Italy under cyber attack, "#MattarellaDimettiti": are the Russians of APT28 behind the scenes?

At two o'clock in the morning, thousands of messages appeared on Twitter insulting Sergio Mattarella and calling for his resignation, under the hashtag "#MattarellaDimettiti". Fear of Russian meddling in Italian affairs had already surfaced during the general election, and the evidence of simultaneous, coordinated posting supports the thesis put forward by Italian intelligence. In the Mattarella affair, the postal police specified that behind this massive use of Twitter there may be experienced Russian operators specialised in "trolling". Russian interference in national affairs has already been recorded during the presidential election campaigns in the United States, France and Germany: a very advanced and pervasive capability in cyberspace. In the United States, for example, it was discovered, with the help of the investigation teams at Facebook and Twitter, that some "private" Russian agencies had invested hundreds of thousands of dollars in sponsored campaigns run through tens of thousands of "anomalous", that is fake, accounts. All these fake accounts launched, massively and overnight, tens of thousands of posts with racially charged content that was in any case favourable to the policies put forward by Donald Trump during the election campaign.

What happens next

In Italy, after Copasir (the parliamentary committee that oversees the intelligence services) and the requests for clarification that the various parliamentary groups will put to the government, it will also fall to the Rome prosecutors to shed light on the alleged web attacks by Russian trolls against the President of the Republic, Sergio Mattarella. In the first days of next week an investigation file will be formally opened, coordinated by the pool of prosecutors who deal with counter-terrorism and in particular with crimes against state officials. A first report from the postal police is expected at piazzale Clodio, the Rome courthouse. The magistrates will decide under which criminal offence to register the file once they have analysed that information. In the meantime Copasir will also take up the matter, with a hearing of the director of DIS, Alessandro Pansa. Ernesto Magorno, Democratic Party senator and member of Copasir, said: "It is obviously a very disturbing story which deserves all the necessary investigations. This story makes us even more aware of the fact that cybersecurity is a great issue on which to concentrate efforts and skills."

So is Italy under cyber attack?

According to AGI, reporting on what the researchers of Z-Lab, the anti-malware centre of CSE Cybsec, an Italian cybersecurity company, have discovered, the answer appears to be yes: Italy is the target of an espionage and interference campaign by a Russian group.

CSE's experts have in fact identified on Italian networks a backdoor, malware that bypasses the defences of the systems under attack, which they classify as a new variant of the infamous X-Agent. Built to target Windows systems, the backdoor is part of the arsenal of APT28, a Russian group linked to military intelligence, and allows data to be exfiltrated from compromised computers to a command-and-control server located in Asia.

Several clues point to Russian hackers: the language in which the code carrying the backdoor is written, the destination of the traffic it generates, and the type of threat, X-Agent, which has long been in the hands of APT28, the hacker group linked to Russian military intelligence.

The CSE investigation and the Italian Navy

The CSE investigation began with a routine analysis of a malicious sample uploaded to VirusTotal, an online virus and malware analysis platform. With the help of a researcher known on Twitter as Drunk Binary, the team compared it against a series of other samples and reported them to the authorities for further investigation, in a report accompanied by YARA rules, the pattern-matching signatures used to identify samples of a given malware family on a system. The experts also analysed another piece of malicious code, a DLL (dynamic-link library), a code module that a program loads automatically at run time.

Although apparently unrelated to the previous samples, it bears many similarities to other cyber weapons used by the Russian group. In this case the malware contacts a command-and-control server named "marina-info.net" (marina is Italian for navy) which, says Pierluigi Paganini, chief technology officer of CSE Cybsec, "if we adopt the logic of the attackers, would seem a reference to the Italian Navy and invites us to test the hypothesis that the malicious code was developed as part of a series of targeted attacks against the Navy or other entities associated with it, such as its suppliers."
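A command-and-control domain like the one above is the kind of indicator a defender wants to sweep for immediately. The script below is an added example, not code from the article or from CSE Cybsec's report: it takes the C2 domain named in the text as its only indicator and checks constructed DNS-resolver log lines (the log format and every line are invented for the illustration) for hosts that resolved it. It matches label by label, so it catches the domain and its subdomains while rejecting look-alikes that a naive substring search would flag.

```python
"""Sweep DNS logs for a known command-and-control domain.

Added example; the IOC is the C2 domain named in the article, the log format
and sample lines are constructed for this illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicator from the article. A real sweep would load the full IOC list
# from the vendor report instead of a single hard-coded domain.
C2_DOMAINS = {"marina-info.net"}

# Constructed resolver log: "<timestamp> <client_ip> <query_name> <qtype>".
# Lines 3 and 4 are deliberate look-alikes that must NOT match.
SAMPLE_DNS_LOG = """\
2018-07-02T02:14:31Z 10.20.1.15 marina-info.net A
2018-07-02T02:14:35Z 10.20.1.15 update.marina-info.net A
2018-07-02T02:15:02Z 10.20.1.42 marina-info.net.cdn.example.org A
2018-07-02T02:15:10Z 10.20.1.42 notmarina-info.net A
2018-07-02T02:16:00Z 10.20.1.99 MARINA-INFO.NET. AAAA
2018-07-02T02:16:20Z 10.20.1.99 www.marina.it A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    query: str
    ioc: str


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def matches_ioc(name: str, iocs: set[str]) -> str | None:
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Requiring either equality or a '.' + ioc suffix is what rejects both
    'notmarina-info.net' (shares a suffix but not a label boundary) and
    'marina-info.net.cdn.example.org' (contains the IOC but is a different
    domain entirely).
    """
    n = normalize(name)
    for ioc in iocs:
        i = normalize(ioc)
        if n == i or n.endswith("." + i):
            return i
    return None


def scan_dns_log(text: str, iocs: set[str] = C2_DOMAINS) -> list[Hit]:
    """Parse resolver log lines and return every query that hit an IOC."""
    hits: list[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than crash the sweep
        ts, client, qname, _qtype = m.groups()
        ioc = matches_ioc(qname, iocs)
        if ioc is not None:
            hits.append(Hit(ts, client, normalize(qname), ioc))
    return hits


def hosts_to_triage(hits: list[Hit]) -> list[str]:
    """Distinct internal hosts that contacted an IOC, for incident triage."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client} -> {h.query} (IOC: {h.ioc})")
    print("hosts to triage:", hosts_to_triage(found))
```

On the constructed log this reports three hits from two hosts (10.20.1.15 and 10.20.1.99) and ignores the two look-alikes. The same indicator belongs in a YARA rule as a string match against the binary itself; the network-side sweep above is what tells you which machines actually reached out to it.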

CSE Cybsec researchers have not been able to link the malicious DLL directly to the X-Agent samples, but believe both are parts of one well-coordinated, APT28-backed targeted attack, which Z-Lab has named "Operation Roman Holiday" because it could affect Italian organisations over the summer.

The APT28 group has been active since 2007 and has targeted governments, armed forces and security organisations. Above all, APT28 is one of the most famous hacker groups in the world for its involvement in the theft of Hillary Clinton's emails, which led James Comey's FBI to open an investigation just before the US presidential election, paving the way for candidate Donald Trump.

APT28 stands for Advanced Persistent Threat number 28, a designation assigned by security researchers rather than a name the group chose. An "advanced persistent threat" is a type of intrusion that, once established on servers and systems, remains there to carry out its monitoring and data exfiltration, generally for espionage purposes.

The well-organised and well-funded group, also known as Sofacy, Fancy Bear, Pawn Storm, Sednit and Strontium, had in recent months been reported by Palo Alto Networks and Kaspersky Lab as operating in Asia and the Middle East, suggesting it had moved away from its usual NATO and Ukraine targets. Based on the evidence found by Z-Lab, that may no longer be the case.