Two infosec team members are accused of attacking Leonardo’s systems to perpetrate IP theft, highlighting the real issue of insider threats
One question often asked in security is whether an event is really a cyberattack when insiders are the ones who perpetrate the crime. Italian defense contractor Leonardo found itself asking that very question, when it discovered that a series of attacks which occurred within the Leonardo ecosystem between 2015 and 2017 had been carried out by two insiders—Antonio Rossi, a member of the company’s Cyber Emergency Readiness Team (CERT) and Arturo D’Elia, who identifies himself on LinkedIn as a member of the national CERT from January 2015 through March 2018.
This was not a case of two individuals injecting malware for the purpose of making themselves look good in responding and deflecting cyberattacks; rather, this was a case of two individuals who purposefully targeted groups within Leonardo (and their ecosystem of partners/consultants) for the purpose of lifting intellectual property. According to the official Italian police statement released Dec. 5, the two targeted the aerostructure and aircraft divisions of Leonardo.
IP Theft From Leonardo and Beyond
Rossi and D’Elia were discovered when anomalous traffic was detected exiting Leonardo to the website Fujinama.Altervista.org from a number of Leonardo workstations. The Italian police have seized and taken down the fujinama website; a snapshot of the site from the Internet Archive for 2017-18 shows the landing page consisted solely of a login form. Subsequent investigation showed that advanced persistent threat (APT) attacks occurring within Leonardo between May 2015 and January 2017 were initiated by the two insiders.
According to the Italian police, the malware, which was placed on workstations via USB, captured both keystrokes and screenshots. The data was sent to the fujinama website, and a command-and-control routine would then remove any traces from the machine showing that it had been compromised. In total, it is believed the duo compromised 94 workstations used by multiple employees, including members of the company management. Of those, 33 workstations were located at the Leonardo Pomigliano d’Arco plant, according to police, and more than 10GB of data was exfiltrated from these machines.
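The detection described above, an unusual volume of egress from many workstations to one rarely used external site, can be surfaced from proxy logs. The following is an added illustration, not code from the article or from Leonardo; the log lines, workstation names, allowlist entries and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not real Leonardo data).
# Fields: timestamp src_host dst_host bytes_out
SAMPLE_LOG = """\
2016-03-01T08:01:12 ws-aero-017 fujinama.altervista.org 58213
2016-03-01T08:03:44 ws-aero-021 fujinama.altervista.org 61004
2016-03-01T08:05:09 ws-hr-004 fujinama.altervista.org 49950
2016-03-01T08:06:30 ws-aero-017 updates.example-vendor.com 912
2016-03-01T08:07:15 ws-mgmt-002 fujinama.altervista.org 77300
2016-03-01T08:09:58 ws-aero-021 intranet.corp.example 1204
2016-03-01T08:10:02 ws-design-011 fujinama.altervista.org 66210
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

# Destinations expected to see traffic from many workstations (constructed).
ALLOWLIST = {"updates.example-vendor.com", "intranet.corp.example"}


def parse_log(text):
    """Yield (src_host, dst_host, bytes_out) from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), int(m.group(4))


def find_suspicious_destinations(text, min_hosts=3, min_bytes=100_000):
    """Flag non-allowlisted destinations contacted by at least min_hosts
    distinct workstations with at least min_bytes of aggregate upload."""
    sources = defaultdict(set)
    bytes_out = defaultdict(int)
    for src, dst, nbytes in parse_log(text):
        if dst in ALLOWLIST:
            continue
        sources[dst].add(src)
        bytes_out[dst] += nbytes
    return {
        dst: {"hosts": sorted(sources[dst]), "bytes_out": bytes_out[dst]}
        for dst in sources
        if len(sources[dst]) >= min_hosts and bytes_out[dst] >= min_bytes
    }


if __name__ == "__main__":
    for dst, info in find_suspicious_destinations(SAMPLE_LOG).items():
        print(f"{dst}: {len(info['hosts'])} workstations, {info['bytes_out']} bytes out")
```

Thresholds must be tuned per environment; the point is to correlate the destination across hosts rather than judge each workstation's traffic in isolation.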
The exfiltrated Leonardo data consisted of administrative, accounting, human resources, procurement, distribution and design material for civil and military aircraft (both domestic and international). In addition, data was taken from 13 Alcatel company workstations, as well as from an additional 48 workstations belonging to individuals within the aerospace/aviation production sector.
The information security teams from within other companies assisted in reconstructing the activities of these malevolent insiders.
Insider Threat Reality
For years, the duo successfully placed malware behind the “perimeter” that they and their teams were responsible for defending, while actively engaged in IP theft from the inside. The fact that they did it via a USB device inserted into the targeted machines demonstrates the targeted nature of their efforts. This close-access methodology and their engagement with industry contractors (Alcatel and others) highlights the threat third parties are able to make a reality based on their access to personnel and infrastructure.
Entities with which this duo were previously associated would be well-served to review their infrastructure and archives for signs of compromise by either or both of these insiders. A quick review of the LinkedIn profiles of the pair highlights the key roles they played in the implementation and development of defensive infosec methodologies and processes within the Italian information technology sector.
While trust within infosec and insider threat teams is paramount, the need to shift to the “trust no one” paradigm is evident. Without such a paradigm, the conundrum faced by every insider threat and infosec team continues: Who watches the watchers?