Police Arrest Two In Data Theft Cyberattack On Leonardo Defense Corp
Italian police have arrested two people for allegedly using malware to steal 10 GB of confidential data and military secrets from the defense company Leonardo S.p.A.
Leonardo is one of the world's largest defense contractors, with 30% of the company owned by the Italian Ministry of Economy and Finance. As a multinational company, it is headquartered in Italy but has a large presence in the United Kingdom and the United States.
According to Italian media, police arrested one person for allegedly using USB keys to infect 94 workstations with a trojan named 'cftmon.exe'. The trojan was likely named after the legitimate Windows file located at C:\Windows\system32\ctfmon.exe (note the transposed letters) so that it would blend in and evade detection.
The malware is said to have been used for two years, between 2015 and 2017, to steal data and send it back to a command and control server at ‘fujinama.altervista.org.’
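The lookalike filename described above is a classic masquerading trick, and it is cheap to hunt for in process-creation telemetry. The following is an added example, not code from the article or from Leonardo; it flags image names that are one edit (including an adjacent-letter swap such as cftmon/ctfmon) away from a well-known System32 binary, or that carry the genuine name but run from a directory other than System32. The list of legitimate names and the sample events are constructed for the example.

```python
# Legitimate System32 binaries that malware commonly imitates. ctfmon.exe is the one
# named in the article; the others are well-known examples added for breadth.
LEGIT_SYSTEM32 = {"ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
SYSTEM32 = r"c:\windows\system32"


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition (e.g. "cft" vs "ctf") counts as a single edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_image(path):
    """Return a finding for a suspicious process image path, or None if it looks normal."""
    norm = path.replace("/", "\\").lower()
    directory, _, name = norm.rpartition("\\")
    if name in LEGIT_SYSTEM32:
        # Correct name, wrong location: genuine ctfmon.exe only lives in System32.
        return None if directory == SYSTEM32 else f"{name} running from unexpected directory {directory}"
    for legit in LEGIT_SYSTEM32:
        if osa_distance(name, legit) == 1:
            return f"{name} is one edit away from {legit} (lookalike name)"
    return None


# Constructed sample process-creation events (image paths only); not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\ctfmon.exe",
    r"C:\Users\alice\AppData\Roaming\cftmon.exe",
    r"C:\Windows\Temp\ctfmon.exe",
    r"C:\Program Files\Notepad++\notepad++.exe",
]


def scan(events):
    """Return (path, finding) pairs for every event that trips a rule."""
    return [(p, f) for p in events if (f := classify_image(p))]


if __name__ == "__main__":
    for path, finding in scan(SAMPLE_EVENTS):
        print(f"ALERT: {path}: {finding}")
```

Edit distance 1 is deliberately tight; widening it catches more typosquats but will also flag benign names, so tune it against your own process baseline.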
This C2 server has since been seized by the Polizia di Stato, which has placed a seizure message on the website, as shown below.
The exfiltrated data included confidential accounting information, military secrets, and aircraft designs.
"Overall, data for 10 gigabytes, that is about 100,000 files, concerning administrative-accounting management, the use of human resources, the procurement and distribution of capital goods, as well as the design of civil aircraft components and military aircraft for the Italian and international market were exfiltrated. Credentials for accessing personal information of Leonardo spa employees were also captured," Agi.it reports.
The head of Leonardo’s cyber-emergency team was also placed under house arrest for allegedly misrepresenting the scope of the attack and hindering the investigation.
The prosecutors state that Leonardo's security systems did not detect the malware because it was custom-built by the employee and had not previously been seen by antivirus products.
In response to this news, Leonardo issued a statement saying that the investigation began after the company filed an official complaint with the courts.
“With regards to the current measures adopted by the Naples judiciary, Leonardo announces that the investigation comes from a complaint by the Company’s security that has been followed by others. The measures concern a former collaborator who is not an employee of Leonardo, and a non-executive employee of the Company.”
“The Company, which is obviously the injured party in this affair, has provided maximum cooperation since the beginning and will continue to do so to enable the investigators to clarify the incident, and for its own protection. Finally, it should be noted that classified or strategic data is processed in segregated areas, without connectivity, and not within the Pomigliano plant,” Leonardo said in a statement.
Update 12/5/2020: Updated article to contain the correct C2 server. Thanks James for the correction.