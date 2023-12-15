

A hacker attack launched before dawn on December 8th threw the delivery of public administration services into crisis. A very well-organized, but as yet unnamed, group of cybercriminals targeted Westpole, a company that provides certified cloud infrastructure supporting the activities of municipalities and other government bodies. The attack led to the blocking of all the servers in the Milan and Rome offices and the interruption of the services that depend on them.

The servers that manage the digital services of hundreds of public entities were affected

So far it might seem like an attack like many others, but among Westpole’s customers is PA Digitale, the company that produces the URBI software, a platform of management applications for the Public Administration used by hundreds of municipal and provincial bodies, local public companies, utilities, public service operators, public housing authorities, national and regional parks and so on. Urbi handles civil registry services, tax collection and the issuing of certificates: all operations that have become impossible at hundreds of online counters.

Slow and incomplete communication with the public

For four days the Westpole website remained stuck on a page announcing maintenance work, while the telephone switchboards of the Milan and Rome offices were unreachable. We tried to ask for more information via email, but have not yet received a response. At 7.00 pm on December 12th the first public notice appeared, in which the Westpole Italia team reported the interruption of services caused by a security incident, reassuring users that at the moment there were no indications of a possible data theft. The affected company, understandably busy restoring services, has nevertheless communicated more fully with its customers, and from a statement released by PA Digitale to comply with its legal obligations under the GDPR we learn that the attack actually encrypted the files of over 1500 (virtual) machines and that it was carried out by an unidentified hostile operator.

This time the goal wasn’t data

The criminals’ action seems to have been focused on the servers, since Westpole declared that “for all services that involved the use of a NAS-type repository component, the data does not appear to have been compromised, and, at the current state of the analysis, there are no accesses by the compromised user or other suspicious users”. According to what Westpole told PA Digitale, taking its systems offline, adopted as the first containment action, was a precautionary measure, and the necessary additional security measures are being put in place to ensure a reliable resumption of operations, closing any flaws that led to the compromise of the past few days. PA Digitale did not know, at the time the document was released, whether any data may have been lost to the attack and remained irremediably encrypted, and it seems that the breach has in any case remained limited to Westpole’s infrastructure, without affecting that of its customers.

Ultimately: a devastating attack with implications still to be clarified

The attack on Westpole, therefore, appears to be of a DOS type, i.e. aimed at blocking its operations in order to demand a ransom in exchange for the keys needed to decrypt the affected files and allow operations to resume. The scale of this action is undoubtedly significant, and for this reason it is possible that the criminals did not steal the data in Westpole’s possession, or exfiltrated only a very limited amount of it. Since approximately 1,500 machines are involved, stealing the data would have required a very long transfer time, with the risk for the criminals of being discovered during the operation. This is good news, which still needs to be verified, but it does not change the severity of the situation.

One of the essential characteristics required of modern companies is business resilience, i.e. the ability to continue operating (albeit at a reduced pace) even in the presence of catastrophic events such as a cyber attack of this kind. Instead, services to the public administration and to citizens remained blocked for many days. At this point we should be gradually returning to normality, but even though 5 days have now passed, a precise date for full restoration has not yet been communicated. It is not easy to keep up with the most aggressive groups of cyber criminals: they have considerable means, high-level techniques and an organization that makes their attacks very difficult to stop. But even when an attack succeeds, the internal organization of critical companies like Westpole must be able to contain the damage and guarantee a return to full operations within a short and certain time.