Cyber ​​attack Lazio Region: who did it and what are the damages. Comments and analysis

It was defined by the Lazio Region as the "most powerful" cyber attack ever on an Italian infrastructure.

The hacker attack has been in progress for at least 24 hours, which has targeted the Ced of the Lazio Region which has also deactivated those of the Lazio Health portal and the vaccination network. According to the investigations that the postal police are carrying out in coordination with the Rome Public Prosecutor's Office, the attack comes from abroad.

Press sources reported yesterday that it was a ransomware, a virus that blocks computer systems by encrypting them and demanding a ransom in Bitcoin.

Agents are also investigating the request for a large bitcoin ransom.

At the moment, bookings for the vaccine in Lazio are still blocked. The hackers – still inside – would have managed to infiltrate the system by entering the profile of a network administrator and activating the so-called 'cryptolocker', which encrypts the data. Therefore, all the files of the Data Processing Center would be blocked.

According to Ansa , the hackers who attacked the Ced of the Lazio Region would not have had access to the health history of the millions of citizens who are included in the database of the regional health system. It is learned from qualified security sources according to which the attack, as regards the health part, hit the Cup booking system and the vaccination booking system. There would not have been a transfer of health data, even if the pirates would still have come into possession of various personal data. The IT infrastructure concerning the budget and civil protection would not have been touched.

Here is the opinion of the experts on the ongoing hacker attack on the systems of the Lazio Region.

GIUSTOZZI: "RAMSOMWARE ATTACK CONFIRMED"

“I confirm the ransomware and confirm that the attack is purely criminal: nothing ideological, no novax or anonymous as some have written. Pure and simple ransom note. Furthermore, the ransomware was inoculated directly on the systems through a surgical intrusion on a PC from which it was escalated. No phishing or social engineering emails: it was an attack on machines and not on people, done with the help of someone who knows the systems of the Region well ", commented one of the leading cybersecurity experts in Italy, Corrado Giustozzi .

"RANSOMWARE OF THE LOCKBIT 2.0 TYPE"

"Based on the evidence we have collected, circumstantial evidence and to be verified over the minutes, since the investigators do not unbutton themselves, the suspected ransomware would be of the Lockbit 2.0 type" specifies Arturo Di Corinto on Repubblica . In other words, it is "an updated version a few weeks ago of the Lockbit malware, currently the fastest and most dangerous among those that are sold on the Darkweb according to the" as a service "mode, that is, as legitimate software, paid by the module or by consumption, a kind of rent for the criminal instrument ".

AN ITALIAN COMPANY ALSO INVOLVED

"However, the attack would not only concern the Region and the vaccination reservation systems but various Italian companies" adds Di Corinto. “And it would have started from one of these last June. It would be a large Italian IT company that manages many activities related to digital health in full outsourcing, ie an external company whose operators have administration privileges on information systems, such as regional ones. Operators who, according to rumors, are themselves under attack together with their entire company, so much so that they have to reset their email accounts and activate two-factor authentication, the one with two passwords to understand each other. It would not therefore have been a targeted attack on the regional health system ”, points out Repubblica .

“I read more or less delusional comments on the“ powerful cyber attack ”on the systems of the Lazio region. Overlooking the fact that no one competent in the matter would ever say "powerful attack", and that computers do not go "haywire" because they are not pinball machines, some scattered considerations ", wrote on Twitter Stefano Zanero, professor in the Department of Electronics, Information and Bioengineering at the Milan Polytechnic.

3) I also read that "the data was not compromised". Now, I hope that's true, but if the systems have been hacked to the point of encrypting them with ransomware, it takes time and a very thorough investigation to rule out data breaches. I'm surprised that this can be said already now.

– Stefano Zanero (@raistolo) August 2, 2021

THE COMMENT OF INFOSEC

“For those who do not have a short memory, some considerations are spontaneous. The first: we are considering the services of a software system that has remained without CE marking, a defense that could well have protected citizens from this accident. The second: maybe that server falls within the category of that 95% of those declared by the same Minister Colao as "unsafe"? The third: is it possible that every time there is a tilt of the PA's computer systems, the announcement is limited to talking about a – this time powerful – "hacker attack"? " Stefano Gazzella commented on Infosec, the newspaper whose editorial director is Umberto Rapetto.

“And finally: where are the elements necessary to compose a valid communication to the interested parties required by art. 34 GDPR since there is no doubt that there has been a data breach with (at least) a temporary loss of data availability? Of course, hopefully that of the Ministry of Justice relating to the data breach of the bar exam will not be taken as an example ".

NAVACCI: "THERE IS NOTHING EXCEPTIONAL"