Curious article on arrests and NATO cyber-hacking in Italian news

Thank you Gary for the translation:

From the image below:

Defense in the Crosshairs

A hacker at Leonardo arrested. Worked for NATO and PM

D’Elia was consultant for the group. Removed 100,000 files. “Sensitive and military data saved.” House arrest also for an employee
-by Claudio Antonelli

An “earthquake” in the world of cybersecurity. A raid by the Prosecutor’s (Office) in Naples has resulted in house arrest for an interim consultant and an employee of Leonardo directly employed at the CERT (Cyber Emergency Readiness Team), the division that is assigned to block hacker intrusions. The accusation by the Public Prosecutor is very serious. It is believed that for two consecutive years, he (penetrated) 33 computers used at the establishment of Pomigliano d’Arco, used by employees of Leonardo, and approximately another 60 used from outside or by other companies like Alcatel.

Inset: According to the prosecutor a trojan was used in the computers of Pomigliano d’Arco

“It has emerged, in fact, …… that the malicious software,” in the statement released by Prosecutor Giovanni Melillo, for a year, the husband of English ambassador Jill Morris, “acted like a true trojan of new engineering, inoculated through the insertion of a small USB key in the personal computers being spied on, in a way as to automatically forward each action of the operating system.”

In practice, it was possible for the hacker to intercept what was typed on the keyboard of the infected (computer) station and capture the frames, making a sort of screenshot.
The investigations finally have allowed the reconstruction of the “anti-forensic” activity of the attacker, who, connecting it to the command and control center of the website “fujinama”, after downloading the stolen data, remotely cancelled each trace on the compromised machines.

“The informatic attack, thus carried out, according to the reconstruction by the communications police, is classified as extremely serious given the persistence and length of time,” the statement continues. According to the charges, over 100,000 files are believed to have been taken from just 33 computers, equal to at least 10 gigabytes of data, chiefly from Leonardo.

The company, for its part, has released a statement pointing out that the activity relative to the site of Pomigliano is not of a military nature and that “classified or strategic data is handled in segregated areas without connectivity, and therefore, not present in the establishment.” According to Verita, in the network of illegal fishing, there is no end of sensitive files for national security, so much that in these months of investigation, the Dis.* (Sistema di Informazione per la Sicurezza della Repubblica) would not have been alerted.

To understand, however, the exact contours of the matter will be difficult. Giving the alert was the same giant (Leonardo) led by Alessandro Profumo, reporting (in January 2017) devious flows coming from computers in use at the establishment where, they insist, Boeing, for over a year, was interested in a partnership with the Chinese of Comac. Verita is able to reveal that the representative of the company to conduct the investigation was reportedly Antonio Rossi, among the responsible persons at the CERT, who, however, has ended up under house arrest charged with corrupting the tests.

Finally, to stir interest from a journalistic point of view, there is the name of another protagonist of the story, as of yesterday under house arrest with the even heavier charge of illegal access, illegal intercepts, and illicit handling of data. This is Arturo D’Elia, certainly not a novice in the field of cybersecurity. Over the years, he is believed to have worked for several Italian prosecutors’ offices and for other sensitive companies, like Alenia Aermacchi and Alcatel, now an injured party of the Naples case. In the curriculum of the expert, there are “spicier” jobs. From 2010-2015, he was a consultant for NCI, the government agency of NATO concerned with cybersecurity, missile defense, and NATO information technology systems spread around the globe. Work that has brought him considerable expertise (or money?) given that he was reportedly tapped in the past with piercing the security of an Alliance site on Italian territory.
If that isn’t enough to comprehend the weight (importance) of D’Elia, it is helpful to take a further step back in his resume to the beginning of his activity.

He himself on LinkedIn states that he has lent his consultant services to Afosi. The acronym will not say much to most (people). This is the Air Force Office of Special Investigation, with its base at Quantico. Translated: the counter espionage of American aviation. We don’t have knowledge if what is stated on LinkedIn is true. For sure, if D’Elia decided to talk to investigators, he could say a lot about his cyber capacity.

It remains to be understood what caused the sudden acceleration of handcuffs (arrests) in a case initiated almost three years ago, and that it happened at a very delicate moment for the world of Defense and geopolitics in general. Change of presidents beyond the Ocean, and Europe confronts a delicate transition destined to modify the (particulars) of numerous bi-lateral relations in the four corners of the Continent.

[Some of this doesn’t make perfect sense. If anyone who speaks Italian wishes to add corrections to this, please post them in the comments. Thank you Gary for the work on this.]

Three authoritative articles on the massive attack on Western systems

1. From an excellent source:

2. The Strategic Implications of SolarWinds

(Article from a left leaning site, but we are told this is a good summation. Apparently, ONLY the Pentagon has not been hit.)

Recent reports of a widespread Russian cyber infiltration across U.S. government networks are a sign of how great power competition will play out in the 21st century. The new great power game is digital, with the shadowy alleys and cafes of Cold War spy games replaced by massive data breaches and compromising corporate security. Some strategies see this world as dominated by offensive operations—but the SolarWinds case suggests the opposite. The U.S. Cyber Solarium Commission, on which we served, found that the future of cybersecurity strategy will come to rely on layered cyber deterrence to enable defensive denial operations, international entanglement and cost imposition when aggressors defy the norms of the international system. The SolarWinds hack emphasizes the importance of implementing this strategy.

It’s simpler to list the agencies that have not been caught up in the SolarWinds infiltration, which was run by Russian hacking group APT29 under the umbrella of the Russian intelligence services, the SVR. So far, only the intelligence community has not been reported to have been breached.

3. Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations

Summary

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 8 framework. See the ATT&CK for Enterprise version 8 for all referenced threat actor tactics and techniques.

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.

One of the initial access vectors for this activity is a supply chain compromise of the following SolarWinds Orion products (see Appendix A).

  • Orion Platform 2019.4 HF5, version 2019.4.5200.9083
  • Orion Platform 2020.2 RC1, version 2020.2.100.12219
  • Orion Platform 2020.2 RC2, version 2020.2.5200.12394
  • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

Note (updated December 19, 2020): CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform. Specifically, we are investigating incidents in which activity indicating abuse of SAML tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified. CISA is working to confirm initial access vectors and identify any changes to the TTPs. CISA will update this Alert as new information becomes available.

Thank you ML for these materials.