Trenitalia attacked by Hive Group hackers: fears for travelers’ personal data

by admin

A cyber attack paralyzes Trenitalia and cries of cyber warfare follow immediately: throughout yesterday morning, a succession of patchy reports attributed the sudden blocking of ticketing in railway stations to a group of Russian hackers.

The technique and modus operandi seem typical of ransomware gangs, which hit servers and computers with software capable of locking them up until a ransom is paid.

The fear is that this is the great attack scheduled for March 6 in a confidential communication from the Cybersecurity Agency later leaked to the press, which perhaps did not occur precisely because of the alarm then published in the newspapers, but which should have had the effect of raising defenses within Trenitalia as well.

The reason for this fear, however, was obvious: just the day before the attack, Ukrainian Prime Minister Zelensky’s speech to Parliament had received a standing ovation and obtained the commitment of Prime Minister Draghi to stand alongside the country invaded by Putin, who we know can also make use of efficient cyber attackers.

News agency reports citing “qualified sources” in the security apparatus had reinforced this fear, together with the delay of the Ferrovie group in clarifying the incident immediately, limiting itself to stating that “elements have been found that could lead to phenomena linked to a cryptolocker infection”.

Who is (really) behind the attack

In reality it is likely that the Railways already knew everything, even the name of the group and its linguistic and geographical origin: from the information collected during the day, analysts gradually ascertained that the attacker was the Russian-speaking Hive group, with both Russian and Bulgarian members and affiliates.

The group is known for attacks on MediaMarkt in Holland and Germany, MediaWorld in Italy, the Indonesian Foreign Ministry, the British Columbia Institute of Technology, the newspaper Metro in the US, other European and international logistics companies, and even a local health authority (ASL) in Veneto. The group is bold enough to place Twitter and Facebook links on its Tor site, allowing anyone to post news of the companies it blackmails on the most popular social networks and thus increase the pressure on them.

The Hive Group, like Conti, LockBit 2.0, RansomEXX and various others, is expert in breaching industrial assets, IT databases and data transport networks, and works as if it were a legitimate company, with IT consultants, customer agents and communicators, recruited according to the logic of Ransomware as a Service, i.e. rented ransomware, whereby a small crew of developers writes and refines the data encryption code and passes it on to less experienced criminals who conduct the actual attack in exchange for a percentage of the profits.

In short, this is a criminal group motivated by money and not ideologically aligned, with no desire to wage cyberwarfare in Italy, carrying out the unfortunately usual digital extortion, colored this time with folklore and improvisation. In fact, it seems that, through someone’s mistake or naivety, the channel for confidential negotiation was leaked on Twitch and then bounced around some Telegram groups, bringing in unauthorized people who mimicked the negotiation, provoking the digital robbers and offering them only one euro as a ransom.

How much money do hackers want

The actual ransom would instead amount to 5 million dollars, to be paid within 3 days, the usual timing for the group, under penalty of doubling the amount, up to 10 million dollars in Bitcoin. This fact was commented on in various groups of ethical hackers and reported by an Italian cyber-news site, Redhotcyber.

The National Police Cybercrime Center is investigating, the National Cybersecurity Agency has intervened to limit the damage, and a case file is already open at the Rome Public Prosecutor’s Office. But since ticketing is involved, it is not unlikely that the criminals have come into possession of the personal data of Trenitalia travelers, in which case the company will have to notify the Italian Privacy Guarantor of the incident, with the risk of a hefty fine, in addition to mockery and journalists’ requests that a crisis of this type be communicated in a more precise, timely and effective way, especially so as not to leave room for dangerous allegations, which are even more serious in times of war.
