Serious cyber attack on Leonardo

Following the complex investigation carried out by the Cybercrime Working Group of the Naples Public Prosecutor's Office, aimed at defining the contours of a serious attack on the IT structures of the Aerostructures Division and the Aircraft Division of Leonardo SpA, the CNAIPIC of the Central Service of the Postal and Communications Police and the Campania Compartment of the same service carried out two orders applying precautionary measures against a former employee and a current employee of the company. The first is seriously suspected of unauthorized access to a computer system, unlawful interception of electronic communications and unlawful processing of personal data (respectively provided for by articles 615-ter, paragraphs 1, 2 and 3, and 617c, paragraphs 1 and 4, of the Italian Penal Code, and article 167 of Legislative Decree 196/2003, in relation to art. 43 of Legislative Decree 51/2018); the second of the crime of misdirection (article 375, paragraph 1, letters a and b, and paragraph 2, of the Italian Penal Code).

Leonardo commented on the events in a note: "With regard to the current measures adopted by the Naples judiciary, Leonardo announces that the investigation originated from a complaint presented by the company's own security department, which was then followed by others. The measures concern a former collaborator not employed by Leonardo and a non-executive employee of the company. The Company, obviously the injured party in this affair, has provided from the beginning and will continue to provide the maximum cooperation to investigators to clarify the incident and to protect itself. Finally, it should be noted that classified or strategic data is processed in segregated areas and therefore without connectivity, and in any case not present at the Pomigliano site."

In January 2017 Leonardo SpA's cyber security department had reported anomalous network traffic leaving some workstations at the Pomigliano d'Arco plant, generated by an artifact named "Cftmon.exe" that was unknown to the corporate antivirus systems.

The anomalous traffic was directed to a website called "www.fujinama.altervista.org", the preventive seizure of which was requested, ordered and carried out today.

According to Leonardo SpA's first complaint, the IT anomaly was limited to a small number of workstations and involved the exfiltration of data deemed not significant. Subsequent investigations reconstructed a far more extensive and severe scenario.

The investigations showed that, for almost two years (between May 2015 and January 2017), the IT structures of Leonardo SpA had been hit by a targeted and persistent cyber attack (known as an Advanced Persistent Threat, or APT), so called because it is carried out by installing, on the target systems, networks and machines, malicious code designed to create and maintain active communication channels that allow the silent exfiltration of significant quantities of data.

In particular, on the evidence acquired so far, it appears that this serious cyber attack was carried out by an IT security manager of Leonardo SpA itself, against whom the preliminary investigations judge (GIP) of the Court of Naples ordered pre-trial custody in prison.

In fact, it emerged that the malicious code - created for illicit purposes whose complete reconstruction is still in progress - behaved like a purpose-built trojan, introduced by inserting USB sticks into the targeted PCs and able to start automatically each time the operating system booted. The attacker was thus able to intercept what was typed on the keyboards of the infected workstations and to capture what was displayed on their screens (screen capturing). Company data of the Pomigliano d'Arco plant of Leonardo SpA were therefore effectively under the attacker's full control; thanks to his own company duties, he was able over time to install increasingly evolved versions of the malware, with ever more invasive and penetrating capabilities and effects. Finally, the investigations reconstructed the attacker's anti-forensic activity: by connecting to the C&C (command and control) server of the "fujinama" website and, after downloading the stolen data, he remotely deleted all traces on the compromised machines. According to the reconstruction carried out by the Communications Police, the attack is classified as extremely serious, since its surface covered 94 workstations, 33 of which were located at the Pomigliano d'Arco plant. On these workstations, the press release states, multiple user profiles were configured for employees, including some with managerial duties, engaged in business activities producing goods and services of strategic importance for the security and defense of the country.

The severity of the incident also emerges from the type of information stolen: from the 33 target machines located in Pomigliano d'Arco, 10 gigabytes of data, equal to about 100,000 files, have so far been found to have been exfiltrated, relating to administrative and accounting management, the use of human resources, the procurement and distribution of capital goods, and the design of components for civil and military aircraft for the domestic and international markets. In addition to company data, access credentials and other personal information of Leonardo employees were also collected. Besides the workstations of the Pomigliano d'Arco plant, 13 workstations of Alcatel, a company of the group, were infected, plus 48 others used by private individuals and by companies operating in the aerospace production sector. Alongside the IT investigations, more traditional investigative work was fundamental, also making it possible to reconstruct the "cybercriminal" training path of the suspect identified as the material perpetrator of the attack, currently employed at another company operating in the computer electronics sector.
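The two detection signals the article describes, anomalous outbound traffic to the C&C host and an unfamiliar executable whose name resembles a legitimate Windows binary (the article's "Cftmon.exe" against Windows' real ctfmon.exe), can be expressed as a simple triage over per-process network logs. The script below is an added example written for this page, not code from the investigation or from Leonardo; the log format, host names and byte counts are constructed, only the process name and domain come from the article, and the 1 MB exfiltration threshold and the list of known binaries are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Indicators taken from the article: the artifact's C&C host.
WATCHLIST_DOMAINS = {"www.fujinama.altervista.org", "fujinama.altervista.org"}

# Assumed list of legitimate Windows binary names. A process whose name is a
# near-miss of one of these, but not an exact match, deserves a closer look.
KNOWN_BINARIES = {"ctfmon.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}

# Constructed sample log (not from the article): timestamp, host, process,
# destination, bytes sent. PMG-WS-040 is a clean host used as a control.
SAMPLE_LOG = """\
2017-01-10T08:01:12 PMG-WS-017 ctfmon.exe    update.microsoft.com        1204
2017-01-10T08:02:45 PMG-WS-017 Cftmon.exe    www.fujinama.altervista.org 5242880
2017-01-10T08:03:01 PMG-WS-022 explorer.exe  intranet.example.local      880
2017-01-10T08:04:19 PMG-WS-022 Cftmon.exe    www.fujinama.altervista.org 3145728
2017-01-10T08:05:33 PMG-WS-031 svchost.exe   update.microsoft.com        640
2017-01-10T08:06:02 PMG-WS-031 scvhost.exe   198.51.100.23               2097152
2017-01-10T08:07:10 PMG-WS-040 explorer.exe  intranet.example.local      512
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Parse the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, host, proc, dst, nbytes = m.groups()
        events.append({"ts": ts, "host": host, "proc": proc,
                       "dst": dst.lower(), "bytes": int(nbytes)})
    return events


def lookalike_of(proc):
    """Return the legitimate binary name this process masquerades as, or None.

    Exact matches are legitimate; names within a small edit distance
    (similarity ratio >= 0.85) are flagged as lookalikes.
    """
    name = proc.lower()
    if name in KNOWN_BINARIES:
        return None
    for known in KNOWN_BINARIES:
        if SequenceMatcher(None, name, known).ratio() >= 0.85:
            return known
    return None


def detect(events, exfil_threshold=1_000_000):
    """Return a list of (host, reason) findings.

    Three checks: traffic to a watchlisted C&C host, a lookalike process
    name, and total bytes from one host to one destination above the
    assumed exfiltration threshold.
    """
    findings = []
    out_bytes = defaultdict(int)  # (host, dst) -> total bytes sent
    for e in events:
        if e["dst"] in WATCHLIST_DOMAINS:
            findings.append((e["host"], f"traffic from {e['proc']} to watchlisted C&C host {e['dst']}"))
        twin = lookalike_of(e["proc"])
        if twin:
            findings.append((e["host"], f"process {e['proc']} resembles legitimate {twin}"))
        out_bytes[(e["host"], e["dst"])] += e["bytes"]
    for (host, dst), total in out_bytes.items():
        if total >= exfil_threshold:
            findings.append((host, f"{total} bytes sent to {dst} (threshold {exfil_threshold})"))
    return findings


def flagged_hosts(text):
    """Hosts with at least one finding, sorted, for a quick triage list."""
    return sorted({host for host, _ in detect(parse_log(text))})


if __name__ == "__main__":
    for host, reason in detect(parse_log(SAMPLE_LOG)):
        print(f"{host}: {reason}")
    print("hosts to triage:", flagged_hosts(SAMPLE_LOG))
```

The lookalike check is deliberately fuzzy rather than a fixed blocklist: a transposed-letter name slips past exact-match allowlists, which is presumably why the artifact went unnoticed by the antivirus. In production the volume check should be per destination over a longer window, since the article's attacker spread roughly 10 GB over many months rather than in single bursts.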

Further investigations also made it possible to collect convergent evidence of guilt regarding the crime of misdirection by the manager of Leonardo SpA's CERT (Cyber Emergency Readiness Team), the body responsible for managing the IT attacks suffered by the company.

The latter was placed under house arrest, on the basis of serious indications of guilt regarding insidious and repeated evidence-tampering activities aimed at giving a false and misleading representation of the nature and effects of the cyber attack and at obstructing the investigation.
