Cyber Incident Victim: Ministero della Difesa

Date: Jul 2018

Location: Italy

Summary

A Kremlin-linked cyber-espionage group known as APT28 conducted a multi-stage malware campaign targeting the Italian military, specifically referencing the Marina Militare through a command-and-control server named "marina-info.net." The attack involved a Delphi-based dropper and an updated variant of the X-agent backdoor, designed to activate under specific conditions such as matching IP ranges associated with the victim organization. Researchers attributed the operation, nicknamed "Roman Holiday" due to its timing and focus on Italian entities, to the Russian state-backed group, which has a history of targeting governments and militaries globally. The campaign exhibited characteristics consistent with APT28's broader cyber-espionage activities, including tailored infrastructure and malware previously linked to the group.

| CIA Posture | Motives | Tactics, Techniques & Procedures | Threat Actor | Type | Location |
|---|---|---|---|---|---|
| Available to members | 1 motive | 4 techniques | 1 actor | Available to members | Available to members |

Description

In mid-July 2018, cybersecurity researchers from Z-Lab at CSE Cybsec uncovered a cyber-espionage campaign targeting the Italian military, attributing the activity to the Russian state-linked threat group APT28 (also known as Fancy Bear). The campaign, nicknamed "Roman Holiday" due to its timing during summer and focus on Italian entities, employed a multi-stage attack chain beginning with a Delphi-written dropper malware. This initial payload delivered an updated variant of the X-agent backdoor, a malware family historically associated with APT28 operations. Researchers identified a malicious DLL file within the infection chain that communicated with the command-and-control server "marina-info.net," a domain name referencing the Italian Navy (Marina Militare). Analysis suggested this DLL might only activate under specific conditions, such as when detecting systems within predetermined IP address ranges associated with target networks. The campaign's infrastructure and malware characteristics indicated deliberate targeting of the Marina Militare and its subcontractors. Z-Lab collaborated with independent researcher Drunk Binary to analyze malware samples discovered in the wild, subsequently uploading them to VirusTotal for broader community access. The researchers published a detailed technical report documenting indicators of compromise and malware behavior, though specific details regarding the initial infection vector or the full scope of compromised systems remained undisclosed publicly.


APT28, active since at least 2007 and identified by Western intelligence agencies as operating under Russian military intelligence (GRU), has a documented history of targeting governments, militaries, and political organizations globally. Prior operations included attacks against the German Bundestag, the French television network TV5Monde, and the 2016 U.S. Democratic National Committee hack-and-leak campaign. In late 2017, the group shifted focus toward Asian nations such as China, Mongolia, South Korea, and Malaysia, employing tools such as SPLM and Zebrocy. The "Roman Holiday" campaign marked a return to targeting European entities, specifically Italy's defense sector. The disclosure coincided with U.S. indictments against alleged GRU operatives for election interference activities, though no direct legal connection was made to the Italian campaign. Researchers noted the operation's alignment with APT28's persistent objective of gathering strategic intelligence from military and governmental entities, using tailored malware and infrastructure designed to evade detection within specific target environments. Technical analysis confirmed the use of evolved X-agent capabilities but did not yield any public information regarding data exfiltration or specific operational impacts on the Italian military.

Sources

1 source (available to members)