
Cyber Incident Victim: AECO

Date: May 2023

Location: Italy

Summary

The Italian sensor manufacturer AECO was compromised by the BlackCat ransomware group. The attackers exfiltrated a significant amount of sensitive data, which they threatened to publish or sell if a ransom was not paid. The stolen information included confidential customer and partner documents, financial records, contracts, and engineering data. BlackCat gave the company a 72-hour deadline to comply with their demands to prevent the public release of the data.


Description

On or around May 3, 2023, the Italian sensor manufacturing company AECO was compromised in a cyberattack claimed by the BlackCat/ALPHV ransomware operation. The group publicly announced the attack on its data leak site (DLS), initiating a 72-hour countdown for the company to meet its demands before the threatened publication of stolen data. The attackers did not disclose the specific volume of data exfiltrated but published a sample of the stolen files to prove the compromise and increase pressure on the victim. The sample files were accessible through the Tor network, making them available to anyone with the basic knowledge to use the Tor Browser, not just skilled threat actors.


The public announcement on the DLS included a warning aimed at AECO's business partners, stating that working with the company could be dangerous for their business. BlackCat characterized AECO as Italy's most insecure sensor company, claiming it possessed a massive number of vulnerabilities that led to the leakage of confidential customer and partner data. The types of data listed as exfiltrated included financial and accounting documents, databases, confidential client and partner documents, contracts, and a significant amount of engineering information. The group threatened that all critical company data would be published in the public domain and sold on the dark web for monetization if their demands were not met. They also threatened to send internal business information to AECO's competitors.

AECO is an Italian company founded in 1978 and based in Inzago. It designs and manufactures sensors for automation, offering approximately 5,000 standard products and also creating custom electronic sensors and equipment based on client requests. The company operates with a commercial organization supported by agents and representatives across Italian regions and in over 50 foreign countries. Its business involves significant research and development efforts conducted by highly specialized personnel, with all production taking place at its Inzago facility. The attack therefore threatened not only its financial and internal data but also its proprietary engineering and design information, which is a central point of its business strength.

The threat actor, BlackCat/ALPHV, is a ransomware-as-a-service (RaaS) operation first identified by security researchers from Recorded Future and MalwareHunterTeam around late 2021. The group is notable for being the first major ransomware operation written in the Rust programming language, which is generally regarded as safer than C or C++ because of its memory-safety guarantees. Security analyst Michael Gillespie described BlackCat as a "very sophisticated" piece of malware. The group operates an affiliate program advertised on clandestine cybercrime forums, where it recruits other criminals to carry out attacks using its ransomware. Affiliates receive a share of the ransom, typically between 80% and 90%, depending on the total sum extracted from the victims. The ransomware is capable of encrypting data on systems running Windows, Linux, and VMware ESXi.

The group engages in double extortion tactics: it exfiltrates the victim's data before encrypting it, then uses the threat of publishing the stolen data as additional leverage to force a ransom payment. BlackCat/ALPHV is known to have targeted numerous Italian companies and public administrations. The group manages multiple data leak sites; one theory is that these sites are hosted by the individual affiliates themselves, which would explain the variety of URLs used for different victims.

The public announcement of the AECO breach included a direct reference to the General Data Protection Regulation (GDPR), warning the company of potential severe sanctions under this law if it failed to protect the data of its customers and partners from disclosure or criminal use. This indicates the attackers were aware of the significant regulatory and financial repercussions a data breach could have on a European company, and they used this knowledge as part of their coercive strategy. The timeline presented was aggressive, with the full publication of data promised to occur after the 72-hour window expired.

As of the publication of the article reporting the incident, there was no mention of an official statement from AECO itself regarding the attack, its impact on operations, or whether the company was engaging with the threat actors. The article noted that the situation would be monitored for further developments and that any official statement provided by the company would be published. The immediate consequences for AECO included the potential for severe operational disruption from any encryption of systems, the reputational damage from the public announcement, and the looming threat of sensitive data being released. The long-term impacts could include financial losses from the incident itself, potential regulatory fines under GDPR for failing to protect customer data, and loss of competitive advantage if proprietary engineering information was disseminated to rivals. The requirement to investigate and recover from the attack would also demand significant resources, potentially involving highly specialized operators for reliable data recovery, a process noted as being difficult and prone to failure, especially in the absence of reliable, isolated backups.
