StartMag

Leonardo-Finmeccanica, who are the two arrested (and what they did according to the prosecutors)

Arturo D'Elia and Antonio Rossi are the two arrested by the Naples prosecutor on charges of having stolen 10 gigabytes of data and information of significant corporate value from the Leonardo group (formerly Finmeccanica)

All the details of the investigation by the Naples prosecutor's office against two Leonardo employees.

The arrested former Leonardo employee is Arturo D'Elia, who before being dismissed was in charge of IT security management at the former Finmeccanica group, active in defense, security and aerospace. Yesterday he was taken into custody, at the disposal of the Naples investigating judge Roberto D'Auria, accused of having stolen 10 gigabytes of data and information of significant corporate value.

WHO IS ARTURO D'ELIA

The alleged hacker, Arturo D'Elia, 38 years old from Eboli, is a former employee of Leonardo where he was in charge of IT security management.

D'ELIA'S CURRICULUM (SOURCE: LINKEDIN)

Since January 2010, for 11 years, D'Elia has worked on behalf of the public prosecutor of Benevento. He was then IT consultant for Alenia Aermacchi (from September 2014 to December 2015) in Naples. He was also IT security consultant at the NATO Communications and Information Agency (NCI Agency), from February 2010 to November 2015, in Rome. From February 2004 to August 2014 he was IT consultant at Alcatel Lucent in Battipaglia. Before that, from February 2005 to February 2006, he was IT security consultant at the Air Force Office of Special Investigations (AFOSI).

THE ACCUSATIONS OF THE NAPLES PROSECUTOR'S OFFICE

D'Elia is in prison, while a company employee, Antonio Rossi, who at the time of the events worked in the internal body for managing cyber attacks, is under house arrest on suspicion of misdirection, writes Repubblica, which adds: "Over more than two years, the Aerostructures and Aircraft divisions were spied on through a 'trojan' placed via a USB key inside 94 workstations, 33 of which at the Pomigliano d'Arco plant".

LEONARDO'S NOTE

In relation to this aspect, Leonardo specifies in a press release that "classified data, i.e., strategic data, is handled in segregated areas, therefore without connectivity, and in any case is not present on the Pomigliano site".

ACCORDING TO THE PROSECUTORS

For the Neapolitan investigators, the data taken from the user profiles on 33 computers at the company plant in Pomigliano d'Arco (Naples) belong to employees, some with managerial duties, engaged in business activities aimed at the production of goods and services of a strategic nature.

INFORMATION TRANSFERRED

According to what has emerged, the information was "packaged" to hide it from the company's sophisticated security systems, and then transferred, as if it were legitimate data traffic, to a web page called www.fujinama.altervista.org, whose preventive seizure was requested, ordered and carried out today.

THE TROJAN OF D'ELIA

All this thanks to a trojan created ad hoc by the hacker, obtained by modifying the source code of another malware to make it more effective and harder to detect, able to blend in with components of the Windows operating system.

THE ROLE OF D'ELIA

After the transfers, no trace of his presence and activity remained. D'Elia, helped by his position as a security expert, planted his new software through a USB flash drive and transferred the company's confidential information over almost two years, between May 2015 and January 2017.

LEONARDO'S COMPLAINT

Leonardo noticed anomalous data traffic and filed a complaint, which started the investigation. The cyber crime pool of the Naples Public Prosecutor's Office (composed of prosecutors Mariasofia Cozza and Claudio Orazio Onorati, coordinated by deputy prosecutor Vincenzo Piscitelli) charges D'Elia with unauthorized access to a computer system, unlawful interception of electronic communications and unlawful processing of personal data. Initially D'Elia even assisted the investigators of the Police and the Prosecutor's Office. Then, however, the latter became aware of his involvement and had to continue their work while keeping a discreet eye on the suspect, who did not know he was under investigation.

THE WORDS OF THE GIP ON D'ELIA

The investigating judge Roberto D'Auria retraces the steps, described as "completely anomalous and unusual", that led to D'Elia's relationship with Leonardo, writes Repubblica: "In his curriculum he boasted of having 'repaired a flaw' in one of the Pentagon's brains. In the archives, however, there is a first-degree sentence of one year for violating the computer system of an American base in Oklahoma. D'Elia's collaboration with the company was allegedly 'supported' by Andrea Biraghi, a former executive later, writes the investigating judge, 'dismissed by decision of CEO Alessandro Profumo due to alleged irregularities in the management of subcontracts'. D'Elia had been referred to Biraghi by the former carabinieri general Romolo Bernardi, who stated that he had been contacted through another officer of the Arma by Senator Franco Cardiello, D'Elia's lawyer. Biraghi, Bernardi and Cardiello are not involved in the investigation. The company, Leonardo reiterates, 'the injured party in this affair, has provided and will continue to provide the utmost collaboration to clarify the incident and to protect itself'."

THE PARADOX ON D'ELIA IN LEONARDO

The paradox, adds Corriere della Sera, "is that D'Elia, when the Public Prosecutor's investigations had already begun, not only continued to carry out his work as an incident handler collecting evidence of the intrusion, but even assisted the Postal Police in the preliminary checks".

THE ARREST OF ANTONIO ROSSI DI LEONARDO

No less serious is the position of another Leonardo employee, Antonio Rossi, who was on duty at the Cyber Emergency Readiness Team: according to the investigators of the CNAIPIC (directed by Ivano Gabrielli) of the Central Service of the Postal and Communications Police (directed by Nunzia Ciardi) and the Campania Department of the same service, he allegedly misled the investigations.

THE ACCUSATIONS OF THE NAPLES PROSECUTOR'S OFFICE

A precautionary measure of house arrest was issued against him at the request of the investigating office led by prosecutor Giovanni Melillo. Rossi, in fact, had reported the amount of stolen data as far smaller than it actually was. In addition, he allegedly hid, and later made disappear, a computer containing data on the cyber attack.

WHAT THE CORRIERE DELLA SERA WRITES

Corriere della Sera writes: "An entire paragraph of the precautionary order is dedicated to the misdirection carried out by Antonio Rossi, who in 2017 presented the first, incomplete complaint on the theft of data: for the judge 'he affirmed what was false, denied what was true and concealed, in whole or in part, what he knew about the facts on which he was heard'".

+++

THE CURRICULUM OF ARTURO D'ELIA (taken from his LinkedIn profile):

EXPERIENCE

CTO @ Finmeccanica • Employee

May '10 – Present (10 years 7 months)

CTO @ CERT DEFESA • Employee

Feb '10 – Present (10 years 10 months)

Engineer @ AREACOM43 • Employee

Fintech Business and Communication Company

CTO @ Alcatel SPA

February '05 – May '10 (5 years 3 months)

INCREDIBLE THINGS MADE BY ARTURO

I have developed a Linux Live Distribution to perform forensic operations by capturing data from device storage. The project is currently being used by the State Police and military corps and is constantly updated. Project name: FHC (Forensic Hard Copy) www.fhclive.org

I have developed an exploit for the Sun Solaris 5.6, 5.7, 5.8, 5.9, 5.10 vulnerability; I have created multiple scripts for the fix. The vulnerability was present on Pentagon systems (US Air Force, USAF). I solved this problem with US support.

I have developed a custom algorithm to encrypt / decrypt emails, chats and more. It works on Linux and Windows operating systems. I have developed a tool for SQL Injections, MySQL, MSSQL, Oracle and PostgreSQL databases. In the main function there is the possibility to dump the entire database. The software was created for Windows (VB6) and Linux (Gambas). The project started in 2006 but is constantly being updated.

EDUCATION

University of fisciano

IT • September 2002 – December 2006

ITIS computer science

Informatics • September 1997 – July 2002

+++

PRESS RELEASE OF THE POSTAL AND COMMUNICATIONS POLICE (5 DECEMBER 2020)

As a result of complex investigative activities by the Cybercrime Working Group of the Naples Public Prosecutor's Office, aimed at defining the contours of a serious attack on the IT infrastructure of the Aerostructures Division and the Aircraft Division of Leonardo SpA, the CNAIPIC of the Central Service of the Postal and Communications Police and the Campania Department of the same service executed two orders applying precautionary measures against a former employee and a manager of the aforementioned company. The first is seriously suspected of the crimes of unauthorized access to a computer system, unlawful interception of electronic communications and unlawful processing of personal data (provided for, respectively, by Articles 615-ter, paragraphs 1, 2 and 3, and 617-quater, paragraphs 1 and 4, of the Criminal Code, and by Article 167 of Legislative Decree 196/2003, in relation to Article 43 of Legislative Decree 51/2018); the second, of the crime of misdirection (Article 375, paragraph 1, letters a and b, and paragraph 2, of the Criminal Code).

In this regard, the following is announced.

In January 2017 the cyber security structure of Leonardo SpA reported anomalous network traffic, outgoing from some workstations of the Pomigliano d'Arco plant, generated by a software artifact called "cftmon.exe", unknown to the company's antivirus systems.

The anomalous traffic was directed towards a web page called “www.fujinama.altervista.org”, whose preventive seizure was requested and ordered, and today carried out.
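The two signals the press release names, an executable unknown to the antivirus generating outbound traffic, and that traffic converging on a single external site from several workstations, are the kind of thing egress-log triage can surface. The following is an added example written for this page, not tooling from Leonardo or the investigation. It assumes a flat `key=value` proxy log format (the sample lines are constructed) and allowlists that a real deployment would derive from its own baseline; the process name `cftmon.exe` comes from the press release, and the check that it is one character transposition away from the genuine Windows component `ctfmon.exe` is how the example illustrates "blending in with operating system components".

```python
"""
Defender-side triage of egress logs: flag outbound connections from processes
outside an allowlist, note when the process name imitates a genuine Windows
binary, and count how many workstations converge on each flagged destination.

Added example; the log format and the allowlists are assumptions.
"""
from collections import defaultdict

# Constructed sample log lines (not from the investigation).
SAMPLE_LOG = """\
2017-01-10T08:02:11 host=PMG-WS-017 proc=chrome.exe dst=www.example.com bytes=18432
2017-01-10T08:03:40 host=PMG-WS-017 proc=cftmon.exe dst=www.fujinama.altervista.org bytes=2097152
2017-01-10T08:05:02 host=PMG-WS-021 proc=cftmon.exe dst=www.fujinama.altervista.org bytes=1572864
2017-01-10T08:06:13 host=PMG-WS-033 proc=outlook.exe dst=mail.example.com bytes=40960
2017-01-10T08:07:55 host=PMG-WS-033 proc=cftmon.exe dst=www.fujinama.altervista.org bytes=3145728
2017-01-10T08:09:30 host=PMG-WS-040 proc=updater.exe dst=updates.example.com bytes=512
"""

# Genuine Windows component names an implant might imitate (illustrative subset).
KNOWN_WINDOWS_BINARIES = {"ctfmon.exe", "svchost.exe", "explorer.exe",
                          "lsass.exe", "csrss.exe", "winlogon.exe"}
# Processes expected to reach the internet from these workstations (assumed baseline).
ALLOWED_EGRESS_PROCESSES = {"chrome.exe", "firefox.exe", "outlook.exe", "iexplore.exe"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'cftmon.exe' is one step from 'ctfmon.exe'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(proc: str, known=KNOWN_WINDOWS_BINARIES):
    """Return the genuine binary name a process name imitates, or None.
    An exact match is a real component, not a look-alike."""
    proc = proc.lower()
    if proc in known:
        return None
    for name in sorted(known):
        if osa_distance(proc, name) == 1:
            return name
    return None


def parse_line(line: str):
    """Parse one 'timestamp key=value ...' log line; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        k, v = kv.split("=", 1)
        rec[k] = v
    try:
        rec["bytes"] = int(rec["bytes"])
    except (KeyError, ValueError):
        return None
    return rec if all(k in rec for k in ("host", "proc", "dst")) else None


def find_suspicious(log_text: str, allowed=ALLOWED_EGRESS_PROCESSES):
    """Flag egress from processes outside the allowlist, annotating look-alike names."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proc"].lower() in allowed:
            continue
        mimic = lookalike_of(rec["proc"])
        reason = (f"name imitates Windows component {mimic}" if mimic
                  else "process not in egress allowlist")
        findings.append({**rec, "reason": reason})
    return findings


def hosts_per_destination(findings):
    """Distinct workstations behind each flagged destination: many hosts converging
    on one unknown site is the footprint an exfiltration channel leaves."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["dst"]].add(f["host"])
    return {dst: len(h) for dst, h in hosts.items()}


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG)
    for f in flagged:
        print(f"{f['ts']} {f['host']} {f['proc']} -> {f['dst']} ({f['bytes']} bytes): {f['reason']}")
    for dst, n in sorted(hosts_per_destination(flagged).items(), key=lambda x: -x[1]):
        print(f"{dst}: contacted by {n} workstation(s) via non-allowlisted processes")
```

On the constructed sample this flags the three `cftmon.exe` connections as imitating `ctfmon.exe` and shows the same destination contacted from three different workstations, while ordinary browser and mail traffic passes. The allowlist approach is deliberately simple; in practice the baseline of processes allowed to reach the internet is what makes an unknown binary stand out, which is the signal the press release says Leonardo's security structure picked up.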

According to Leonardo SpA's first complaint, the IT anomaly was restricted to a small number of workstations and involved an exfiltration of data deemed not significant.

Subsequent investigations reconstructed a much more extensive and severe scenario. They showed that, for almost two years (between May 2015 and January 2017), the IT infrastructure of Leonardo SpA had been hit by a targeted and persistent cyber attack (known as an Advanced Persistent Threat, or APT), carried out through the installation, on target systems, networks and machines, of malicious code designed to create and maintain active communication channels allowing the silent exfiltration of significant quantities of classified data and information of significant corporate value.

In particular, on the basis of the evidence acquired so far, it appears that this serious cyber attack was carried out by an IT security manager of Leonardo SpA itself, Mr. Arturo D'Elia, against whom the GIP of the Court of Naples ordered pre-trial detention in prison.

It emerged, in fact, that the malicious software, created for illicit purposes whose complete reconstruction is still underway, behaved like a genuine newly engineered Trojan, planted by inserting USB sticks into the spied-on PCs and able to start automatically each time the operating system booted.

It was therefore possible for the hacker to intercept what was typed on the keyboard of the infected stations and capture the frames of what was displayed on the screens (screen capturing).

Confidential company data of Leonardo Spa's Pomigliano D'Arco plant were thus in fact in full control of the attacker, who, thanks to his corporate duties, was over time able to install multiple evolutionary versions of the malware, with capacity and effects always more invasive and penetrating.

Finally, the investigations made it possible to reconstruct the anti-forensic activity of the attacker, who by connecting to the C&C (command and control center) of the "fujinama" website, after downloading the stolen data, remotely deleted all traces on the machines compromised.

According to the reconstruction by the Communications Police, the computer attack is classified as extremely serious, as the attack surface covered 94 workstations, 33 of which were located at the company plant in Pomigliano d'Arco.

On these workstations, multiple user profiles were configured in use by employees, even with managerial duties, engaged in business activities aimed at producing goods and services of a strategic nature for the security and defense of the country.

The severity of the incident also emerges from the type of information stolen: the 33 target machines located in Pomigliano d'Arco have so far been found to have exfiltrated 10 gigabytes of data, equal to about 100,000 files, relating to administrative and accounting management, the use of human resources, the procurement and distribution of capital goods, and the design of components for civil and military aircraft for the domestic and international market.

In addition to company data, the access credentials and other personal information of Leonardo employees were also collected.

In addition to the computer stations of the Pomigliano D'Arco plant, 13 stations of an Alcatel group company were infected, to which another 48 were added, in use by private individuals as well as companies operating in the aerospace production sector.

Alongside the IT investigations, the more traditional investigative activities were fundamental, which also made it possible to reconstruct the "cybercriminal" training path of the suspect identified as the material perpetrator of the attack, currently employed at another company operating in the computer electronics sector.

Further investigations also produced convergent evidence of the crime of misdirection by the manager of the CERT (Cyber Emergency Readiness Team) of Leonardo SpA, the body responsible for managing the IT attacks suffered by the company.

Against the latter, Mr. Antonio Rossi, the precautionary measure of house arrest was applied, there being serious indications of guilt with regard to insidious and repeated tampering with evidence, aimed at giving a false and misleading representation of the nature and effects of the cyber attack and at hindering the investigations.


This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/innovazione/leonardo-finmeccanica-chi-sono-e-cosa-hanno-fatto-secondo-i-pm-i-due-arrestati/ on Sun, 06 Dec 2020 11:03:49 +0000.