Cyber Incident Victim: Agenzia delle Entrate
Date: Jul 2022
Location: Italy
Summary
A ransomware attack targeted the Italian tax agency, with the LockBit group claiming responsibility for stealing 78 GB of data and issuing a five-day ultimatum to prevent public release. Investigations by the Postal Police and internal IT specialists initially found no evidence of a direct breach, suggesting compromise may have occurred through a user account rather than systemic infrastructure vulnerabilities. LockBit published screenshots purportedly showing exfiltrated data, leveraging double extortion tactics typical of ransomware operations—demanding payment under threat of both data encryption and public disclosure. The agency engaged SOGEI, its technology provider, for forensic analysis while judicial authorities opened an inquiry. The incident highlighted concerns over data security protocols amid ongoing verification efforts to confirm the breach's scope.
Description
On or around July 1, 2022, the Italian Revenue Agency (Agenzia delle Entrate) became the target of a cyberattack claimed by the LockBit ransomware group. The group announced the attack on dark web forums, asserting it had exfiltrated 78 gigabytes of data through malware and issued a five-day ultimatum threatening public release of the stolen information unless unspecified demands were met. The Rome Prosecutor’s Office opened an investigation following the disclosure, coordinating with the Italian Postal Police (Polizia Postale) and the agency’s internal IT specialists to verify the claims. Initial technical examinations reportedly found no conclusive evidence of a breach at that stage, though forensic analyses remained ongoing. LockBit published screenshots purportedly demonstrating access to the agency’s systems, which investigators analyzed to assess the breach’s scope and methodology.

Preliminary assessments by cybersecurity experts suggested the attackers compromised a user account rather than directly infiltrating the Agenzia delle Entrate’s core infrastructure. The agency formally requested SOGEI—the Ministry of Economy and Finance’s public technology provider managing its IT systems—to conduct urgent verifications and clarify the incident’s technical details. LockBit, identified as a globally active ransomware operation, employed a double-extortion tactic: encrypting victim data while threatening to leak stolen information unless ransoms were paid in cryptocurrency. The group’s modus operandi aligned with this pattern, though no explicit ransom demand or payment outcome was disclosed in available reports. Investigations continued to determine the validity of LockBit’s data theft claims and the potential exposure of sensitive information.
