News from Italy
State IT Systems Breached: Suspect Arrested
The individual responsible for numerous breaches of the Ministry of Justice’s IT systems has been arrested. Since 2021, the man had been targeting government infrastructures using servers located across Europe. He is accused of repeatedly bypassing cybersecurity defenses of various databases, both institutional and otherwise. Among the targets of his attacks were Tim, Telespazio, and the Guardia di Finanza.
The investigation was led by the Naples Prosecutor’s Office, specializing in cybercrime, with the support of the National Anti-Mafia and Counter-Terrorism Directorate. The charges include aggravated unauthorized access and the dissemination of malware and software, allegedly in collaboration with unidentified accomplices.
Although the exact methods he used remain unknown, it is believed that phishing was his primary attack vector. Leaked information suggests the use of around 4,000 fake identities and accounts, as well as collaborations with internal actors.
Specifically regarding the attack on Tim, the suspect reportedly obtained login credentials illicitly from an employee within the company. It is unclear whether the employee was a victim of phishing or a deliberate accomplice.
Espionage and Unlawful Access to Confidential Information
A Milan-based company specializing in intelligence and cyber-intelligence allegedly made over 800,000 unauthorized accesses to the country’s strategic databases (SDI), according to the Milan Prosecutor’s Office. The operation relied on the expertise of a team of highly skilled hackers. The extracted information was reportedly sold to various entities in the business and political sectors in Italy.
The aim was to gather intelligence on bank accounts, criminal records, tax data, and health information to influence the activities of “rivals.”
International News
AI Model Vulnerabilities: Protect AI Finds Flaws in ChuanhuChatGPT, Lunary, and LocalAI
Huntr’s Protect AI platform has discovered several vulnerabilities in various artificial intelligence models, including ChuanhuChatGPT, Lunary, and LocalAI.
These flaws could allow attackers to gain unauthorized access or manipulate sensitive user data. Reported issues include weaknesses in security controls, potentially exposing personal data or allowing unauthorized content modifications.
In response, the companies responsible for the affected models have initiated actions to fix the vulnerabilities and strengthen data protection. These developments highlight the importance of continuous monitoring to prevent cybersecurity risks in AI systems.
Cyberattack on Free: Millions of Customer Records Stolen
French telecom provider Free, the second-largest in France with over 22.9 million subscribers and part of the Iliad Group, has fallen victim to a cyberattack. During the incident, hackers stole personal data of millions of Free Mobile and Freebox customers, including bank account numbers.
The stolen data is now being sold on the Dark Web. The company has stated it has implemented top-level security measures and has alerted its customers to the potential risks of phishing.
Regulatory Updates / Legal Briefs
NIS2 and Its Implications: New Regulation for a Safer European Cyberspace
With the introduction of the NIS2 Directive, the European Union is significantly strengthening its commitment to robust and coordinated cybersecurity across the continent. It establishes new standards for resilience and control for businesses and institutions.
Replacing the original 2016 NIS Directive, NIS2 aims to make the entire European cyberspace less vulnerable to increasingly sophisticated and frequent cyberattacks, through a preventive approach requiring the implementation of stringent measures.
One of NIS2’s key strengths is the expansion of its scope to cover numerous critical sectors, including not only essential service operators but also digital service providers and social media platforms. Companies will need to implement security measures ranging from risk management to mandatory reporting of cyber incidents within 24 hours.
The implications for businesses are significant: in addition to the introduction of hefty fines for non-compliance, NIS2 promotes greater cooperation among member states and mandates the adoption of flexible security frameworks aligned with European standards, including vulnerability assessments and crisis management. This marks a cultural shift, requiring companies to treat cybersecurity as a core element of their business strategy.
Digital Operational Resilience Act (DORA): A New Cybersecurity Standard for the EU Financial Sector
The Digital Operational Resilience Act (DORA), recently approved by the European Union, represents a crucial step in strengthening the cybersecurity framework for the financial sector. It provides institutions with a unified and clear structure for managing ICT risks.
The regulation applies to banks, insurance companies, investment funds, and many other financial entities. It requires them to develop robust systems to prevent, detect, and respond to cyber threats and disruptions.
DORA mandates that organizations establish detailed ICT risk management plans and adhere to minimum security standards to ensure operational continuity even during cyber incidents. One of its key requirements is the oversight of critical third-party ICT service providers—such as cloud providers—minimizing the risks associated with technological outsourcing. This means financial institutions must not only adopt internal security protocols but also monitor the security practices of their external partners.
Moreover, DORA introduces specific reporting obligations for cyber incidents, thereby enhancing transparency and enabling a rapid, coordinated response across Europe. With significant penalties for non-compliance, DORA is a strategic regulation designed to bolster digital resilience in the financial sector and reduce the risk of systemic disruptions.
Cyberattacks and Vulnerabilities
In October 2024, numerous cyber threats were detected in Italy, primarily targeting strategic sectors such as Public Administration, telecommunications, healthcare, transportation, universities and research, and the tech industry.
The attacks came in various forms, including unauthorized access attempts, ransomware, and theft of sensitive data, compromising the operations and security of several organizations.
Healthcare facilities and public administration systems were particularly exposed, with incidents revealing weaknesses in the protection of citizens’ data and essential services. In the telecom sector, threats aimed to destabilize network infrastructure, potentially impacting service continuity. Universities and research centers were also targeted, putting academic data and innovation projects at risk.
This wave of attacks underscores the need for stronger cybersecurity measures and greater institutional collaboration to prevent and mitigate the impact of digital threats on critical sectors.
Attack Methods
Phishing
Phishing is a cyberattack that aims to steal sensitive data (such as usernames, passwords, credit card numbers, PINs) by sending fraudulent emails to a large number of recipients. These emails are designed to persuade recipients to open an attachment or visit counterfeit websites. The attacker uses the stolen information to make purchases, transfer funds, or as a base for further attacks.
Two notable subtypes include:
- Spear Phishing: a targeted attack on specific individuals, typically involving an email from a sender that appears familiar to the victim, designed to extract sensitive information. Spear phishing is distinguished from general phishing by using social media and behavioral analysis to craft convincing messages.
- Smishing: a newer term, also recognized by the privacy authority. The goals are the same as phishing, but the method involves fraudulent text messages that urge recipients to take action (e.g., click a link) or provide information urgently to avoid consequences like service or account suspension.
Phishing attacks have evolved, leveraging advanced technologies such as AI-generated deepfakes to impersonate trusted executives. This allows attackers easy access to corporate networks and sensitive data. Often, phishing is just the initial phase, paving the way for ransomware infections by spreading malware within compromised systems.
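To make the "familiar sender" and "urgent call to action" cues described above concrete, here is an added example (not from the original bulletin) of a small Python triage rule for spear-phishing emails and smishing texts. The trusted-sender directory, the sample messages and the reserved .test domains are constructed for illustration only.

```python
import re
from email.utils import parseaddr

# Constructed directory of familiar senders: display name -> the domain that person's
# mail should really come from (assumed values for this example).
TRUSTED_SENDERS = {"Maria Rossi": "example-corp.test"}

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|within 24 hours|suspen(d|ded|sion)|"
                     r"blocked|verify now|last warning)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)
DATA_REQUEST = re.compile(r"\b(password|pin|card number|credentials|iban)\b", re.I)


def check_sms(text: str) -> set[str]:
    """Content cues usable for a text message: pressure, a link to follow, a request for secrets."""
    tags = set()
    if URGENCY.search(text):
        tags.add("urgency")
    if LINK.search(text):
        tags.add("link")
    if DATA_REQUEST.search(text):
        tags.add("data_request")
    return tags


def check_email(from_header: str, subject: str, body: str) -> set[str]:
    """Email adds the spear-phishing cue: a familiar display name on a domain we do not expect."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    tags = check_sms(subject + "\n" + body)
    expected = TRUSTED_SENDERS.get(name.strip())
    if expected and domain != expected:
        tags.add("sender_mismatch")  # lookalike or free-mail domain behind a trusted name
    return tags


def is_suspicious(tags: set[str]) -> bool:
    """A spoofed familiar sender is enough on its own; otherwise require urgency plus an
    action (link or data request), so a plain delivery-tracking link is not flagged."""
    return "sender_mismatch" in tags or ("urgency" in tags and bool({"link", "data_request"} & tags))


# Constructed samples: a spear-phishing email, a smishing text, a genuine internal email, a courier notice.
SPEAR = ("Maria Rossi <m.rossi@examp1e-corp.test>", "Urgent: wire transfer today",
         "Please process the attached invoice immediately.")
SMISH = "Your account will be suspended within 24 hours. Verify now: https://example-bank.test/v"
LEGIT = ("Maria Rossi <m.rossi@example-corp.test>", "Lunch?", "See you at 12.")
TRACKING = "Your parcel has shipped. Track it: https://example-courier.test/t/1"

if __name__ == "__main__":
    for label, tags in [("spear", check_email(*SPEAR)), ("smish", check_sms(SMISH)),
                        ("legit", check_email(*LEGIT)), ("tracking", check_sms(TRACKING))]:
        print(f"{label:9} suspicious={is_suspicious(tags)} tags={sorted(tags)}")
```

The rule deliberately treats a display-name/domain mismatch as sufficient on its own, because that is the cue a spear-phishing message relies on the reader overlooking.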
Ransomware
Ransomware is a type of malware that blocks access to files on a victim’s computer, usually by encrypting them, and demands a ransom for decryption. It often spreads via malicious or compromised websites or emails. Such emails typically carry innocuous-looking attachments, such as .pdf files, that appear to come from legitimate sources (public or private institutions) and frequently reference invoices, bills, or payment requests; this perceived legitimacy leads users to open them.
As mentioned earlier, phishing is one of the main techniques used to distribute ransomware. In recent months, several companies—such as Avio, Sforza e Navarra, and Marzano—have been targeted. In Italy, the most active group has been Sarcoma, carrying out three successful attacks, including one against Auxit Srl.
Denial of Service (DoS)
A Denial of Service attack is a cyberattack aimed at making a system unavailable by exhausting its network, processing, or memory resources. When the attack originates from multiple devices simultaneously, all targeting a single system, it is called a Distributed Denial of Service (DDoS) attack.
In such cases, the primary tools used are botnets—networks of infected computers (bots or zombies) controlled remotely by an attacker (botmaster), often without the users’ knowledge.
DDoS attacks have been particularly intense and, in some cases, politically motivated. Groups such as Killnet have attempted to overload networks, causing major service disruptions, with the goal of destabilizing infrastructure. Killnet reportedly collaborated with Anonymous Sudan (individuals identified as Ahmed Salah Yousif Omer and Alaa Salah Yusuuf Omer) in executing severe cyberattacks against Israel during the Hamas terrorist attack on October 7.
Moreover, this month a federal grand jury indictment from the California Court was declassified, revealing that these individuals had repeatedly targeted several U.S. infrastructures.