Cyber Incident Victim: Ministero della Cultura
Date: Jul 2024
Location: Italy
Summary
The Italian Ministry of Culture was targeted in a ransomware attack by the threat actor Mad Liberator, which claimed responsibility on its data leak site and published samples of allegedly exfiltrated data, including directories labeled "ACCORDI," "DOCUMENTAZIONE," and "FOTOGRAFIE." The group states that it uses AES/RSA encryption, and it warned of potential regulatory penalties under frameworks like GDPR, alongside risks of fraud, social engineering, or competitive misuse of stolen information. The authenticity of the breach remains unconfirmed because the Ministry has issued no official statement, but the incident underscores the persistent vulnerability of public institutions to ransomware threats. Mad Liberator has a limited history of public claims; the same entity was previously attacked by other groups like LockBit.
Description
On July 17, 2024, the ransomware group Mad Liberator publicly claimed responsibility for a cyberattack against Italy’s Ministry of Culture, publishing samples of allegedly stolen data on their Data Leak Site (DLS). The group, which describes itself as a global hacker collective aiming to "help companies resolve security issues," stated it had encrypted Ministry files using AES/RSA algorithms without damaging them. Mad Liberator’s DLS post included screenshots listing directories such as "ACCORDI," "DOCUMENTAZIONE," and "FOTOGRAFIE," suggesting potential compromise of agreements, documentation, and photographic archives. File timestamps visible in the leak spanned from 2017 to 2024, indicating possible exfiltration of data across a seven-year period. The group warned that victims could face regulatory penalties under GDPR, CCPA, and POPIA frameworks due to the breach. They further threatened that stolen personal information might be exploited for social engineering attacks, fraudulent activities, or competitive discrimination by rival organizations. This incident followed a prior August 2023 attack on the same ministry by the LockBit ransomware group, though no connection between the two incidents was confirmed. As of July 19, 2024, the Ministry of Culture had not issued any official statements acknowledging the breach or detailing its scope, leaving the authenticity of Mad Liberator’s claims unverified through governmental channels.

Mad Liberator’s operational tactics involve issuing five-day ultimatums to victims before publishing stolen data, though no ransom demand specifics or payment deadlines were disclosed for this case. The group emphasized its independence from other cybercriminal collectives and claimed to implement "great precautions" during encryption to avoid file corruption. Public exposure of the Ministry’s data occurred after the expiration of Mad Liberator’s unspecified negotiation window, aligning with their standard leak protocol. Consequences highlighted by the attackers included potential legal liabilities for the Ministry under international data protection regulations and risks of secondary exploitation by third-party malicious actors. The absence of confirmed restoration efforts, decryption processes, or communication from the Ministry left the operational impact and data recovery status unclear. Mad Liberator’s limited public footprint—with only six total claims listed on their DLS at the time of reporting—contrasted with their aggressive targeting of a high-profile government entity. No evidence emerged regarding actual misuse of the leaked data or secondary attacks leveraging the compromised information. The incident underscored recurring vulnerabilities within Italy’s cultural heritage administration, given the ministry’s second major ransomware incident within a twelve-month period.
