data and information of significant corporate value," Italian prosecutors say.
The stolen information included data from the company's human resources department and information on the procurement and distribution of capital goods, as well as the design of civil aircraft components and military aircraft for the Italian and international market along with credentials for accessing personal information of Leonardo S.p.A. employees, the prosecutors say.
No strategic or classified information was included in the data breach, Leonardo notes in a statement, as that level of data is stored in a network that is not connected to the factory, which is located outside of Naples, Italy.
Leonardo is a defense contractor specializing in aerospace, maritime and cybersecurity with more than 44,000 employees worldwide and revenues of about $16 billion, according to the company.
An Insider Threat
The intrusion into Leonardo's systems ran from 2015 to 2017 and was detected when the company's cybersecurity team noticed anomalous network traffic leaving workstations located in the company's Pomigliano d'Arco plant.
The company says the attacker used a USB key to install the malware onto workstations that then pulled data whenever the computer was activated. Overall, 94 workstations were involved, 33 located at the Pomigliano plant and the remainder at other Leonardo facilities. An additional 13 computers belonging to the telecom Alcatel were also infected.
"In January 2017 the cyber security structure of Leonardo SpA reported anomalous network traffic, outgoing from some workstations of the Pomigliano D'Arco plant, generated by an artifact software called 'cftmon.exe,' unknown to company antivirus systems," prosecutors say.
The data was then exfiltrated to a command-and-control server using the website www.fujinama.altervista.org, which was also seized during the operation, prosecutors report.
The workstations were used by company managers involved in the production of defense products, Leonardo says.
Leonardo reports it is continuing its cooperation with local law enforcement agencies.
Neither the company nor the prosecutors indicated what happened to the data once it was removed from the company's network, but any information related to defense is highly prized (see: Defense Contractor Hacking More Expansive Than First Thought)).
An Unknown Malware
Authorities are still in the process of deconstructing the malware used in the incident, which has not been spotted before. What is known is the malware was contained in a USB drive and then manually inserted into the targeted computers. Once downloaded, it maintained persistence and activated whenever the unit was being operated.
The malware could log keystrokes and take screengrabs, the prosecutors report. Once the information was exfiltrated, the attacker, using the command-and-control server, deleted the malware.
"Confidential company data of Leonardo SpA's Pomigliano D'Arco plant were thus in fact in full control of the attacker, who, thanks to his corporate duties, was over time able to install multiple evolutionary versions of the malware, with capacity and effects always more invasive and penetrating," the prosecutors say.