On the night between Saturday and Sunday a massive ransomware attack paralysed the Lazio Region’s website and its vaccination booking system. An unknown, transnational syndicate of cybercriminals exploited unwarranted access to infiltrate an IT system containing the sensitive data of 5.8 million Italian citizens.
As Italian.Tech reports, that access belonged to a “major Italian IT organisation,” an external actor used by several health companies to outsource their digital health services. If this proves true, the event would have to be classified as a supply chain attack, hitting several companies through a common IT provider, as it happened in the case of the SolarWinds and Kaseya hacks.
The data was not lost thanks to frequent backing up, but the virus reactivates every time that engineers fire up the infected machines, investigative sources told Decode39. Authorities are still struggling to fully restore the services, and were forced to resort to pen and paper to log vaccinations.
Speaking at a presser on Monday, regional governor Nicola Zingaretti assured that the citizens’ personal health information, along with the health service’s financial data, had not been compromised. He said that the “criminal, terrorist” attack, “probably the most serious to ever happen on our national territory,” impacted the online booking system but did not halt the region’s overall vaccination drive.
Among those whose data was imperilled are the President of the Republic Sergio Mattarella and Prime Minister Mario Draghi, both of whom got jabbed in Rome, as well as senior state officials, MPs, intelligence agencies employees and bankers, just to name a few.
Mr Zingaretti added that no official ransom request was directed at them, but he did specify that infected machines would display a contact link to get in touch with the perpetrators. Officials limited themselves to sending everything to the police cybercrime division, without engaging with said link. Still, the attack appears to be following the “classic” ransomware playbook, as that link most likely redirected to a payment request.
Regional officials also confirmed the attack came from abroad, possibly Germany (although that could well be due to traffic rerouting), and that investigations were ongoing. National health services had already been hacked in other European countries such as Belgium, France and Ireland.
Repubblica reported that the Italian government has asked the United States for help, as Washington has already been grappling with a few similar high-profile attacks at the expense of the Colonial Pipeline oil duct and the American branch of JBS, the world’s largest meat producer, in the past months.
Meanwhile, the Italian Parliament’s intelligence watchdog (COPASIR) summoned Interior Minister Luciana Lamorgese and head the Department of Information for Security (DIS), ambassador Elisabetta Belloni to discuss, among other things, the ongoing attack.
On Sunday the Italian infosphere filled up with speculations regarding the attack, with some believing that it had been masterminded by no-vax hardliners. That theory was dispelled by cybersecurity expert Stefano Mele, a lawyer at Gianni & Origoni. “This was a criminal attack with a purely economic intent,” he told Decode39, adding that such hacks against healthcare sectors have been increasing since last year.
“Today the public and private health sector are a privileged target for criminal organizations,” continued Mr Mele. “If we consider that the vaccination booking system was affected too on this occasion, we must realise […] the importance of securing these systems.” Especially given that 95% of the nation’s public administration servers are not secured, as Vittorio Colao, Minister for Technological Innovation and Digital Transition, often remarked.
Nunzia Ciardi, head of the cybercrime division of Italy’s State Police, recently explained to the Italian Lower Chamber that such ransomware attacks are a “double extortion”; not only do criminals scramble data and blackmail their target into decrypting it, they also threaten to publish it, which allows them to exert even more pressure on their victims.
Ms Ciardi added that the companies that end up denouncing ransomware blackmail are “only a part of the phenomenon” because many “tend to pay in order to avert” that double threat. “My advice is, never pay,” said Mr Mele. “When you agree to pay the ransom, you enter a ‘payer list.’ From that moment on the criminal organizations, or whoever on their behalf, will obviously aim to strike the same IT systems again so as to obtain new ransoms.”
