Author: Gaetano Pellegrino
TLP: WHITE
On 1 August 2021, the COVID-19 Crisis Unit for the Lazio region of Italy, which includes Rome, announced that a powerful cyber attack was targeting the regional data center, known as Centro di Elaborazione Dati (CED).[1] The attack started after 00:00 CEST and lasted until at least 14:00 CEST. It forced the Italian authorities to shut down the CED, which hosts, among other services, the portal where all Lazio residents register for vaccination. According to Alessio D’Amato, the head of the Regional Health Service of Lazio, the attack has not stopped vaccinations but will probably slow them down because registrations have been suspended. The authorities also shut down the Centro Unico di Prenotazione (CUP), the platform where all Lazio residents book medical examinations.
Very little information has been shared about the attack, which Nicola Zingaretti, the region’s president, has described as probably the most dangerous in the Italian Republic’s history. Polizia Postale, the Italian police unit that specializes in cybercrime, is investigating the attack and will deliver an initial report to the authorities. What is known from public sources is that the attackers encrypted CED files after deploying ransomware. Nunzia Ciardi, the head of the Polizia Postale, stated that at the moment there was no evidence of data exfiltration.[2] Whatever the attackers’ demands might be, Zingaretti declared, the Lazio Region would not negotiate with them.
Initially, because Italy has been experiencing anti-vaccination protests over the last several days, the authorities suspected that anti-vaccination activists were behind the attack.[3] However, the current lack of evidence of social engineering or phishing activity means that the attack could also have come from a state-sponsored actor or an insider threat.[4]
In the last several hours, an unconfirmed report[5] has asserted that the attack on the CED started from a specific computer there that had been compromised during a successful June attack against a large Italian IT provider for the health sector. The attackers reportedly leveraged administrative credentials obtained in that earlier attack to deploy ransomware that the report’s authors currently assess to be LockBit 2.0.
Like other countries, Italy is pushing hard to vaccinate most of its population and thus reach herd immunity against COVID-19. In Italy, the administration of each region is responsible for managing the logistics of vaccinating the region’s population. Because the attack was perpetrated against one of the most densely populated regions, it has already harmed the vaccination process.
This CTA will be updated as further details are released. In addition, we will update our Threat Intelligence Data Exchange (TIDE) with indicators of compromise (IOCs) once they become available and we have confirmed them.
[3] https://tg24.sky.it/roma/2021/08/01/unita-crisi-lazio-attacco-hacker
[4] https://tg24.sky.it/roma/2021/08/02/vaccini-lazio-attacco-hacker