Cyber Incident Victim: Lolaico Impianti
Date: May 2023
Location: Italy
Summary
The Italian engineering firm Lolaico Impianti was compromised by the Trigona ransomware gang. The attackers exfiltrated sensitive corporate data and offered it for sale for $100,000 rather than providing a decryption key. The stolen information allegedly includes company strategies, strengths, weaknesses, and confidential client details. The group claimed this data would provide valuable business intelligence to potential buyers, constituting a significant data breach and extortion attempt.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around May 18, 2023, the Trigona ransomware group publicly claimed responsibility for a cyberattack targeting the Italian engineering and construction firm Lolaico Impianti. The criminal group announced the attack via a post on its data leak site, which served as the primary method of communication and extortion. In this post, Trigona explicitly stated its intent was not to provide a decryption key in exchange for a ransom payment, as is typical in many ransomware operations. Instead, the group's objective was to directly sell the data it had exfiltrated from the company's internal IT infrastructure to the highest bidder. The asking price for this stolen data was set at $100,000.

The attackers provided samples of the exfiltrated information to lend credibility to their claims and to entice potential buyers. The data samples were presented as proof that they had acquired sensitive corporate information. In their public justification for the attack and the subsequent sale, Trigona crafted a message aimed at potential purchasers of the data. The message characterized Lolaico Impianti as one of Italy's leading engineering and construction companies, founded in 1975 by Pietro Lolaico, and noted for its significant growth and recognition for quality services in sectors including energy, petrochemicals, industrial plant engineering, and environmental engineering. The criminal group argued that acquiring this confidential data would provide valuable business intelligence.
The promised information allegedly included the company's strategies, strengths, weaknesses, opportunities, and threats (SWOT analysis). Furthermore, Trigona claimed the dataset contained sensitive information regarding the needs, pain points, motivations, and behaviors of Lolaico Impianti's clientele. The cybercriminals posited that this intelligence could be used by a competitor to create better products and services, target the right potential customers, craft compelling sales proposals, and close more deals. The public announcement served as both an admission of the criminal act and an advertisement for the illicit sale of proprietary corporate and client data.
Based on Trigona's tactics, techniques, and procedures (TTPs) as documented in previous incidents, the initial access vector most likely involved internet-facing Microsoft SQL Server instances that were inadequately secured. The group has been observed systematically targeting such servers, typically with brute-force or dictionary attacks against SQL Server authentication in order to obtain valid login credentials. Once the attackers authenticate with a guessed credential, they deploy a specific piece of malware to establish a foothold and extend their access within the network.
This malware, seen in prior attacks and referred to as “CLR Shell,” is a malicious .NET assembly loaded into the SQL Server CLR runtime and used to execute further commands on the compromised host. With CLR Shell in place, the threat actors move laterally through the network, elevate privileges, and perform reconnaissance of the data available to them. The ultimate goals are to identify, collect, and exfiltrate valuable data from the victim's environment and to deploy ransomware payloads that encrypt systems. The public claim in this case focused on data theft, but that is consistent with Trigona's double-extortion model, in which files may also have been encrypted to increase pressure on the victim even though the announcement emphasized the data sale.
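The brute-force pattern described above leaves a clear trail in the SQL Server ERRORLOG (the same events reach a SIEM as error 18456 when forwarded). The following is an added example, not code from the original report or from any vendor tool: it parses constructed sample ERRORLOG lines, flags any client address whose failed-login count crosses a threshold inside a sliding time window, and raises an alert when that same address then authenticates successfully, which is the signal that one of the guesses landed. The log lines, the addresses 203.0.113.5 and 10.0.0.12, the thresholds, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG "Logon" entries (illustrative, not from the incident).
# The "Error: 18456 ..." line that precedes each failure carries no client address and is skipped.
# "Login succeeded" lines are only written when login auditing is set to log successful logins too.
SAMPLE_ERRORLOG = """\
2023-05-18 01:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-05-18 01:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-05-18 01:00:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-05-18 01:00:03.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-05-18 01:00:04.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-05-18 01:00:05.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-05-18 01:00:06.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-05-18 01:00:09.20 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-05-18 01:05:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

# Matches both "Login failed for user 'x'. Reason: ... [CLIENT: ip]" and
# "Login succeeded for user 'x'. Connection made ... [CLIENT: ip]".
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'\..*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Return (timestamp, result, user, client) tuples for each Logon line, in time order."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["result"], m["user"], m["client"]))
    return sorted(events)


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Map client address -> time it first reached `threshold` failures inside a sliding `window`."""
    recent = defaultdict(deque)  # per-client timestamps of failures still inside the window
    flagged = {}
    for ts, result, _user, client in events:
        if result != "failed":
            continue
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold and client not in flagged:
            flagged[client] = ts
    return flagged


def find_guessed_logins(events, flagged):
    """Successful logins from a flagged client at or after its flag time: a guessed credential."""
    return [
        (client, user, ts)
        for ts, result, user, client in events
        if result == "succeeded" and client in flagged and ts >= flagged[client]
    ]


def analyze(text, threshold=5, window=timedelta(minutes=5)):
    """Run both detections over raw ERRORLOG text; returns (flagged_clients, guessed_logins)."""
    events = parse_logon_events(text)
    flagged = find_bruteforce(events, threshold, window)
    return flagged, find_guessed_logins(events, flagged)


if __name__ == "__main__":
    flagged, hits = analyze(SAMPLE_ERRORLOG)
    for client, when in flagged.items():
        print(f"brute-force: {client} reached the failure threshold at {when}")
    for client, user, when in hits:
        print(f"ALERT: {client} authenticated as '{user}' at {when} after brute-forcing")
```

In the constructed sample, 203.0.113.5 is flagged on its fifth failure and the later successful `sa` login from the same address is reported as a probable credential compromise, while the single failure from 10.0.0.12 is ignored. State 8 in the 18456 error means the password did not match, which is the state a password-guessing run produces. Because CLR Shell can only be loaded once `clr enabled` is on, a follow-up check in the SQL Server audit log for `sp_configure 'clr enabled'` changes and `CREATE ASSEMBLY` statements shortly after such a login is the natural next detection, and it is left out here only because it reads a different log.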
The immediate impact of the incident was the confirmed theft of sensitive corporate information. The compromise involved the exfiltration of internal data, which posed a significant threat to Lolaico Impianti's business operations, competitive standing, and legal obligations. The exposure of internal strategies and SWOT analysis could potentially undermine the company's market position if obtained by competitors. The breach of client information, including details on their needs and behaviors, represented a serious violation of privacy and trust, potentially exposing the company to regulatory scrutiny under data protection laws such as the GDPR, given its Italian and international client base.
The potential consequences outlined in the reporting include severe legal repercussions for anyone involved in purchasing or using the stolen data, as acquiring the confidential information of a legal entity is a cybercrime and violates privacy laws. For Lolaico Impianti, the reputational damage associated with a public data breach could affect client relationships and its standing as a reliable partner in the global market. The company's reputation, built on a commitment to quality and safety standards since 1975, was directly challenged by the announcement that its digital security had been compromised.
In response to Trigona's public claim, the cybersecurity news outlet Redhotcyber invited Lolaico Impianti to comment, but no official statement from the company was included in the initial reporting. The outlet said it would continue monitoring the situation and publish further news if substantial developments occurred. The general response framework discussed for such incidents emphasizes the severe difficulty of recovery, particularly if data was encrypted and backups were unavailable, compromised, or not isolated from the network.
Standard response actions for ransomware infections, as referenced in the general advisory content, involve difficult and labor-intensive restoration processes that require highly specialized operators, and recovery is not always successful even when a backup exists, which highlights the potentially devastating effect of such attacks on operational continuity. The broader response typically involves engaging cybersecurity professionals for forensic analysis, containing the breach by isolating affected systems, and assessing the full scope of the data exfiltration. Legal and regulatory authorities would likely have to be notified because of the data breach.
The primary defensive actions recommended to prevent such incidents include:
- user awareness training;
- robust backup plans with copies kept isolated from the network;
- consistent software patching;
- up-to-date antivirus solutions;
- strict application of the principle of least privilege;
- disabling email macros and avoiding unsolicited web links;
- placing Remote Desktop Protocol (RDP) behind a VPN rather than exposing it directly to the internet;
- perimeter security controls such as Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF).
Given the initial access vector described above, the same reasoning applies to Microsoft SQL Server: it should not be reachable from the internet, and SQL authentication logins such as sa should be disabled or protected with strong passwords and failed-login monitoring.
The strategic implementation of extended detection and response (XDR) platforms, potentially supported by a managed detection and response (MDR) service, is cited as a way to achieve comprehensive protection and visibility across endpoints, users, networks, and applications. The overarching guidance for victims is to avoid paying ransoms: cyber gangs may not provide decryption keys, restoration may still fail, and payment fuels the criminal ecosystem. The incident underscored the serious business risk posed by cybersecurity threats and the necessity of treating cybersecurity as a fundamental part of business strategy rather than an afterthought once an incident has already occurred.
