Italian police arrest suspects in Leonardo military, defense data theft
Italian police have arrested a former employee of Leonardo SpA and another individual in connection to the theft of sensitive corporate and military information.
The Naples Public Prosecutor’s Office said on November 5 that an ongoing cyberattack was maintained against the Aerostructures and Aircraft Division of Leonardo SpA, one of the largest defense contractors worldwide.
Headquartered in Rome, Italy, the company accounts for over 49,000 employees and maintains a presence in its home location, the UK, US, and Poland across the aerospace, military, and security sectors.
Last week, Italian law enforcement said the pair — one of which was an IT manager for Leonardo — were arrested for allegedly compromising the corporation’s network by executing malware able to quietly exfiltrate sensitive data.
According to the Naples office, the duo deployed malware dubbed cftmon.exe on 94 workstations, of which 33 were located at the company plant in Pomigliano D’Arco. The malware, described as a Trojan variant, was loaded through USB sticks plugged into the workstations and remained undetected from roughly May 2015 to January 2017.
In 2017, Leonardo’s cybersecurity team detected anomalous network traffic originating from these workstations which were directed to a command-and-control (C2) server, fujinama.altervista.org. The web domain has since been seized by Italian police.
The malware was able to silently exfiltrate classified and valuable corporate data, including military information, and maintained persistence by automatically executing on each workstation at startup.
Originally, the defense contractor believed that the data exfiltration was a small and rather insignificant incident, but Italian law enforcement says a subsequent investigation revealed a “much more extensive and severe scenario.”
Reconstructions of the incident performed by the police suggest that up to 10GB of data — or 100,000 files — was stolen during the campaign relating to security and defense strategy, HR, product distribution, and component design for civil and military aircraft, as well as employee credentials.
Italian prosecutors have accused the pair of “abusive access to computer systems, unlawful interception of electronic communications, and [the] unlawful processing of personal data.”
The head of Leonardo’s cybersecurity team has also been placed under house arrest for allegedly misleading and hindering investigative efforts concerning the cyberattack.
In a statement, Leonardo said that the arrests relate to an individual who is not an employee of the company, as well as a “non-executive” former member of staff.
“The company, which is obviously the injured party in this affair, has provided maximum cooperation since the beginning and will continue to do so to enable the investigators to clarify the incident, and for its own protection,” Leonardo added.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0