PARIS --- Using malware that the company's anti-virus products did not recognise, and that spread via USB drives, a hacker gained access to 94 workstations at facilities of Italian aerospace and defense group Leonardo and stole more than 100 gigabytes of data between May 2015 and January 2017, according to an Italian police statement issued on Saturday.
The intrusion was eventually detected by Leonardo, which then alerted the police; the ensuing investigation led to the arrest last week of two individuals, one a former and one a current Leonardo employee.
It is not clear exactly where the hacking took place. According to Italian media reports, 33 of the 94 infected workstations were located at Leonardo's Pomigliano d'Arco plant, near Naples, which belongs to the company's Aircraft Division. No information has been released on the location of the other 61 workstations.
The arrests “are a blow for Leonardo which, along with its aerospace activities, also has a large cybersecurity division that counts NATO among its customers,” Reuters reported from Rome on Dec. 5. It added that the hack extracted “classified information of significant value to the company.”
The specifics of the attack are likely to prove even more embarrassing, as it took the company almost two years to notice the intrusion, which, according to Leonardo's first complaint, was initially written off as insignificant. However, subsequent investigations reconstructed a "much more extensive and severe scenario," according to the Italian StartMag.it website. Italian police have described the case as "extremely serious," although Leonardo has downplayed its significance.
It now appears that, over nearly two years, the malware silently exfiltrated classified and valuable corporate data, and kept that stolen data current by running automatically each time an infected workstation was started.
StartMag also reported that in January 2017 Leonardo's cyber security team reported anomalous outgoing traffic from some workstations at the Pomigliano d'Arco plant, generated by a program named "cftmon.exe" (a name that differs by a single transposition of two letters from ctfmon.exe, a legitimate Windows component, which is a common way for malware to hide in a process list). The anomalous traffic was directed to a web page at www.fujinama.altervista.org, a domain that was seized on Saturday in parallel with the arrests. (see image at top)
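The two signals described above, a process whose name is a near miss of a legitimate Windows binary and outbound traffic to a known indicator domain, are the kind of thing a SOC can check mechanically. The following is an added illustration, not code from the article or from Leonardo, showing such a check run over a few constructed, Sysmon-style network-connection log lines (the host names and the benign destinations are made up for the example; the only indicator taken from the article is the domain). It flags any process name within a small edit distance of a well-known Windows binary, and any connection to the indicator domain.

```python
"""Added example: spot lookalike process names and IOC-domain connections
in network-connection events. Sample log lines are constructed."""
import re
from dataclasses import dataclass

# Legitimate Windows binaries that malware commonly imitates by name.
# ctfmon.exe is the real Windows text-services loader that "cftmon.exe" mimics.
LEGIT_WINDOWS_BINARIES = {
    "ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "explorer.exe", "rundll32.exe", "winlogon.exe",
}

# Indicator from the police statement reported in the article.
IOC_DOMAINS = {"www.fujinama.altervista.org"}

# Constructed sample events (hypothetical hosts; not real Leonardo logs).
SAMPLE_LOG = r"""
2017-01-12T08:03:11Z host=WS-0331 image=C:\Windows\System32\ctfmon.exe dest=update.microsoft.com:443
2017-01-12T08:03:19Z host=WS-0331 image=C:\Users\user\AppData\Roaming\cftmon.exe dest=www.fujinama.altervista.org:80
2017-01-12T08:04:02Z host=WS-0407 image=C:\Program Files\Browser\browser.exe dest=www.example.com:443
2017-01-12T08:05:45Z host=WS-0112 image=C:\Windows\Temp\svch0st.exe dest=203.0.113.7:8080
"""

# image=... may contain spaces, so match it non-greedily up to " dest=".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+image=(?P<image>.+?)\s+dest=(?P<dest>\S+)$"
)


@dataclass
class Finding:
    host: str
    process: str
    domain: str
    reasons: tuple


def parse_line(line):
    """Return a dict for one event, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # Basename of the image path, normalised for case-insensitive comparison.
    ev["process"] = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    ev["domain"] = ev["dest"].rsplit(":", 1)[0].lower()
    return ev


def levenshtein(a, b):
    """Plain edit distance; a two-letter swap such as cftmon/ctfmon scores 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(process, max_distance=2):
    """Return the legitimate name this process imitates, or None."""
    if process in LEGIT_WINDOWS_BINARIES:
        return None  # exact match is the real thing (at least by name)
    best = min(LEGIT_WINDOWS_BINARIES, key=lambda n: levenshtein(process, n))
    return best if levenshtein(process, best) <= max_distance else None


def analyze(log_text):
    """Run both checks over every parseable event; one Finding per hit."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        reasons = []
        if ev["domain"] in IOC_DOMAINS:
            reasons.append("ioc-domain:" + ev["domain"])
        legit = lookalike_of(ev["process"])
        if legit:
            reasons.append(f"lookalike-process:{ev['process']}~{legit}")
        if reasons:
            findings.append(Finding(ev["host"], ev["process"], ev["domain"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.host}: {f.process} -> {f.domain}  [{', '.join(f.reasons)}]")
```

The edit-distance check is deliberately loose (distance 2 on names this short will occasionally fire on benign binaries), so in practice it belongs in a triage queue rather than a blocking rule; the domain match, by contrast, is a hard indicator once the domain has been confirmed, as it was here by the seizure. A fuller check would also compare the image path against the directory the legitimate binary lives in, since a genuinely named ctfmon.exe under a user's AppData folder is just as suspicious as a misspelt one.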
The hacker, according to the Adn Kronos news agency, was identified not by the company but by the cybercrime working group of the Naples Prosecutor's Office, whose investigations culminated in Friday's arrests.
According to the police, the hacker was a Leonardo employee, although the company said (see item below) he was a "former collaborator, who is not an employee." His alleged accomplice, who was placed under house arrest, is the head of Leonardo's own Cyber Emergency Readiness Team (CERT), which was set up to protect the company from hacking attacks; he is charged with "meddling with evidence to throw the investigations off track," the prosecutors said, according to a Dec. 5 Reuters report.
Both the hacker and his alleged accomplice have been identified and named by Italian media.