Italian police arrested two suspects for allegedly using malware to steal 10 GB of confidential data and military secrets from defense company Leonardo S.p.A.
Italian aerospace and electronics company Leonardo is one of the world’s largest defense contractors, and 30% of it is owned by the Italian Ministry of Economy and Finance. The firm is headquartered in Rome, Italy, and has a large presence in the United Kingdom, the United States and Poland.
The two suspects, one of whom was an IT manager for Leonardo, were arrested for allegedly compromising the corporation’s network by executing malware able to quietly exfiltrate sensitive data.
According to Italian media, the suspects were allegedly using USB keys to infect 94 workstations with a trojan named ‘cftmon.exe.’ The trojan was named to resemble the legitimate Windows file located at C:\Windows\system32\ctfmon.exe (two letters transposed) so that it would blend in and evade detection.
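The naming trick above (a binary called cftmon.exe standing in for the legitimate ctfmon.exe) is cheap to hunt for on an endpoint. The following is an added illustration, not code from the article or from Leonardo: given a snapshot of running processes with their image paths, it flags two things, a known system binary name running from a directory other than where it belongs, and a process name within a small edit distance of a known system binary name. The allowlist of binaries and the process snapshot are constructed samples, and the edit-distance threshold is an assumption to be tuned against real inventory.

```python
"""Flag processes that masquerade as Windows system binaries.

Added example, not from the original article. Two checks are applied to a
process snapshot: (1) a known binary name running from an unexpected directory,
(2) a process name within MAX_EDIT_DISTANCE edits of a known binary name.
"""
import ntpath
from typing import Dict, List, Optional, Tuple

# Legitimate system binaries and the directory each should run from.
# Constructed subset; a real deployment would use a fuller allowlist.
KNOWN_BINARIES: Dict[str, str] = {
    "ctfmon.exe": r"C:\Windows\System32",
    "svchost.exe": r"C:\Windows\System32",
    "lsass.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}

REASON_WRONG_PATH = "known system binary name running from unexpected directory"
REASON_LOOKALIKE = "process name is a near-match of a system binary name"

# Names at most this many single-character edits away from a known binary are
# treated as lookalikes. 2 catches transpositions such as cftmon vs ctfmon.
# (Assumed threshold; short names may need a tighter value.)
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def classify_process(name: str, image_path: str) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious process, or None if it looks normal."""
    lname = name.lower()
    # ntpath handles backslash paths regardless of the host OS.
    directory = ntpath.dirname(image_path).lower()
    if lname in KNOWN_BINARIES:
        expected_dir = KNOWN_BINARIES[lname]
        if directory != expected_dir.lower():
            return {"name": name, "path": image_path,
                    "reason": REASON_WRONG_PATH, "expected": expected_dir}
        return None
    for legit in KNOWN_BINARIES:
        if levenshtein(lname, legit) <= MAX_EDIT_DISTANCE:
            return {"name": name, "path": image_path,
                    "reason": REASON_LOOKALIKE, "expected": legit}
    return None


def scan_processes(processes: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Run classify_process over (name, image_path) pairs; keep the findings."""
    return [f for f in (classify_process(n, p) for n, p in processes) if f]


# Constructed process snapshot, as one might export from tasklist or an EDR.
SAMPLE_PROCESSES: List[Tuple[str, str]] = [
    ("ctfmon.exe", r"C:\Windows\System32\ctfmon.exe"),              # legitimate
    ("cftmon.exe", r"C:\Users\alice\AppData\Roaming\cftmon.exe"),   # lookalike
    ("svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),  # wrong dir
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),            # not in list
]

if __name__ == "__main__":
    for finding in scan_processes(SAMPLE_PROCESSES):
        print(f"{finding['name']:<12} {finding['path']}")
        print(f"    -> {finding['reason']} (expected: {finding['expected']})")
```

On the sample snapshot the script reports cftmon.exe as a lookalike of ctfmon.exe and svchost.exe as running from a temp directory, and stays quiet on the two legitimate entries. The same two checks translate directly into an EDR or SIEM rule over process-creation events.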
The malware is believed to have been used for two years, between 2015 and 2017, to steal data and send it back to a command-and-control server at ‘fujinama.altervista.org.’
This C2 server has since been seized by the Italian police, who have placed a seizure message on the website.
Around 10 gigabytes of data, equivalent to around 100,000 files, were stolen from the computers and the exfiltrated data included confidential accounting information, military secrets, and aircraft designs.
Italian prosecutors have accused the pair of “abusive access to computer systems, unlawful interception of electronic communications, and unlawful processing of personal data.”
The head of Leonardo’s cyber-emergency team was also placed under house arrest for allegedly misrepresenting the scope of the attack and hindering the investigation.
The prosecutors state that Leonardo’s security systems did not detect the malware as it was designed by the employee and not previously seen by antivirus programs.
In response, Leonardo said that the arrests relate to an individual who is not an employee of the company, as well as a “non-executive” former member of staff.
The firm also added that it has provided maximum cooperation since the beginning and will continue to do so, to enable the investigators to clarify the incident and for its own protection as well.