Italian institutions under cyber attack: published the data of the Municipality of Palermo, the University of Pisa victim of a ransomware
Italian institutions under cyber attack

The cyber attack on several major Italian institutions continues: Vice Society has made public thousands of documents stolen from the Municipality of Palermo, and a second attack is underway at the University of Pisa, which has been hit by ransomware (malware that encrypts the victim's data, and in cases like these also steals it, in order to extort a ransom) from the ALPHV / BlackCat group. The news on this latest attack is still being updated. The group announced that the University of Pisa was among its victims yesterday at around 5.30 pm, posting a notice on its dark web leak site.

The first sample images of stolen data were released this morning at around 8.15 am. They include screenshots of login details, including plaintext passwords, for some University services, and a screenshot of a file list whose names suggest it contains sensitive data on students and researchers.

The file list reported by Black Cat / ALPHV. Source: redhotcyber.com

The BlackCat / ALPHV ransomware group began operations late last year and has been linked only indirectly to the attack on Colonial Pipeline (a fuel pipeline serving the eastern United States) in May 2021: that attack was carried out by DarkSide, and according to analysts BlackCat is very close to DarkSide / BlackMatter. In an interview with The Record, a BlackCat representative admitted that the relationship exists, while denying that the group is a rebranding of the same gang.

In Palermo, meanwhile, where the IT services of the municipal administration had been under attack since 2 June, the data has now been published. The Council's website is back online, but before the countdown expired Vice Society released the stolen information, presumably because no agreement was reached with the municipality on payment of the ransom. The criminals describe this as a "first part of the data": a further batch is due today. The published data includes names, email addresses, municipal employees' job grades, salary histories, medical and health information, telephone numbers, identity cards, passports and budget information. It can be reached by anyone on the dark web through the Tor browser, with no username or password required.

Image from the Vice Society page dated 11 June 2022. The yellow text reads: "The first part of the information kindly shared with you by the representatives of this company has been published. There will be new ones tomorrow." Source: redhotcyber.com

The Palermo prosecutor's office has opened an investigation for unauthorised access to a computer system, aggravated by terrorist purposes. In April the Vice Society group was responsible for an attack on the Italian Banking Association, in which sensitive financial information and credit card numbers were stolen. It is considered one of the most ruthless cybercriminal groups active today.

Palermo ransomware attack: Vice Society claims responsibility as city details recovery strategy

The Italian municipality is attempting to defy attackers by restoring its systems from backups

The cyber attack on the Italian municipality of Palermo has been confirmed as a ransomware incident, with Vice Society claiming responsibility.


The incident appears to be an example of double extortion ransomware, given that Vice Society's victim page indicated that a set of documents belonging to Palermo would be published on Sunday 12 June. According to a report in the Italian newspaper La Stampa, this has now taken place.


The city issued a press release Thursday afternoon, confirming the attack to be ransomware and detailing the processes the municipality has taken to contain the incident.

Digitally translated from Italian to English, the press release confirmed that the attack affected the “entire telematic infrastructure” of Palermo’s data centre, “including all the workstations distributed at the offices of the municipal administration of Palermo connected to it”, leading to a total interruption of services.


Palermo is attempting to restore its systems from backups, the press release indicated, though some of its backups were corrupted in the attack. It said its Veeam server was unavailable, as was its VMware infrastructure. It is now relying on other backups from its Arcserve recovery solution and the remaining accessible data from its Oracle database and NetApp storage.


Palermo’s recovery process will involve building a separate private network, open only to a small number of verified workstations. It will then reinstall the basic infrastructure, restore workstations one at a time, and re-add them to the network only once they have been restored.
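The press release says some of Palermo's backups were corrupted and that recovery is being staged from the copies that survived. The block below is an added example, not code from the article and not a feature of Veeam or Arcserve: it writes a SHA-256 manifest of a backup set when the backup is taken and verifies the set against that manifest before anything is restored into the rebuilt network, so a backup damaged during the intrusion is caught rather than restored. The paths in the usage lines are hypothetical. The one assumption that matters is that the manifest is copied to offline or write-once storage after it is written; a manifest kept beside the backups is rewritten by whoever corrupts them.

```powershell
# Added example (not from the article, not a Veeam/Arcserve feature): hash manifest for a
# backup set, written at backup time and checked before restore.
# Assumption: $ManifestPath is moved to offline / write-once media after New-BackupManifest runs.

function New-BackupManifest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $BackupRoot,    # directory holding the backup files
        [Parameter(Mandatory)] [string] $ManifestPath   # CSV to write; move it off-host afterwards
    )
    $root = (Resolve-Path -LiteralPath $BackupRoot).Path
    Get-ChildItem -LiteralPath $root -File -Recurse |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName.Substring($root.Length).TrimStart('\', '/')
                Length = $_.Length
                Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } |
        Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-BackupManifest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $BackupRoot,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $problems = [System.Collections.Generic.List[object]]::new()
    $expected = Import-Csv -LiteralPath $ManifestPath

    foreach ($entry in $expected) {
        $full = Join-Path -Path $BackupRoot -ChildPath $entry.Path
        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
            $problems.Add([pscustomobject]@{ Path = $entry.Path; Problem = 'missing' })
            continue
        }
        # Length first: a truncated file fails fast without being hashed.
        $item = Get-Item -LiteralPath $full
        if ($item.Length -ne [long]$entry.Length) {
            $problems.Add([pscustomobject]@{ Path = $entry.Path; Problem = "length $($item.Length) != $($entry.Length)" })
            continue
        }
        $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($hash -ne $entry.Sha256) {
            $problems.Add([pscustomobject]@{ Path = $entry.Path; Problem = 'SHA-256 mismatch' })
        }
    }

    # Files on disk that the manifest does not know about are reported as well: a planted or
    # modified backup file is not in a manifest that was taken offline at backup time.
    $root  = (Resolve-Path -LiteralPath $BackupRoot).Path
    $known = @{}
    foreach ($e in $expected) { $known[$e.Path] = $true }
    Get-ChildItem -LiteralPath $root -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length).TrimStart('\', '/')
        if (-not $known.ContainsKey($rel)) {
            $problems.Add([pscustomobject]@{ Path = $rel; Problem = 'not in manifest' })
        }
    }

    [pscustomobject]@{
        Verified = ($problems.Count -eq 0)   # restore only when this is $true
        Problems = $problems
    }
}

# Usage (hypothetical paths): first line at backup time, second line before any restore.
# New-BackupManifest  -BackupRoot 'D:\arcserve\full-2022-06-01' -ManifestPath 'E:\offline\full-2022-06-01.csv'
# Test-BackupManifest -BackupRoot 'D:\arcserve\full-2022-06-01' -ManifestPath 'E:\offline\full-2022-06-01.csv'
```

Run the check from one of the verified workstations inside the isolated network, against the manifest copy that never touched the compromised environment; a backup set that fails it should be treated as untrusted even if the backup software still lists it as healthy.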


The municipality also confirmed that it notified the relevant data protection authority within three days of the attack, in line with the 72-hour deadline set by GDPR.


It made no indication that it was prepared to pay the ransom demands, a currently unknown sum, from Vice Society.


A number of the city’s websites are unreachable, at the time of writing, including the city’s official website and SISPI, the IT service management system of Palermo.


Palermo confirmed the attack hours after the initial breach on 2 June and many of the municipality’s IT systems were shut down and isolated from its network as a result, Paolo Camassa, deputy mayor of Palermo, said via Facebook.


“Activities are underway to evaluate the nature and consequences of the incident. Services are currently unavailable and there may be some inconvenience in the next few days, for which we apologise in advance,” his statement read, translated digitally.


“The SISPI has already set up a technical team to manage the event and the necessary measures have been put in place to remedy possible violations of personal data and communication is being provided to the competent authorities.”

Italy under siege

When the cyber attack was first discovered, the nature of it was unclear. Initial speculation from outsiders was that it was conducted by the pro-Russia Killnet hacking collective which ‘declared war’ on Italy, and nine other countries, mere days before the ransomware attack.


Killnet mounted an offensive against Italy after the country’s Computer Security Incident Response Team (CSIRT) thwarted the hackers’ attempted attack on the Eurovision Song Contest’s voting systems – an unsuccessful bid to stop Ukraine from winning.


The threat of distributed denial of service (DDoS) attacks launched by Killnet on Italian organisations prompted the country’s CSIRT to issue a warning to all public and private sector organisations of impending attacks.


Those thought to be at particular risk were government departments, utility companies, and any business with a brand identity linked to Italy.

A change in tack from ransomware gangs?

Since the infamous ransomware attack on Colonial Pipeline that brought the east coast of the US to its knees last year, ransomware gangs were thought to be adjusting their targeting models to avoid attacking the largest organisations and drawing serious attention from law enforcement.


The thinking was reiterated earlier this year in a joint advisory published by the UK’s National Cyber Security Centre (NCSC) and the US’ Federal Bureau of Investigation (FBI).


The Colonial Pipeline incident prompted the Biden administration to start treating ransomware attacks in much the same way as terrorist attacks.


There have not yet been any ransomware cases that have led to the prosecution of anyone under terrorism laws, but the threat was thought to be enough to stop attacks on targets as significant and large as the likes of Palermo and also recently, Costa Rica.


The attack on Palermo, following the double ransomware attack on Costa Rica, raises questions about the motives of ransomware actors and whether they are once again attempting to target larger organisations, and in recent cases entire countries.


Vice Society’s attack could simply be an extension of its well-documented modus operandi – to hack organisations after exploiting known, unpatched security vulnerabilities.


“While there hasn’t been a lot of information released about the attack to date – only that all key systems have been taken down while the incident response activities are ongoing – the gang are known for exploiting recognised vulnerabilities within systems, but this is quite common among ransomware gangs,” said Cliff Martin, head of cyber incident response at GRC International Group, speaking to IT Pro.


“There are many ransomware gangs around so I wouldn’t suggest that all gangs have the same approach when it comes to who they target and how they achieve their objectives,” he added. “It is likely that the gang came across the vulnerable systems and took advantage of the opportunity. Sites like Shodan index internet-facing systems and provide attackers with information they can use to target certain systems/organisations.”


Cisco Talos security researchers noted last year that Vice Society was exploiting the Windows Print Spooler vulnerabilities known as PrintNightmare in its ransomware operations.
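The Talos observation above is about a vulnerability whose mitigation is as much configuration as patching: a patched host with the Point and Print policy left permissive still lets a standard user install a printer driver, which is the path PrintNightmare abused. The block below is an added example, not code from the article or from Cisco Talos, that audits a Windows host against the Print Spooler hardening Microsoft published for the PrintNightmare CVEs (CVE-2021-34527 and its follow-ups). It assumes one policy: the spooler runs only on hosts that genuinely print, and on those hosts driver installation requires administrator elevation. The function name and the `-HostMustPrint` switch are this example's own. Run it in an elevated session.

```powershell
# Added example (not from the article or Cisco Talos): audit Print Spooler hardening on one host.
# Assumed policy: spooler disabled where printing is not needed; Point and Print restricted elsewhere.

function Test-PrintSpoolerHardening {
    [CmdletBinding()]
    param(
        [switch] $HostMustPrint   # print servers and workstations that genuinely need the spooler
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Service state: the cheapest mitigation on servers, DCs and hypervisor hosts is not running it.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -ne $spooler -and -not $HostMustPrint) {
        if ($spooler.Status -eq 'Running') {
            $findings.Add('Spooler running on a host that does not print: Stop-Service Spooler; Set-Service Spooler -StartupType Disabled')
        }
        elseif ($spooler.StartType -ne 'Disabled') {
            $findings.Add("Spooler stopped but start type is $($spooler.StartType): set it to Disabled")
        }
    }

    # 2. Point and Print values from the KB5005010 guidance. This reads the policy key, so an absent
    #    value means the host relies on the update's defaults rather than an enforced setting;
    #    it is reported so the value gets set explicitly by GPO.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $required = [ordered]@{
        RestrictDriverInstallationToAdministrators = 1   # non-admins may not install drivers
        NoWarningNoElevationOnInstall              = 0   # 1 suppresses the elevation prompt on install
        UpdatePromptSettings                       = 0   # 1 or 2 suppresses the prompt on driver update
    }
    $present = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $required.Keys) {
        $actual = if ($null -ne $present) { $present.$name } else { $null }
        if ($null -eq $actual) {
            $findings.Add("$name is not set under $key; enforce $name=$($required[$name]) by policy")
        }
        elseif ([int]$actual -ne $required[$name]) {
            $findings.Add("$name=$actual (expected $($required[$name]))")
        }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Hardened = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage:
# Test-PrintSpoolerHardening                  # file server, domain controller, hypervisor host
# Test-PrintSpoolerHardening -HostMustPrint   # print server or user workstation
```

The check deliberately does not try to infer patch level from file versions; pair it with the normal update inventory. What it catches is the case the inventory misses: a host that is fully patched but whose Point and Print policy was relaxed to stop driver-install prompts, which reopens exactly the behaviour the gang was exploiting.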


The same researchers also noted that it has a history of targeting public institutions, namely in the education sector.


Vice Society’s blog currently shows the De Montfort School and St Paul’s Catholic College as two of its most recent victims, both in the education sector and based in Worcestershire and Surrey respectively.


© Dennis Publishing
