Mirai botnet used for geopolitics

Why is Italy a major target for pro-Russia cybercrime?

Italy is the third most-targeted country in the world. While the country is currently under fire from organized cyber gangs, it is worth asking why it is such a juicy target.

The 11th of May 2022 was a beautiful day for the pro-Russia Killnet and Legion hacker groups. They hit a dozen high-profile public institutions (the Senate, the Ministry of Defense, the Ministry of Homeland Security, the National Institute of Health…) as well as large companies with distributed denial-of-service (DDoS) attacks.

The media quickly linked the synchronized attacks to the Eurovision Song Contest being held in Italy a few days later, where a win by the Ukrainian entry was widely expected.

But this is not new.

At first sight, Italy looks like just another stop on the geopolitical road trip of these hacker groups: before targeting Italy, they had visited and attacked government bodies and private companies in NATO countries (the US, Germany, Romania, Poland, Estonia, Latvia, the Czech Republic, …) and, obviously, Ukraine. According to threat intelligence researchers, when the Russia-Ukraine war started, these Russian tourists decided to redirect their Mirai-based botnet from commercial use (DDoS-for-hire) to political targeting. Since the Mirai source code leaked in 2016, many variants exist; with a large population of compromised IoT devices (routers, IP cameras, DVRs) at its disposal, such a botnet is a weapon capable of mass disruption in the conflict.

Figure: Mirai botnet switching from commercial to political attacks. Source: sysdig.com

Diving deeper, Italy is not just another random target:

In Kaspersky's Q3 2021 spam and phishing statistics, Italy ranked as the third most-attacked country in the world. Several indicators point to structural weaknesses in Italian infrastructure:

On the public side, Italy's National Cybersecurity Agency (ACN) has 100 employees, while its neighbor, the French ANSSI, has close to 600 experts. This week, the Minister for Technological Innovation, Vittorio Colao, publicly made a worrying statement: “95% of the 11,000 servers of the public administration are obsolete”. It is no surprise that, in 2020, cyber attacks targeting Italian administrations rose by 246%.

On the corporate side, Italian security teams need on average 203 days to identify a breach, plus a further 65 days to patch and contain it, while their German counterparts identify breaches in 123 days and contain them in 32.

Beyond a probable lack of automation to identify and fix vulnerabilities, there is also a shortage of talent: officials say Italy is short of 100,000 cybersecurity experts needed to strengthen its security.

To sum up, the attacks on Italy appear to be tied more to the inherent weakness of its infrastructure than to its political posture in the current conflict. It is a complex equation to solve, in which money is only one of many unknowns, alongside government awareness, IT asset obsolescence and education pathways.

As the Roman author Pliny the Elder put it: “The only certainty is that nothing is certain, thus fix that vuln please.” (not sure of the full quote)

Sources:

Killnet cyber attacks against Italy and NATO countries: https://sysdig.com/blog/killnet-italy-and-nato/

Mirai botnet: https://en.wikipedia.org/wiki/Mirai_(malware)

Spam and phishing in Q3 2021: https://securelist.com/spam-and-phishing-in-q3-2021/104741/

2022 Cyberedge Cyberthreat Defense Report: https://cyber-edge.com/2021-cdr-download/

IBM Security X-Force Threat Intelligence Index 2022 Full Report: https://www.ibm.com/downloads/cas/ADLMYLAZ

Hacker attacks, 100,000 cyber security experts are missing in Italy: https://news.italy-24.com/local/470394/Hacker-attacks-100000-cyber-security-experts-are-missing-in-Italy.html