Italian police arrest suspects in Leonardo military, defense data theft

A former employee and collaborator are accused of siphoning off sensitive information for almost two years.

Hackers are sharing data, but companies should too

Italian police have arrested a former employee of Leonardo SpA and another individual in connection to the theft of sensitive corporate and military information.

SEE: Meet the hackers who earn millions for saving the web, one bug at a time (cover story PDF) (TechRepublic)

The Naples Public Prosecutor's Office said on November 5 that an ongoing cyberattack was maintained against the Aerostructures and Aircraft Division of Leonardo SpA, one of the largest defense contractors worldwide.

Headquartered in Rome, Italy, the company accounts for over 49,000 employees and maintains a presence in its home location, the UK, US, and Poland across the aerospace, military, and security sectors. 

See also: Working from home causes surge in security breaches, staff 'oblivious' to best practices

Last week, Italian law enforcement said the pair -- one of which was an IT manager for Leonardo -- were arrested for allegedly compromising the corporation's network by executing malware able to quietly exfiltrate sensitive data. 

According to the Naples office, the duo deployed malware dubbed cftmon.exe on 94 workstations, of which 33 were located at the company plant in Pomigliano D'Arco. The malware, described as a Trojan variant, was loaded through USB sticks plugged into the workstations and remained undetected from roughly May 2015 to January 2017. 

In 2017, Leonardo's cybersecurity team detected anomalous network traffic originating from these workstations which were directed to a command-and-control (C2) server, fujinama.altervista.org. The web domain has since been seized by Italian police. 

screenshot-2020-12-07-at-10-44-26.png

The malware was able to silently exfiltrate classified and valuable corporate data, including military information, and maintained persistence by automatically executing on each workstation at startup.

CNET: Your Amazon Echo will get Sidewalk soon if it hasn't yet. Here's why it matters

Originally, the defense contractor believed that the data exfiltration was a small and rather insignificant incident, but Italian law enforcement says a subsequent investigation revealed a "much more extensive and severe scenario."

Reconstructions of the incident performed by the police suggest that up to 10GB of data -- or 100,000 files -- was stolen during the campaign relating to security and defense strategy, HR, product distribution, and component design for civil and military aircraft, as well as employee credentials.

Italian prosecutors have accused the pair of "abusive access to computer systems, unlawful interception of electronic communications, and [the] unlawful processing of personal data."

TechRepublic: Most used passwords for 2020: The internet's favorite curse word, name, food, and team

The head of Leonardo's cybersecurity team has also been placed under house arrest for allegedly misleading and hindering investigative efforts concerning the cyberattack. 

In a statement, Leonardo said that the arrests relate to an individual who is not an employee of the company, as well as a "non-executive" former member of staff. 

"The company, which is obviously the injured party in this affair, has provided maximum cooperation since the beginning and will continue to do so to enable the investigators to clarify the incident, and for its own protection," Leonardo added.

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0