Hacker attack, what happened and what we know. Summit in progress at Palazzo Chigi

A summit is underway at Palazzo Chigi with the Undersecretary to the Prime Minister, Alfredo Mantovano, the director of the National Cybersecurity Agency, Roberto Baldoni, and the director of the Information and Security Department, Elisabetta Belloni, on the hacker attack that involved dozens of servers and sites in Italy and thousands around the world, as many as 2,100 (a number that is constantly increasing). The meeting is also convened “to confirm the promotion of an adequate protection strategy, which has already been in place for some time”.

The attackers exploited a flaw in VMware software. The vendor had released a patch two years ago, but many users, perhaps too many, ignored it.

For all the companies attacked, the message that appears is the following: “Red alert!!! We have successfully hacked your company. All files are stolen and encrypted by us. If you want to recover files or avoid file loss, please send 2.0 Bitcoin. Send money within 3 days, otherwise we will disclose some data and increase the price. If you don’t send bitcoins, we will notify your customers of the data breach via email and text messages.” At the current exchange rate between bitcoins and euros, 2 bitcoins are equivalent to 42 thousand euros.

What happened in Italy

The attack came to light on the day the TIM network went down, leaving millions of users without internet and also causing disruptions to ATMs. Both the company and the postal police, however, have ruled out that the outage was due to an attack by hackers. Even so, today’s meeting at Palazzo Chigi demonstrates that the matter is serious, as does the information given by Prime Minister Meloni in the Council of Ministers in recent weeks.

The alarm had come on Sunday afternoon from the National Cybersecurity Agency: the Computer Security Incident Response Team Italy, a body that monitors incidents and intervenes in the event of attacks, had discovered that the hackers had acted through a “ransomware already in circulation”, which had attacked dozens of systems. In a note, the agency specifies that the attack is underway all over the world, in about 120 countries, and concerns “a few thousand compromised servers” “from European countries such as France – the most affected – Finland and Italy, up to North America, Canada and the United States”. The first to notice, they add, were the French, “probably due to the large number of infections recorded on the systems of some providers”. Among the public bodies attacked is the municipality of Biarritz, in the south of the country.

Furthermore, the experts of the Agency led by Roberto Baldoni had alerted various public and private organizations whose systems are exposed and therefore vulnerable to attacks, but were unable to warn “some exposed, non-compromised systems, of which it was not possible to trace the subject owner”. It is therefore possible that other organizations are under attack, probably without their knowledge.

Italian expert plays down the scope

Cybersecurity expert Stefano Zanero spoke in a live stream on social media to clarify what happened: “A few thousand companies are affected worldwide, but nothing new”. The associate professor of computer security at the Milan Polytechnic played down the scope of the attack. “Technically, the aforementioned VMware platform was involved, used by systems engineers, also to manage internet services. The companies involved, a few thousand in the world, used systems that were not updated and exposed, i.e. vulnerable to problems known for a couple of years. This is a recurring scenario. What stands out in the analysis is that, over the weekend, there were at least 2,000 attacks, linked to ransomware launched by a group of cybercriminals who may have devised a new method to evade the defenses of the targeted victims”. According to Zanero, an estimated twenty to thirty companies in Italy are theoretically involved, five of them added in the last few hours. The virus, once established, blocks the systems and asks for a ransom to get them back.

What hackers ask

The hackers request the payment of 42 thousand euros to a different digital wallet each time (sometimes 2.064921 bitcoins are requested, other times 2.01584, but the price remains more or less the same). As highlighted by Luca Bechelli, cyber expert, on Cybersecurity360.it, the attack is serious because “the target is one of the most widely used systems at the basis of the functioning of the infrastructures. In an organization, if you compromise this platform, you compromise most of the server systems.” Furthermore, “it is based on a known vulnerability, and this increases the severity: organizations could have prepared in time. It should be noted that if this happened due to incompatibility of the update with the technologies used: in this case, organizations must choose between the risk of malfunctions (Freestyle of a few days ago) and the risk of attacks”.

What to do with ransomware

The incident makes the reality of ransomware and digital blackmail even more evident: Italy ranks first in Europe and seventh in the world by number of attacks (Trend Micro 2022 data). How can these attacks be prevented? Corrado Giustozzi, popularizer and cyber-security expert, partner of Rexilience, tells the Corriere that “there is no point in preaching nice things: there is still a sensational ignorance in companies and in the Public Administration on cyber security, which is seen by too many not as a strategic component for the very survival of these realities, but as something similar to light bulbs to be replaced or elevators to be fixed”. According to Giustozzi, it is now inevitable to launch “an anti-attack legislation, which also prevents paying to feed a vicious circle, such as the kidnappings in the 70s”.