The alarm went off shortly after 9 a.m., when first one, then two, then more of Trenitalia’s ticket office computers began to crash. A cyber attack (one of the more traditional kind, a virus that takes data hostage and blocks access to it) hit the Italian railways on March 23. Thoughts immediately went to the war in Ukraine and to the alerts our Information Security Agency had raised in recent days. By late evening, however, when much was still unclear (as always happens in these cases), the investigators, and Trenitalia itself, were calmer: nothing suggested a terrorist attack or an attack by a foreign state. There was no attempt to attack the network, as happened for example in Russia. Rather, it was a classic cryptolocker attack: sensitive data encrypted and held for ransom. Fortunately, the blocked data seems scarce and not very valuable, so much so that all services could be restored as early as today. “We thought an airplane had crashed and instead, thankfully, it looks like a moped accident,” smiled one of the men busy figuring out what the hell had happened. A moped, however, that made a lot of noise.
Trenitalia ticket offices and self-service stations were blocked. This was an emergency measure taken by the company after it saw the first locked computers, with the goal of securing the system and avoiding more serious problems. The ransomware used is believed to be Hive's, so much so that in the afternoon the hacker group published some chats (probably false) in which they asked Trenitalia for a ransom of five million. A ransom that, according to the “Ferrovie”, was never demanded, much less paid.
As mentioned, some terminals of the sales network were attacked. It’s too early to say what the entry point was. What is certain is that Trenitalia is a client of one of the main Italian software houses, which for a year has been at the center of one of the biggest computer attacks in the history of our country, probably a vehicle for other sensational intrusions against other important companies. However, the decision to immediately disconnect the computers seems to have limited the damage (though not the disruption: it was difficult to get a ticket for a train). This is also because, the company says, it currently rules out the hypothesis that the virus had also reached the programmers’ machines, a scenario that some sources instead consider credible and that would have endangered the entire network. But who carried out the attack? “At present, there are no elements that allow us to trace the origin and nationality of the attack,” says Ferrovie. This type of ransomware is also used by Russian hacker groups, but always for extortion. What’s more, the nature and extent of the attack suggest that the hackers had been inside the railways' computers for months, certainly before the Russian attack in Ukraine. In any case, the agents of the Postal Police, led by Ivano Giannini, and the experts of the Cybersecurity Agency are at work. Meanwhile the Democratic Party, with Enrico Borghi, is announcing a bill on cyber attacks.