Spies, Criminals And Hacktivists: The Cybernetic Threat In The Annual Report Of Italian Secret Services

In 7 months, the Italian Csirt handled 3,500 serious cyber incidents. The attackers took advantage of the pandemic and the economic juncture to target banks, telecommunications, industries and health centers. But Italy is better prepared than you think

by Arturo Di Corinto

Mar 2
Grande Rosso — Alberto Burri, Città di Castello 1915, Nizza, 1995

Hackers hit hardest during the pandemic. And they did so above all to the detriment of the public administration (PA), banks and telecommunications. This is the first fact that catches the eye when reading the report of our secret services on the cyber threats that loom over Italy.

The report, produced by DIS (Intelligence System for the Security of the Republic), Aise (External Intelligence and Security Agency) and Aisi (Internal Intelligence and Security Agency) for the Italian Parliament, obviously does not speak only of this, but provides a fairly detailed examination of the dangers represented by organized crime, jihadist terrorism, illegal immigration, and subversive extremists of the right and left, together with the whole picture of threats to the national economy, including regional crises.

THE NUMBERS OF THE THREAT
But let’s focus on the cyber threat, to which an entire annex is dedicated: the National Security Document 2020.
Here we read that in 7 months the Italian Csirt (Computer Security Incident Response Team) received 25,845 reports and managed 3,558 computer incidents, 117 of them critical, and 273 serious vulnerabilities. An average of 17 incidents per day. To understand the extent of the problem, we must think that every day seventeen companies, organizations and “relevant” public entities that voluntarily reported an attack were prepared and helped to contain and minimize the incident.

It is not clarified in the report, but from qualified sources we learn that a few dozen of these came to the attention of the Cyber Security Nucleus, going up the hierarchical chain as far as the Prime Minister. These are entities that provide essential and strategic services to the country, which affect a large number of users, and which are the basis of the normal daily activities of many Italians: transport, communication, health, work, business. Numerically they may seem few (when compared to the numbers of the cyber pandemic to which the reports of cybersecurity companies have accustomed us), but they are numbers that no one had officially provided before in a report by the Services. And who knows what will happen when reporting becomes mandatory under the Cyber Security Perimeter law.

SPIES, CRIMINALS AND HACKTIVISTS
The report highlights how a series of actors “exploited, in the pandemic period, the massive use of agile work and the consequent accessibility from the Internet of digital resources of Ministries, companies with strategic roles and critical infrastructures”, making them the target of state-based, criminal or hacktivist campaigns.

Among the privileged targets there were several “Dicasteries and other State Administrations, against which there was an intense campaign for the spread of malware”.

The analysis of these cyber attacks relevant to national security collected by Intelligence revealed a general increase in attacks (+20%), which mostly concerned the IT systems of public entities (83%, an increase of 10 percentage points compared to 2019), in particular the local administrations (48%, a value up by more than 30 percentage points compared to the previous year), together with the Ministries holding critical functions (+2% in the year-on-year comparison).

On the other hand, the hostile digital actions perpetrated against private subjects mainly affected the banking sector (11%, up by 4 percentage points compared to 2019), the pharmaceutical / health sector (7%, more than last year) and IT services (11%, almost stable figure).
Conversely, a reduction (-7%) was recorded in the number of “state-based digital projections”, read “state hackers”, against a similar increase in episodes with an unidentifiable matrix (+6% compared to 2019), which could be the result of a greater commitment by the attackers themselves to cover up these clandestine actions.

The data on the types of attacks detected in 2020 confirmed the predominant use of SQL Injection techniques to violate the IT infrastructures of the victims (60% of the total), following an initial phase of observing the target’s technical vulnerabilities through scanning of networks and systems. Spear-phishing campaigns (0.3%), used to deliver malicious software such as Remote Access Trojans (RATs) that give remote control of compromised resources, are numerically few, but highly effective when they succeed.

Furthermore, ransomware attacks have involved targets of national importance, both in the healthcare sector and the Made in Italy industry, exploiting for infection the new connection methods activated for smart working: a collection of strains and criminal gangs like Agent Tesla, Emotet, Netwalker, Sunburst, which have paralyzed companies such as Geox, Luxottica, Campari Group, Enel and many others.

ESPIONAGE AND APT
The “Sector” (“Il comparto”, in Italian), that is, the whole of our local intelligence, has also detected important campaigns for espionage purposes. Few in number (2.5%) but difficult to identify, they are the most insidious for the country system, in terms of exfiltrated information, loss of operations and competitiveness, as well as expenditure of economic resources for their mitigation. The authors are defined as Advanced Persistent Threats (APT) for their ability to infiltrate the productive and financial systems; after squeezing out the information, they tend to sabotage it, block it or exchange it with other actors financed by rogue governments.

In this context, the report says, “the campaigns aimed at Ministries and primary national providers of electronic communications services, conducted through highly structured digital actions and with the use of sophisticated techniques and tools, seemed to be of absolute importance”. The same goes for campaigns against operators of essential services in the energy sector, for which our cyber-guards have devoted many resources to countering them, as in the case of the digital attack on the supply chain of the Texan company SolarWinds, due to the potential impact on national networks and systems, whose scope is not yet clear to anyone.

FAKE NEWS AND DISINFORMATION
Finally, with regard to the hybrid threat — which affects the diplomatic, military, economic/financial sectors — there has been an attempt to poison the public debate through disinformation and/or influence activities, in the context of broader campaigns: “It is a very high production of fake news and alarmist narratives that was recorded, resulting in an information surplus (so-called infodemic) that is difficult for the community to discern”. There is also something for social networks: “The intrinsic risk factor in the phenomenon of online disinformation has continued to reside in the logic and algorithms underlying the very functioning of social media, tending to create a self-referential and self-feeding environment, based on sharing of the contents and relationships of interest which, by polarizing the available information, thus feeds its partial and biased perception”.

Behind the apparently harmless “hoaxes” therefore, explains the Intelligence, there are state actors who mix disinformation campaigns and cyber attacks, to transform the pandemic into a long-term strategic advantage by influencing public opinion and national decision-making processes, as well as to damage our economic assets.

THE NATIONAL CENTER FOR CYBERNETIC SECURITY
Finally, ample space in the National Security document is given to the whole of the work carried out by the Sector, especially to arrive at the “Cybernetic National Security Perimeter”, which obliges the operators of vital services for the country to comply with stringent security measures, the notification of incidents and the regulated purchase of ICT goods and services, for networks, information systems and IT services used by subjects included in the Perimeter.
But the report talks extensively about the whole process of strengthening the Italian national cyber security architecture adjacent to the “Perimeter”, namely the implementation of the European NIS Directive; the security of 5G networks (with the national regulation on Golden Power and the European guidelines for the procurement of 5G technology from non-European suppliers); the activities of the Cyber Security Nucleus and the CSIRT. To which we can add the awareness, communication and training activities carried out by the sector together with companies, media and universities.
A final item, which will have to be examined by the competent authorities as soon as possible, concerns the creation of the National Center for cyber security. Boycotted by center-leftist parties Italia Viva and the Democratic Party during the previous government, it will have to be ready by the end of the year.

Note: Italy’s Intelligence System for the Security of the Republic is the collective name given to the authorities and organizations responsible for intelligence policies, intelligence coordination and intelligence operations. The Security Intelligence System includes: