IOTW: Hackers Target Italy

Italy has been the victim of two ransomware attacks this month. The first blocked a COVID-19 booking system, which is not only a public health hazard but interferes with Italy's recent healthcare mandate which requires vaccinations. Separately, renewable energy group ERG was also victimized. However, those disruptions were minor. 

The Facts

On August 1, the Lazio region's health manager Alessio D'Amato said in a Facebook post, "A powerful hacker attack on the region's CED is underway. It is a very powerful hacker attack, very serious…everything is out." Hackers disrupted the IT systems used for vaccine bookings. Rome is located in the Lazio region.

Recently, Italy followed France in requiring vaccine passports for certain activities. However, the mandate was followed by public protests across the country. Meanwhile, the malware attack is preventing citizens from getting vaccinated. 

Italy's cybercrime police have not identified the perpetrators yet, but they do know they are from a foreign country. The half million citizens who previously booked COVID-19 appointments through August 13 can still keep them.

Apparently, no data has been stolen but a general ransom demand has been made, the amount of which has not been disclosed yet. Local authorities also know that CryptoLocker malware was installed, which encrypted files and disrupted systems. Though the affected systems have been isolated, the path in has not been identified yet, leaving an open door for more damage to occur.

Emergency services are still functioning, but the concern is that the encrypted files will be corrupted. Hackers are still inside the system.

At present, the U.S. Federal Bureau of Investigation (FBI) and Interpol are assisting Lazio law enforcement. 

On August 4, Italian newspaper La Repubblica reported that ERG had been hit with a ransomware attack by ransomware group LockBit 2.0 on July 30 which impacted the companies information and communications (ICT) network. It also confirmed that all plants were still functioning normally. LockBit reportedly started offering ransomware as a service in June 2021.

ERG is one of the top 10 onshore power operators in Europe.

Lessons Learned

No organization is safe from a cyberattack. While some of the more high-profile cases are associated with infrastructure and supply chain, there are other targets which, if successfully attacked, can fuel social unrest (Lazio is a case in point). CISOs and their staffs need to think like a white hat and a black hat, simultaneously, irrespective of industry.

Quick Tips

• Back up data.

• Pen test systems.

• Scan for vulnerabilities.

• Engage in threat hunting.

• Update antivirus and anti-malware software and scan regularly. 

• Take advantage of red teams and blue teams, or better yet, purple teams.

• Check to ensure that incident response plans cover multiple possible cyberattack scenarios.

• Ensure security policies reflect current threats.

• Patch.

• Use MFA.

• Ensure access permissions are limited to only authorized users.

• Monitor network, application, and user behavior.

• Do not pay a ransom. (Some organizations previously hit with a CryptoLocker ransom paid but were never provided with a decryption key.)

• Beware of renaming files encrypted by hackers because it could result in corrupted data.

• If breached, report the incident to law enforcement even if there's no damage because it may help in the identification, arrest and incarceration of cybercriminals.

• Regularly conduct cyber hygiene refresher courses for all staff on a regular basis. All employees should be required to attend training and pass tests.