Author: Gaetano Pellegrino
On 1 August, the regional data center of Lazio, the Italian region that includes Rome, was targeted by a cyber attack. The data center, known as Centro di Elaborazione Dati (CED), hosts several critical services, including the portal where Lazio residents register for vaccination and the portal where Lazio residents book medical examinations. Italian authorities had to shut down CED, which slowed down the vaccination process. We have been monitoring this attack since its first days [1] and are releasing this CTA to address the latest information.
As of 20 August, investigations are still in progress and very little information has been shared about the attack. What is certain is that after deploying ransomware, the attackers encrypted most of the CED files. Knowing the exact ransomware family could help the investigators identify the threat actors responsible for the attack. That is why the FBI and Interpol have joined forces with the Polizia Postale, the Italian police unit that specializes in cybercrime, to look for possible correlations between the ransomware used in the CED attack and the ransomware used in recent similar attacks against industrial targets and institutions around the world. [2]
Several hypotheses are being tested at this time:
- The first hypothesis concerns Lockbit 2.0, which operates as ransomware-as-a-service (RaaS): an arrangement where affiliates pay a fee to use the ransomware and the exfiltration infrastructure that comes with it. This hypothesis is based on an incident that compromised Engineering, an Italian managed services provider (MSP) active in the health sector. [3] After that incident, Lockbit 2.0 targeted at least three clients of the MSP, [4] and the Lazio region was supposed to be the fourth victim.
- The second hypothesis concerns the RansomExx group and was formulated a few days after the CED attack was disclosed. RansomExx is a criminal group known for using ransomware to attack high-profile institutions, such as Brazil’s Superior Court of Justice [5] and the Texas Department of Transportation. [6] This hypothesis originates from claims made by undisclosed sources on a well-known cybersecurity news website. [7]
Several speculations have been made about the attackers’ motives. At the time of the attack, Italy was in the midst of anti-vaccination protests, so anti-vaccination activists were among the first suspects. Today, the investigators believe that the attackers seek financial gain, although this is not well supported by currently available evidence: the attackers made a ransom demand but did not phrase it in explicit terms. Regardless, President Nicola Zingaretti made the region’s position clear immediately, stating that the region would not negotiate with the attackers.
Also of interest is how the attackers gained a foothold in the CED network. The initial lack of evidence of social engineering, together with the widely supported hypothesis of an MSP compromise, led some observers to speculate that the attackers were using the credentials of a consultant working as a network administrator for CED. Later, the investigators discovered that the attack originated from the laptop of a CED employee working remotely due to the pandemic. The attackers obtained the employee’s credentials and controlled his laptop during the initial stages of the attack. They had sufficient time to carry out the attack because the laptop stayed on for the entire night between 31 July and 1 August; the employee’s son reportedly forgot to turn off the laptop after using it. [8]
One other important aspect of this case concerns the backup system in place at CED. A few hours after the authorities informed the public about the attack, Alessio D’Amato, head of the Regional Health Service of Lazio, confirmed that the backup files were among the files subjected to ransomware encryption. [9] However, on 5 August, the incident responders were able to recover the data up to 30 July, because the attackers did not encrypt a backup stored on a virtual tape library. [10]
This CTA will be updated as further details are released. In addition, we will update our Threat Intelligence Data Exchange (TIDE) with indicators of compromise (IOCs) once they become available and we have confirmed them.