The exposure of a massive hacking scandal targeting top Italian officials began with a suspicious email. An employee of Italy's air traffic control authority, Enac, didn't recognize the name of the alleged sender and forwarded the email to a cybersecurity unit of the Italian police last year.
Investigators have been following the trail ever since, peeling back the layers of a cyberespionage operation with alarming proportions.
The police discovered a centralized and systematic attack on the email systems of Italy's central bank, parliament, ministries, companies, labor unions, debt collection companies and law firms. Even the Vatican's servers were compromised.
The scope of the hacking wasn't immediately clear and investigators say their work is still far from over, according to a police spokesman in Rome.
Among the victims of the attack was Mario Draghi, the president of the European Central Bank. Hackers apparently gained access to one of his Italian email accounts. Other victims included former Italian prime ministers Matteo Renzi and Mario Monti, banker and former Banca d'Italia general secretary Fabrizio Saccomanni, the head of Italy's Guardia Di Finanza, a unit of the economics ministry tasked with fighting financial crime, General Saverio Capolupo, and politicians from every political party. Hackers even stole information from a former spokesman for Silvio Berlusconi and the cardinal Gianfranco Ravasi.
The scope of the attack, both in its selection of high-profile targets and the wide net it cast, exposed a criminal system that investigators believe was intended to siphon off information relevant to national security. It showed just how inadequately some digital information is protected from outside influence, not just in Italy but around the world.
The perpetrators used a type of malware called "Eye Pyramid," which not only infects the computer of the user who opens the infected file, but all of the other computers in their network. "Eye Pyramid" is capable of reading documents and taking screenshots.
Two suspects were arrested in Rome on Tuesday on charges of violating state security. The two are siblings; he is a 45-year-old nuclear physicist and the managing director of a company that sells financial information; she is 49 and stands accused of trying to delete data from her computer at the time of the duo's arrest. Both are registered in London but live in Rome.
According to authorities, there were 18,327 targeted attacks against Italian computers. In 1,793 cases, passwords were compromised. The suspects hid the data they had stolen in 122 encrypted folders on servers in the United States, organizing them according to keywords such as "politics," "finance" or "freemasons."
The brother is the owner of the financial boutique "Westlands Securities." Speaking through his lawyer on Wednesday, he denied the charges that he had stolen data and engaged in espionage. According to the arrest warrant executed by prosecutors in Rome, "Westlands Securities" has advised the American government on negotiations over infrastructure measures in the port of Taranto - the headquarters of the Ilva steel plant and a major NATO base.
Authorities say their investigation is far from over because the police have yet to gain access to all of the encrypted files.
A breakthrough in the case was only achieved with the help of the Cyber Division of the FBI, and Italian prosecutors have said from the beginning that the complicated system of sham companies the suspects used to cover their tracks could not have been established alone. Authorities are now looking for potential accomplices. The siblings in custody have allegedly been compiling data on high-ranking Italian functionaries for five years.
There's not a company or organization in the world that is 100 percent protected against such attacks. Every system, no matter how sophisticated, has one critical vulnerability: its users. Currently, it's up to users to recognize and delete malicious emails, which isn't always easy.
"The more targeted an attack is, the more difficult it can be to detect it," said Norbert Pohlmann, the director of the Institute for Cyber Security at the Westphalian University of Applied Sciences. "Hackers employ a technique called social engineering, which means they first scope out a victim's environment. Only then do they compose an email, the content of which they can be sure will interest their target."
Hackers personalize emails and make them appear deceptively genuine. What's more: Once one computer in a network is infected, successive attacks are easier because they can be carried out directly from a colleague's computer.
"We don't really have that good a grip on technology," Mr. Pohlmann said. "To determine who really sent an email, you would have to look at the source code of the email header. But that's not always easy, even for those people who know what they're doing."
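The header check Mr. Pohlmann describes, as an added example that is not part of the Handelsblatt article: a Python script that parses the raw headers of a constructed message and reports where the visible From address disagrees with the envelope sender (Return-Path), the Reply-To address, the SPF/DKIM verdicts the receiving server recorded in Authentication-Results, and the relay named in the topmost Received line. Every domain, address and IP in the two sample messages is a placeholder made up for this example.

```python
"""Spot sender inconsistencies in raw email headers (added example).

The two messages below are constructed for illustration; every domain,
address and IP in them is a placeholder, not data from the article.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed: the visible From: claims the recipient's own domain, but the
# envelope sender, Reply-To and delivering relay all point elsewhere.
SPOOFED_MESSAGE = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
        by mx.example.org with ESMTP id abc123
        for <employee@example.org>; Mon, 9 Jan 2017 09:12:31 +0100
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Security Office" <security@example.org>
Reply-To: security-office@example.net
To: employee@example.org
Subject: Please review the attached document
Content-Type: text/plain; charset=utf-8

Please open the attachment.
"""

# Constructed: an internal message whose headers agree with each other.
CONSISTENT_MESSAGE = b"""\
Return-Path: <colleague@example.org>
Received: from mail.example.org (mail.example.org [198.51.100.5])
        by mx.example.org with ESMTP id def456
        for <employee@example.org>; Mon, 9 Jan 2017 10:02:07 +0100
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
From: Colleague <colleague@example.org>
To: employee@example.org
Subject: Meeting notes
Content-Type: text/plain; charset=utf-8

Notes attached.
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, address = parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def header_findings(raw):
    """Return a list of inconsistencies found in the message headers."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_domain = domain_of(msg.get("From"))

    # Envelope sender (Return-Path) and Reply-To normally share the From
    # domain; a mismatch is the classic sign of a look-alike sender.
    for name in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(name))
        if other and other != from_domain:
            findings.append(f"{name} domain {other} differs from From domain {from_domain}")

    # Authentication-Results is written by the receiving server and records
    # the SPF/DKIM/DMARC verdicts; anything other than pass deserves a look.
    auth = str(msg.get("Authentication-Results", ""))
    for token in auth.replace(";", " ").split():
        mech, sep, result = token.partition("=")
        if sep and mech in ("spf", "dkim", "dmarc") and result.lower() != "pass":
            findings.append(f"{mech} result is '{result.lower()}'")

    # The topmost Received: line was added by the recipient's own mail server
    # and names the relay that actually handed the message over; the lines
    # below it were written on the sender's side and can be forged.
    received = msg.get_all("Received") or []
    if received:
        match = re.match(r"\s*from\s+(\S+)", str(received[0]), re.IGNORECASE)
        if match and from_domain and not under_domain(match.group(1), from_domain):
            findings.append(f"delivering relay {match.group(1)} is not under From domain {from_domain}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("consistent", CONSISTENT_MESSAGE)):
        print(label, header_findings(raw) or ["no inconsistencies"])
```

Run against the spoofed sample the script lists five findings (two domain mismatches, an SPF failure, a missing DKIM signature and a relay outside the From domain); the consistent sample produces none. The checks are heuristics, not proof of forgery: legitimate mailing lists and outsourced senders also produce Return-Path and relay mismatches, which is exactly why Mr. Pohlmann calls the exercise hard even for experts.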
History has shown that hacking can be a lucrative endeavor. In the past year, cyber-thieves increasingly used the so-called GozNym Trojan to clean out victims' bank accounts. The malware encouraged recipients of a deceptive email to click on a link that would redirect them to a website that looked identical to their bank's online banking platform. By entering their login information, they effectively gave hackers free rein over their accounts.
According to analysis by IBM, 13 banks in Germany have been affected by the GozNym virus. The damage is estimated in the millions of euros, though an exact sum has not been put forward. Clicking on a malicious link doesn't only happen to neophytes, either. Even well-trained executives can fall victim to cyber scams. The amount of money that companies invest to protect themselves is huge. According to a survey by the market research firm Gartner, last year companies around the world spent $81.6 billion (€77 billion) on products and services related to information security. It marked an increase of 7.9 percent over the previous year.
The list of banks that have been affected by hacking is long and includes prominent names such as the ECB, the Bank of China and the Bank of East Asia. One major attack known as "Carbanak" affected more than 100 banks in Russia, the U.S., Japan, Switzerland and the Netherlands. The attack is considered the largest digital heist in history. Estimates put the perpetrators' booty as high as $1 billion. In February 2016, cybersecurity officials detected an attack on the international payment system Swift.
The political impact of a hacked email account can be huge, as the U.S. election shows. Multiple intelligence agencies in the U.S. have come to the same conclusion that Russia was responsible for hacking the servers of the Democratic National Convention and the email account of Hillary Clinton's former campaign chairman, John Podesta.
According to a declassified intelligence report, hackers gained access to 60,000 of Mr. Podesta's emails, some of which contained sensitive information that was then made public, embarrassing the Clinton campaign and ostensibly influencing the election result.
The White House retaliated against Russia for the hacking by imposing sanctions and ejecting diplomats. The Kremlin denies any wrongdoing.
Election tampering is not only an American problem: at the end of December, the German Federal Office for Information Security said it expected similar hacking attacks to occur during the country's upcoming federal elections, which are scheduled to take place next fall.
Regina Krieger is Handelsblatt's Italy correspondent. Ina Karabasz is an editor for the companies and markets team, covering telecommunications, IT and security issues.