fbpx

Trojans, Disloyal Civil Servants and Organised Crime: How Cyber-Espionage Threatens a State’s National Security

Legal - October 30, 2024

RATs, a particular type of malware, may have been used by members of an illegal spying network that has just come to light in Italy, as part of the investigations that are uncovering the scandal of illegal investigations and the compilation of dossiers on politicians and business and financial figures, their families and friends.

What are Remote Access Trojans (RATs) and how do they work?

A Remote Access Trojan (RAT) is a type of malware designed to give a malicious user full remote access to the infected system. This type of malware is particularly insidious because, once installed, it gives the cybercriminal complete and invisible control over the compromised computer, with the ability to steal data, spy on the user, manipulate files and monitor activity. RATs are usually delivered via phishing techniques, infected emails or drive-by downloads from compromised websites, and often exploit vulnerabilities or careless user behaviour to install themselves.
RATs act as a backdoor, opening a communication channel between the hacker and the target device. These malicious programs are usually configured to evade security solutions: they can disguise themselves as legitimate software or hide in commonly downloaded files, such as documents or applications. Once activated, they allow the attacker to access the camera, microphone, keyboard and data stored on the system, such as login credentials and bank details.
Initially used by individual hackers, RATs have become sophisticated tools for organised cyber crime groups and state-sponsored cyber espionage operations. Some of the best-known RATs include Blackshades, DarkComet and Gh0st RAT, all of which have user-friendly interfaces that make them easy to control remotely by users with limited technical knowledge. RAT attacks are particularly effective because they are difficult to detect, as commands can be disguised as normal system operations.
Using this hacking strategy, the accused broke into the databases of the Italian Ministry of the Interior and other institutions relevant to national security.
Six people were arrested by the Carabinieri of the Nucleo Investigativo di Varese for stealing confidential data and information from various ‘National Strategic Databases’. The stolen information included sensitive data from Sdi, Serpico and Inps, which were exfiltrated for economic and personal purposes. The suspects, who have been placed under investigation, are said to include former police officers, hackers and computer consultants who have set up a network with the aim of creating dossiers that could be used to blackmail or even extort public figures, including high-ranking state officials.
The data extracted by the RAT Trojans was then collected via an aggregator platform developed by the group’s experienced hacker with a history of anonymity; this platform allowed data to be extracted from the SDI (Information System) database.

The importance of the human factor

It is not only Trojans that count, but also the human factor. In its illegal investigative activities, the organisation is said to have used more traditional methods, such as relying on disloyal civil servants, corrupt policemen and, according to journalistic reports on the investigation, the involvement of at least one magistrate, while in some wiretaps the protagonists even boasted of links to the secret services. This is not uncommon in the world of private investigation, where information is obtained in the traditional way, but the human factor is also important in illegal cyber activities, because very often one of the best ways to introduce malware into a system is to physically ‘inject’ it into one of the computers in the network to be attacked, relying on corruptible employees with access to the terminals, or leaving pen drives lying around that, when accidentally inserted by someone, invisibly download the malicious code into the computer and start to infiltrate the whole system. The human factor also plays a role when, as this investigation shows, computer maintenance companies are able to infiltrate the systems used by government departments and law enforcement agencies, or when it is necessary to turn to other groups of hackers who are able to do the work of updating the keys in order to “break” back into the institutions’ computer systems, which are constantly being updated. From the corrupt official to the careless employee, via the mismanagement of cyber threat prevention, hacking always walks on the legs of flesh and blood people, and so does cyber security.
The consequences for the democratic resilience of a state attacked by such an organisation are frightening. In the scandal that erupted in Italy, the authorities discovered that these individuals were in possession of a hard drive containing over 800,000 records illegally obtained from law enforcement databases, known as SDI, as well as a huge amount of other confidential data. The intercepts show that the group allegedly misused the email address assigned to President Mattarella for unknown but certainly worrying purposes. The hacked databases include strategic information held by the police, the Agenzia delle Entrate and Bankitalia, according to RAI News. The data was allegedly sold to Equalize’s clients or used to blackmail businessmen and politicians in a practice that, according to prosecutors, dates back to at least 2019 and continued until March this year.
However, the risks to national security posed by illegal cyber activities are not limited to the packaging of dossiers for the purposes of blackmail, extortion or profiting from their sale to foreign intelligence services.

Recent attacks and vulnerabilities of European infrastructures

In recent years, European states have suffered a series of cyber attacks that have highlighted the vulnerability of their critical infrastructure and the growing role of hackers in compromising national security. These attacks, often attributed to cybercriminal groups or state-sponsored entities, have had a significant impact on both government structures and strategic industrial sectors. The following are some of the most significant cases.
Attack on Germany (Bundestag) – 2015
In 2015, Germany suffered one of its most serious cyber attacks when hackers believed to be linked to the Russian group APT28 (also known as Fancy Bear) targeted the Bundestag, the German parliament. The hackers infiltrated the parliamentary computer system and stole 16 gigabytes of data, including confidential emails from several MPs, including Chancellor Angela Merkel. The attack sparked a heated debate in Germany about the need to strengthen the country’s cyber defences and establish preventative measures to avoid future breaches.
WannaCry – May 2017
In May 2017, the WannaCry ransomware attack disrupted several European countries and affected critical infrastructure, including the UK’s healthcare system (NHS). The attack encrypted thousands of computers around the world, forcing hospitals and health services in the UK to cancel surgeries, postpone appointments and operate under emergency conditions. The attack exposed the fragility of critical infrastructure and the inability of many systems to continually update their defences, even in the face of known vulnerabilities. Although WannaCry wasn’t an attack specifically targeting national security, its impact was devastating and highlighted the importance of protecting healthcare infrastructure and other vital sectors.
Ukrainian power grid attack – December 2015 and 2016
Although Ukraine is not a member of the European Union, the attack on its power grid in 2015 and 2016 was a wake-up call for European states. In December 2015, hackers allegedly linked to Russian groups managed to compromise Ukraine’s power grid, leaving around 230,000 people without electricity for several hours. This attack, the first of its kind on a power grid, prompted other European states to assess the security of their own energy infrastructure. The repetition of the attack in 2016 reinforced fears of coordinated attacks on large-scale critical infrastructure, and highlighted the need for international cooperation to address these threats.
SolarWinds and the risk to Europe – 2020
The SolarWinds attack revealed in December 2020 also had an impact in Europe. Although the operation was mainly targeted at the US, several European countries and multinationals used the compromised software, making them vulnerable to infiltration. The attack was attributed to the Russian hacking group APT29 (also known as Cozy Bear) and involved compromising computer systems by inserting malicious code into the update patches of the SolarWinds Orion IT management software. This attack also raised serious concerns about the security of digital supply chains in Europe, demonstrating how vulnerabilities in third-party software can pose a risk to national security.
Attack on the Irish Health Service (HSE) – May 2021
In May 2021, the Irish Health Service (HSE) was the victim of a ransomware attack by the Conti criminal group, known for extortionate cyber attacks. The attack crashed the computer systems of several hospitals and health services, forcing the Irish government to temporarily suspend several essential public health services. This event highlighted that even smaller countries such as Ireland can be targets of high-profile attacks, particularly in the most sensitive sectors. The Irish government had to allocate significant resources to restore services and improve the health system’s cyber defences.

These cases show that cyber threats to Europe’s critical infrastructure are becoming increasingly complex and frequent. Breaches of national security by hackers are not just about data theft or political sabotage, but can threaten essential services for citizens, such as healthcare and energy. European states are responding by strengthening their defences and increasing cooperation, but the changing threat landscape requires increasingly sophisticated and adaptable preparedness.