Cyber-warfare and cyber-espionage: a new frontier of conflict

(To Nicola Cristadoro)
07/11/24

Contemporary states are now heavily dependent on computer networks. This is true both for the lives of individual citizens and for a country's institutions. Networks have become indispensable to their functioning and, if on the one hand they are an enormous facilitator, allowing almost immediate availability and exchange of information, on the other hand they introduce an intrinsic fragility into the system.

Despite all the precautions taken to protect it, the system can be breached at any time and damaged even at its most vital points, causing damage greater than that of physical-kinetic attacks conducted with conventional weapons and techniques, at significantly lower cost and risk. In fact, all physical systems and so-called critical infrastructures, such as power plants, hospitals, and rail or air traffic control systems, are connected to and controlled through interconnected computer systems.

This method of warfare, termed cyber warfare, has changed the spectrum of conflict, so much so that NATO has elevated cyberspace to the “fifth domain” after land, sea, air and space1; cyberspace, in turn, is defined as:

"Set of interconnected IT infrastructures, including hardware, software, data and users, as well as the logical relationships, however established, between them."2

There are many attack methodologies in cyber warfare, among which the most significant are:

  • attacks on critical infrastructure: attacks aimed at services essential to a country, including energy, water, fuel, communications, trade, transport and military services;

  • website vandalism: attacks aimed at modifying website pages without authorization, called deface in jargon, or at making a server temporarily unusable (denial-of-service attacks);

  • equipment disruption: attacks against military units that rely on computers and satellites for coordination, in order to intercept, modify or replace orders and communications and thus compromise operations;

  • data collection: actions aimed at intercepting or modifying classified information that is not adequately protected. In this context, two rather sophisticated techniques are worth mentioning: sniffing and spoofing.

Sniffing is “… a basically passive surveillance and interception of data in transit on a computer network; in this way it is possible to obtain data, perhaps encrypted, which can be decrypted at a later time in order to obtain the information contained therein. In practice, these interception activities are conducted by means of network analyzers (so-called sniffers), both in physical form and in the form of a software program, which are often equipped with both data filtering capabilities (in order to intercept only the data packets deemed to be of interest) and storage capabilities for the intercepted data.”3

Spoofing is: “…the impersonation by a malicious user of a device or another user, in order to steal data, spread malware or, in any case, bypass system access controls. The multiformity of this technique is inherent in the fact that the falsification can have as its object a large variety of components of a communication. For example, it is possible to falsify the initial part of a train of pulses, so that the network recognizes it as authorized to access (IP spoofing). But it is also possible to divert the communication to an attacker, who pretends to be the real sender or recipient (DNS spoofing). It is also possible to combine this technique with phishing to simulate that the bait email comes from an address that the user can recognize as real.”4

  • propaganda: messages sent or made available online for the purpose of influencing public opinion (psychological warfare and fake news).

Among the weapons used by these cyber warriors the most common is malware, i.e. software that compromises or damages the normal functioning of a system or of the information it manages or processes. Within this family we find computer viruses (malware that exploits vulnerabilities in an operating system, damaging the system itself, slowing it down or making it unusable) and trojans (malware hidden inside other programs which, once activated, often by the same legitimate but deceived operator, allows third parties to control the computer remotely).

Such attacks are usually carried out by so-called IT hackers, but when the threat becomes more complex, both in the methodologies and technologies used and in the targets against which it is directed, we speak of Advanced Persistent Threats (APT),5 a definition coined by the US Air Force in 2006.

Analyzing this acronym, we understand that:

  • Advanced: the adversary has both high technical skills and significant technological and economic resources. This means that, for its attacks, it is able to use not only publicly available software but also custom-built tools that are more versatile and harder to detect. Furthermore, to gather information on its targets the group may use extremely sophisticated tools and, potentially, also rely on the intelligence services of its country of origin;

  • Persistent: the adversary is not driven by a predatory and opportunistic mindset aimed at achieving immediate objectives. The approach is persistent, and maintaining access to systems for as long as possible is a key factor of any APT. The more time spent inside the target infrastructure without being identified, the more information is collected, and the greater the gain for the attacker and the damage for the victim;

  • Threat: it is an organized threat, with goals, a clear will and a strategic vision, which does not carry out "trawl" attacks in the hope of obtaining something.

Such a structure requires a huge investment of technological and financial resources, as well as very long preparation and execution times for the attack; for these reasons the targets of an APT are normally of great relevance.

At present more than 300 APTs operate in cyberspace. We focus our attention on APT 28, a threat that is particularly emblematic of the variety of objectives pursued by this kind of extremely aggressive and pervasive intelligence activity.

Nobody is safe: some examples of APT 28 attacks

Over the past 10 years, experts have attributed numerous attacks to APT 28, which have often resulted in the leakage of sensitive information and its use to discredit or delegitimize state actors or international organizations.

Following the political developments that saw the fall of the Berlin Wall, which contributed significantly to the subsequent disintegration of the Soviet Union, many newly formed former Soviet republics later joined the European Union or NATO, despite the Russian government having repeatedly shown that it still has economic, political and military interests in those areas, which it regards as satellites. These governments are often the target of APT 28 attacks.

One example is the attacks, with at least two specific attempts, against Georgia, a country where many citizens express strong pro-European sentiment. The first attack, in 2013, targeted the Ministry of the Interior: using an e-mail the recipient deemed legitimate, APT 28 induced the victim to open an Excel file containing a list of driving licences, through which a so-called backdoor was installed for data exfiltration and the compromise of local government computer systems. In the same year there was a second attack, with a decoy consisting of a document apparently related to the Microsoft Windows operating system but containing a special malware aimed at undermining the security of the computer network and allowing its penetration. Furthermore, in the same period, attempts to attack the network of the Ministry of Defense were detected, with particular attention to all data concerning training delivered by American contractors to the armed forces of the Caucasian country.

In a similar context, the domains registered by APT 28 must also be considered: websites resembling those of legitimate Eastern European news outlets and governments, such as standartnevvs(.)com, very similar to the Bulgarian online news site whose real address is standartnews.com; qov(.)hu(.)com, similar to the Hungarian government domain extension gov.hu; and again the fake domain mail(.)q0v(.)pl, which deceptively and deliberately evokes the real Polish mail server mail.gov.pl. These and other domain registrations used to carry out attacks not only suggest that APT 28 is interested in the political affairs of Eastern Europe, but also that the group directly targets governments in that part of the continent. Furthermore, APT 28 registered a domain (baltichost[.]org) similar to the one used for the planning and conduct sessions of the joint logistics-planning military exercises, held since 2009, between the Baltic States, on a rotating basis, and NATO partners.

This event suggests that APT 28 attempted to steal sensitive military information from its targets at both tactical and strategic levels. Similar events also occurred against NATO, when additional fake domains, again attributable to APT 28, were created to deceive users: in particular the discovery of the domain nato.nshq(.)in, remarkably similar to the real website of the NATO Special Operations Headquarters, nshq.nato.in, or the deception of users of the Organisation for Economic Co-operation and Development (OECD), to whose detriment the fake domain login-osce(.)org was created, paralleling the real osce.org. Subsequently, starting from 2014, in order to obtain information on new platforms and weapon systems intended for military use being developed by European countries, APT 28 created fake domains aimed at deceiving military personnel who attended various exhibition events, such as the Farnborough Air Show (Great Britain) in 2014 and later. A further example of a refined ability to obtain information was the creation and registration of the fake domain smigroup-online.co(.)uk, evoking SMi Group, a company that organizes events for the defense, security, energy, utilities, finance and pharmaceutical sectors.
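The lookalike registrations described above share a handful of patterns a defender can check for automatically: homoglyph substitutions (vv for w, 0 for o, q for g), a legitimate name reused as the prefix of a different registration, reordered labels, and a legitimate label glued to a hyphenated prefix. The following Python is an added example written for this article, not the author's code or any tool mentioned on the page; it assumes a small watch list built from the legitimate domains the text names, a toy public-suffix table and a short homoglyph table, and it also covers one-character typos, which the text does not discuss.

```python
"""Lookalike-domain triage against a watch list of legitimate domains."""
import re

# Character sequences substituted for look-alikes, applied in this order
# (assumption: a small hand-picked table; production tooling uses far more).
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("q", "g"), ("1", "l"), ("3", "e")]

# Tiny public-suffix table, constructed for this example only.
SUFFIXES = {"co.uk", "com", "org", "hu", "pl", "in", "int", "uk"}

# Legitimate domains named in the text: the watch list a defender would maintain.
WATCH_LIST = ["standartnews.com", "gov.hu", "mail.gov.pl", "nshq.nato.in", "osce.org"]


def refang(domain):
    """Turn defanged forms like 'qov(.)hu(.)com' or 'baltichost [.] org' into a plain domain."""
    return re.sub(r"\s*[(\[]\.[)\]]\s*", ".", domain.strip().lower())


def normalize(label):
    """Collapse homoglyph substitutions so 'standartnevvs' compares as 'standartnews'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def normalize_domain(domain):
    return ".".join(normalize(label) for label in domain.split("."))


def split_domain(domain):
    """Return (subdomain_labels, registered_label, suffix) using the toy suffix table."""
    labels = domain.split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    for n in (2, 1):  # longest suffix first, so 'co.uk' wins over 'uk'
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return labels[:-n - 1], labels[-n - 1], ".".join(labels[-n:])
    return labels[:-2], labels[-2], labels[-1]  # fallback: last label is the suffix


def levenshtein(a, b):
    """Plain edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(candidate, watch_list=WATCH_LIST):
    """Return (legit_domain, reason) pairs explaining why the candidate looks suspicious."""
    cand = refang(candidate)
    cand_subs, cand_reg, cand_suf = split_domain(cand)
    norm_cand = normalize_domain(cand)
    reasons = []
    for legit in watch_list:
        if cand == legit:
            continue  # the real thing is not a lookalike
        legit_subs, legit_reg, legit_suf = split_domain(legit)
        if norm_cand == normalize_domain(legit):
            reasons.append((legit, "homoglyph substitution"))
        elif norm_cand.startswith(legit + "."):
            # qov.hu.com: the legitimate name is only the prefix of another registration
            reasons.append((legit, "legitimate domain used as subdomain prefix"))
        elif cand_suf == legit_suf and set(cand_subs + [cand_reg]) == set(legit_subs + [legit_reg]):
            reasons.append((legit, "labels reordered"))
        elif cand_suf == legit_suf and legit_reg in cand_reg.split("-"):
            reasons.append((legit, "legitimate label embedded with a hyphen"))
        elif cand_suf == legit_suf and 0 < levenshtein(normalize(cand_reg), legit_reg) <= 1:
            reasons.append((legit, "one-character typosquat"))
    return reasons


if __name__ == "__main__":
    # Constructed candidates: the defanged registrations from the text plus two controls.
    for cand in ["standartnevvs(.)com", "qov(.)hu(.)com", "mail(.)q0v(.)pl",
                 "nato.nshq(.)in", "login-osce(.)org", "standartnevs.com", "example.org"]:
        print(cand, "->", lookalike_reasons(cand) or "no match")
```

In practice the candidates come from certificate-transparency logs or newly-registered-domain feeds, and a hit is a trigger for blocking and user awareness, not proof of attribution.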

To date, among the attacks carried out by APT 28, one of those with the greatest media impact is the breach and compromise of the database of WADA (World Anti-Doping Agency), the international anti-doping agency, during the 2016 Rio Olympics. This attack is a paradigmatic example of the effectiveness of the hybrid approach to cyber warfare, if we compare the ease and resources used to carry it out with the effects of moral and professional delegitimization suffered by the athletes, the federations and, consequently, the states affected. These events followed the exclusion of many Russian athletes from the Olympic Games, after the publication of a damning report by a WADA commission and the ensuing doping scandal. In August 2016 APT 28 managed to gain access to the database of WADA's Anti-Doping Administration and Management System (ADAMS) through a spear-phishing action and the theft of the credentials of the Russian athlete Yuliya Stepanova. Using these credentials, APT 28 entered the databases and took possession of the medical data of all the athletes participating in the Olympics, including exemptions for the therapeutic use of some substances considered doping, granted by international sports federations and national anti-doping organizations. APT 28 then released a list of athletes, mostly American, German and British (including tennis players Serena and Venus Williams and gymnast Simone Biles) who, although they had tested positive for doping, were not sanctioned because of the exemptions granted to them. According to the hackers, these documents would prove that some athletes receive preferential treatment because of their nationality, and hence the groundlessness and illegitimacy of the sanctions against Russian athletes.
APT 28 has therefore exploited the combination of the simplicity of modern technological systems, the underestimation of digital security measures and the capabilities of its specialized personnel to carry out a new form of information operations at the strategic level, also using unusual fields such as sports or anti-doping.

Nobody is safe: the "dossiers" of the private security company Equalize

The “cyber” events that shook our country in the fall of 2024 are no less deserving of discussion in an article like this. The reference is to the case of “dossier-making” carried out at the national level by the private intelligence agency Equalize, with all the implications it had at the international level. Certainly the phenomenon of "dossier-making" as a tool for pursuing private goals in an institutional context is not in itself a novelty, nor is it a purely national prerogative: it would be enough to read one of the many novels by James Ellroy, which narrate in great detail the procedures of the FBI and other US government and private agencies during the years of the "witch hunt", officially charged with identifying and repressing communist infiltration on American territory. To give an evocative picture of what happened in Italy in the long autumn of 2024, an extract from the interior monologue of a fictional character seems effective: Maurizio Ferri, an undercover SISDE agent created by the pen of Mauro Marcialis, a local author with a long career as a non-commissioned officer of the Guardia di Finanza:

“Forty-three years, twenty-four years of service. I’ve seen it all! I’ve seen obvious fingerprints become inexplicable burns, I’ve seen inexplicable burns become obvious fingerprints. I’ve seen lists of scoundrels turn into electoral lists, I’ve seen potential MPs turn into cannon fodder. I’ve seen entire filing cabinets crumble to dust, I’ve seen dust recompose to create official archives.”6

The inspiration is clearly the monologue pronounced at the point of death by the replicant Roy Batty in the science fiction film Blade Runner, but the cyber espionage made in Italy by Equalize transposes the dystopian dimension of Ridley Scott's film into a reality with decidedly less epic tones.

Between 2022 and 2024, approximately eight hundred thousand people and companies were subjected to information collection conducted by illegitimate methods, through intrusion into personal computers and cell phones, in order to create dossiers to be used for private purposes at the disposal of the security company Equalize:

“Certainly, the spies were often the maintainers and managers of the IT security of the IT systems of the individuals or companies, often institutional, spied on. Around the security company Equalize moved a world above any suspicion of managers and policemen, people with a relational network and a wealth of contacts that allowed the company and its proxies to move with ease, ease and agility. … Certainly only the sixteen investigated for criminal association aimed at unauthorized access to databases, corruption, extortion and a trail of other crimes are able today to explain why they collected millions of private and confidential data on the highest officials of the State, on companies, politicians and private individuals and what use they wanted to make of it.”7

The investigation has revealed prominent figures who immediately recall a climate like the one described by Marcialis: Enrico Pazzali, president of the Fondazione Fiera Milano and main shareholder of Equalize; the former anti-mafia “super cop” Carmine Gallo, CEO of the company; the engineers Samuele Calamucci and Gabriele Pegoraro, expert hackers; Giuliano Schiano, a sergeant-major of the Guardia di Finanza serving in the Anti-Mafia Investigation Directorate of Lecce. Under the scheme, the company Equalize srl, together with shell companies such as Develope and Go Srls (DAG), owned by Giulio Cornelli and based in Reggio Emilia, and Mercury Advisor, which, together with an investigation company from Reggio Emilia, are the only two companies to which DAG Srls officially offered services,8 made their resources available in terms of men, means, skills and contacts for investigations commissioned by private individuals for commercial, private and political purposes.

The violated databases are the most important and strategic ones of the country system: the Interchange System (SDI) and the Serpico of the Revenue Agency, used respectively for the management of electronic invoices and for the control of tax returns; the currency information system (SIVA), through which all reports of suspicious transactions pass; the databases of INPS and the national registry (ANPR). With these data available, it is possible to carry out social engineering activities with which to reconstruct people's lives, violating their privacy and life paths. The organization under investigation has a “cluster structure”, in which each member and collaborator in turn has contacts in the police forces and in the various branches of the public administration, through which to collect data illegally.

In a wiretap, Calamucci declares:

“We are lucky to have top clients in Italy... our important clients... we have contacts between the deviant services and the serious secret services, you can trust those a little less, however, we hear them, they chat, it's all a series of information but it should become evidence, because when you grow up, you create envy, above all”9.

But that's not all. According to the magistrates in charge of the investigation, CEO Gallo is alleged to have had relations with organized crime and, as evidence of the group's dangerousness, there were reportedly also 128 illegal accesses to the archive of AISI (the domestic intelligence service). The group boasted of "being inside the Viminale" and of having "cloned an e-mail account of the Presidency of the Republic".

As for the activities reported in the news, however, the conduct seems to have been less sophisticated than one might imagine, since in most cases it was simple social engineering with theft of remote-access credentials: in one case through theft of the electronic badge and use of the password written under the keyboard; in a second case the subject was filmed from behind while authenticating, revealing the password; in yet another case they acted through phishing of the victim's staff e-mail and, having gained access, reconstructed the entire log file.

However, the victims of the “dossiers” are not only Italian personalities. Among those under scrutiny there are also two Russian-Kazakh oligarchs very close to Putin and with business interests in Italy: Andrey Toporov, active in the Italian tourism sector and owner of luxury hotels between Cortina d'Ampezzo and the Jesolo coast, and Victor Kharitonin, a pharmaceutical magnate, friend and partner of Roman Abramovich and listed by Forbes magazine among the richest men in the world:

"The Milanese gang of spies is said to have carried out research on foreign investors, especially Russians. And it is said to have attempted to build a network of servers abroad to bypass controls, perhaps even to provide information to "foreign agencies". This is also part of the investigation by the Milan DDA, coordinated by prosecutor Francesco De Tommasi, which also led to the seizure of servers in Lithuania used to penetrate the databases of the Viminale. It was Nunzio Samuele Calamucci, the group's hacker, who revealed that the "Beyond platform", the information aggregator software created by the gang, "is connected to two central servers, one located in London and one located in Lithuania". A mirror company of the Milanese one, Equalize Ltd, was apparently set up in London, where a group of "young men" who were responsible for "direct access" to the SDI archive of the police force operated. For this reason, investigators are also evaluating the possibility of a rogatory letter to the English authorities. In this context, contacts with "secret services, even foreign ones", and reports on some Russian entrepreneurs emerged."10

And it is precisely this last part of the "dossier" affair that opens up complex and very interesting perspectives on scenarios worthy of the best intrigues of John le Carré's novels, with dark plots that would involve the Mossad and the Vatican. Whether true or not, one cannot deny a certain fascination in the entire story:

"The meeting with the Israeli 007s takes place on February 8, 2023. The contact is a former Carabiniere of the ROS with duties in the SISMI called Vincenzo De Marzio. He is accompanied by two unidentified men "who would represent an articulation of the intelligence of the State of Israel". They want monitoring of the attacks of Russian hackers and the interception of the bank movements of the Wagner Group. Because they want to stop the financing of the oligarchs to the Prigozhin gang. In exchange they promise information on the illicit trafficking of Iranian gas in Italy. And a million euros in compensation.

Then there is the report requested by the Vatican. "I need the data to go against the oligarch, Putin's right-hand man. Do we help the Church against Russia or not?" says Calamucci. "If they pay us...", Gallo replies. "Pro bono for the Pope?", they joke."11

It must be said that the Equalize case, although the most sensational, was only the latest in a series of similar events:

"The investigation into the dossier that broke out in Milan and which involves names from the financial world and beyond is not an isolated case but only the latest in a series of similar episodes that have occurred since the beginning of the year. …

It begins with what has been called the "Striano Case", from the name of the Lieutenant of the Guardia di Finanza who ended up in the maxi investigation of the Perugia Public Prosecutor's Office capable of bringing to light a real illegal activity linked to thousands and thousands of illicit accesses to various databases to create real "dossiers" on celebrities and politicians. The investigation was triggered by the complaint of the Minister of Defense, Guido Crosetto, one of the main targets of Pasquale Striano's activity, but not only. …

The second is much more recent. A few weeks ago, the Roman judiciary arrested a young man, Carmelo Miano, who was above suspicion and had no criminal record. Environmental wiretaps and extensive investigative and technical activity brought to light the irruption of the twenty-four-year-old into the databases of the Ministry of Justice and several courts in the country. It was discovered that Miano had access to the emails of hundreds of judges and magistrates spread throughout Italy, as well as the passwords for the computers of almost 50 investigating magistrates. …

A few days later in Bari the illicit activity of an employee of a branch of Intesa Sanpaolo, Vincenzo Coviello, was discovered. The banker checked, for what he himself defined to the magistrates as "simple personal curiosity", the movements of the current accounts of several politicians, first of all those of the President of the Republic, Mattarella, and the Prime Minister, Giorgia Meloni. But there was no shortage of athletes, VIPs from the world of television and entertainment. 3500 accounts checked in total."12

At this point, let us see what kind of national security organization has been created to counter this type of insidious and ramified threat.

The Evolution of the National Cyber Security System

Before continuing, it is appropriate to define what is called a “national cyber crisis”, according to the dictates of the national security organization:

"Situation in which a cyber incident takes on such dimensions, intensity or nature as to affect national security or to be unable to be addressed by the individual competent Administrations in the ordinary way, but through the adoption of coordinated decisions at an inter-ministerial level. In the event of a national cyber crisis, the Cyber Security Unit (NSC)."13

The Italian State, in order to deal effectively with cyber threats, has long since initiated a reform of its cyber defence system, within the framework of an integrated European system.

To this end, in May 2018 Parliament transposed the European NIS Directive (Network and Information Security)14 into the Italian legal system. This directive addresses for the first time at European level, in an organic and cross-cutting way, the issue of cyber security, helping to raise the common level of security in the member countries.

As required by this provision, the competent Italian authorities have identified the Essential Service Operators (OSE) and the Digital Service Providers (DSD) for each of the sectors covered by the directive: energy, transport, banking, financial market infrastructures, healthcare, supply and distribution of drinking water, and digital infrastructures, for a total of 465 entities, both public and private. The law obliges these operators to adopt best practices for risk management and also identifies the methods for evaluating actual compliance with them: it is this aspect, compliance with standards, that truly makes the culture of cyber security take a leap in quality.

Following publication in the Official Journal in November 2019, a Prime Ministerial Decree established the Italian Computer Security Incident Response Team (CSIRT),15 that is, a team prepared to intervene in the event of a cyber attack. This team is placed under the direct control of the Department of Information Security (DIS), with the task of preventing and managing cyber incidents or attacks by communicating in real time with the European Union member states that may be involved in the critical situation, thus achieving greater effectiveness in defensive action.

The CSIRT will carry forward the work done so far by the Cyber Security Unit (NSC) and the activation of the national cyber security perimeter approved by the Government in September 2019. Subsequently, the DIS, the Ministry of Economic Development and the Agency for Digital Italy (AGID) will sign agreements to ensure the transfer of the functions of the national Computer Emergency Response Team (CERT) and of the Computer Emergency Response Team of the Public Administration (CERT-PA) to the Italian CSIRT, which, to carry out its tasks, will make use of AGID as provided for by the NIS legislative decree. The decree establishing the CSIRT requires 180 days for its provisions to come into force; therefore, this new body dedicated to the defense of Italian cyberspace will be operational only from May 2020.

While awaiting this structural and regulatory evolution, CERT-PA has recently started operational testing of the national platform for countering cyber attacks.16 The platform aims to transmit indicators of compromise and to notify and represent cyber risk events in different scenarios.

Public administrations and users who adopt the service will be able to rely on the platform for the automatic recognition of cyber threats. Thanks to it, data on cyber attacks, automatically collected and reported, will be immediately analyzed in order to promptly activate an integrated defensive response.

The platform, which had already been activated in an experimental phase in the early months of 2019 and is composed of various elements, including the National Client for the Transmission of Indicators of Compromise (CNTI), has therefore entered its pilot phase, after which the project will be improved and the user base expanded. Greater ease of use of the service will also be guaranteed, so that it can be included in the technological processes dedicated to the governance of corporate security.

Thanks to this system, Italy will also be able to respond promptly to cyber attacks, whether they come from individuals, from local or national organizations, or from conventional or non-linear threats.

2 Intelligence Glossary. The Language of Information Organizations, p. 40.

3 Piscopìa S., Setti S., Cyber ​​espionage: International Law profiles, Eurilink University Press, Rome, 2021, p. 210.

4 Ibid.

5 APT Threat: What Are Advanced Persistent Threats, How Do They Work, and How to Defend Yourself?, Cybersecurity360, https://www.cybersecurity360.it

6 Marcialis M., The streets of violence, Colorado Noir, Mondadori, 2006, p. 51.

7 Fusani C., Equalize, eight hundred thousand spied on, the servers in Lithuania and the trail that leads to Russia, Tiscali News, 29/10/2024. https://notizie.tiscali.it/politica/articoli/equalize-ottocentomila-spia....

8 Dag, Cornelli's company has invoiced 224 thousand euros in a year and a half, Reggio Sera, 27/10/2024. https://www.reggiosera.it/2024/10/dag-la-societa-di-cornelli-ha-fatturat...

9 Venia G., Dossieraggio, the papers of the Milan investigation: Sergio Mattarella's account also hacked, Rai News, 27/10/2024. https://www.rainews.it/video/2024/10/dossieraggio-le-carte-dell-inchiest....

10 Dossiers on Russian oligarchs emerge: there is also the man who bought Fusillo's assets, La Gazzetta del Mezzogiorno, 29/10/2024. https://www.lagazzettadelmezzogiorno.it/news/primo-piano/1571949/spuntan....

11 D'Amato A., The Mossad, the Vatican, money to spy on employees: Equalize's business with companies and secret services, Open, 30/10/2024. https://www.open.online/2024/10/30/equalize-eni-mossad-vaticano-soldi-az....

12 Soglio A., From Striano to the Milan investigation: 2024 is the year of dossiers, Italian Affairs, 28/10/2024. https://www.affaritaliani.it/cronache/dossier-inchiesta-milano-dati-stri....

13 Intelligence Glossary. The Language of Information Organizations, PCM-SISR, 2019, p. A.7.

14 With Legislative Decree 18 May 2018, n.65, published in the Official Journal n. 132 of 9 June 2018, Italy implemented, by transposing it into national law, Directive (EU) 2016/1148, the so-called NIS Directive.