What we know about the Railways ransomware attack

On the morning of 23 March, what at first looked like a technical fault blocked some of the Trenitalia and Ferrovie dello Stato sales systems: self-service machines and ticket offices in the stations stopped working. The real reason was different. Part of the ticketing network was shut down by the company itself, which had identified machines affected by a ransomware attack aimed at the Italian railway network (RFI), the group company that manages the infrastructure. It was an action to contain the cyber breach, and the cybercriminal group Hive is held responsible.

What we know

A cryptolocker, a type of malware that encrypts the victim's data and demands a ransom in exchange for the decryption key, attacked the railway. A source close to security circles initially attributed the operation, speaking to the news agency Ansa, to a Russian hand. "At this moment we have no elements to establish the attribution", Ivano Gabrielli, director of the Postal Police, explains to sportsgaming.win; his National Cybercrime Center for the Protection of Critical Infrastructures (Cnaipic) is involved, together with the newly created Agency for National Cybersecurity (Acn), in the remediation and analysis of the breach.

“At the moment, for us the maneuver is situated in the context of cybercrime”, adds Gabrielli. In an interview with Corriere della Sera, Roberto Baldoni, director of Acn, also confirmed "the criminal matrix". The main working hypothesis is that the Hive ransomware gang is behind the breach, as emerged from the negotiation chats published by the Italian website Redhotcyber and subsequently confirmed to sportsgaming.win by sources involved in the investigation. “In addition to the affected machines, linked only to certain segments, other areas have been segregated as a precaution”, explains the head of the Postal Police. "The other online systems are operational", Ferrovie announced, adding that it plans to restore sales at the stations as soon as possible.

The Hive group

The dynamics of the breach (how the cryptolocker penetrated Ferrovie's systems), its timing and the hand behind it remain to be clarified. At first the finger was pointed at a Russian operation, with an implicit implication: the cyber attack is retaliation for the heavy sanctions against Moscow after the invasion of Ukraine. Behind it, however, is a gang in the ransomware-as-a-service field, Hive, which has to its credit direct attacks against the electronics chain Media Markt (Mediaworld in Italy) and, among the most recent, Rompetrol, the most important Romanian oil refining company. As Arturo Di Corinto writes on Italian Tech, Hive is "bold enough to link Twitter and Facebook on its site on Tor to allow anyone to post the news of the companies they blackmail on the most popular social networks and thus increase the pressure against them".

Hive has affiliates between Russia and Bulgaria, but it is believed to have acted for profit as well. In a fluid sector such as cyber security, attributing this attack to Russian keyboards is premature and, in any case, does not automatically open a new front in the cyber war that the Kremlin has unleashed against Kyiv. First of all, because Russian cybercriminal gangs have long been protagonists of the ransomware scene. In a recent survey, Chainalysis, a cryptocurrency analytics company, estimated that 74% of all money earned through ransomware attacks in 2021, more than $400 million, went to cyber criminals connected in some way to Russia.

We know that some have taken the Kremlin's side in the war in Ukraine. Above all the Conti group, which on February 25, the day after the invasion, put in writing its full support for the conflict unleashed by Russian President Vladimir Putin, only to adjust its position a few hours later due to internal divisions and lower the tone. As the 60 thousand internal Conti chat messages disclosed by a Ukrainian researcher who had infiltrated the gang revealed, the group works like a real company, so it is necessary to weigh how much its alignment with the Russian war is motivated by sincere political adherence or only by the opportunity to make money in a precarious scenario.

Passwords revealed

Corriere della Sera mentions having viewed screenshots with a ransom request for the equivalent in bitcoin of 5 million euros within three days, but the Italian railway network (Rfi) has not provided confirmation. Industry experts, in any case, advise against giving in to extortion requests.

However, as entrepreneur and digital educator Matteo Flora tells us, at a certain point in the negotiation chat between the gang and the victim company, strange messages and trolls appear (Redhotcyber reconstructs them here). These appear to be intruders who entered the chat because the access passwords had been leaked on Telegram, as reported by Redhotcyber, which immediately issued a warning to delete them. It is not yet known who shared this data. The reaction of the extortionists, however, was to immediately raise the ransom to 10 million euros in bitcoin.

Critical infrastructures

Since the outbreak of the war in Ukraine, the alert on cyber risks in Europe and Italy has been at its highest. As the director of the European Cybersecurity Agency, Juhan Lepassaar, explained to sportsgaming.win, the aim is to prevent a spillover of cyber attacks in Ukraine to the rest of Europe, as happened in the case of the Viasat satellite communications network.

In Italy, all companies that fall within the national cyber security perimeter are monitored, such as the operators of critical infrastructure: telecommunications networks, public transport and financial services. In other words, all entities whose "compromise creates a serious problem", as Baldoni summarized last year at Itasec, the most important Italian conference on IT security.

"The attack is worrying in several respects, first of all because it is an attack on systems that oversee the provision of a critical service", Pierluigi Paganini, cybersecurity and intelligence expert and CEO of the company Cybhorus, explains to sportsgaming.win. "Although evidence that emerged about the attack suggests that the company was hit by a financially motivated attacker, the Hive ransomware gang, it must be considered that other actors may have had access to the affected facility and remain silent in order to carry out subsequent attacks."

For Paganini, access "may in turn have been shared within a criminal ecosystem that is difficult to analyze and in which there is a fine line between cybercrime gangs and actors operating on behalf of governments. This scenario is very worrying because it could pave the way for future attacks if adequate remediation measures are not implemented. Another aspect to consider is the nature of the disclosed data, of which little is known yet. The disclosure of information relating to the internal structure of Ferrovie could benefit future attackers by exposing the company to a high risk of attacks." According to a recent report by cybersecurity company Trend Micro, Italy is the fourth country in the world and the first in Europe for the number of cyber attacks suffered.

12:30 update: the article has been updated to reconstruct the attribution to the Hive group.
