Cyber Incident Victim: Caremar

Date:

Apr 2023

Location:

Italy

Summary

The Italian ferry operator Caremar suffered a data breach, resulting in its customer data being offered for sale on the underground cybercrime forum XSS. A threat actor posted samples of the stolen information to prove the compromise was successful and advertised the full dataset for private sale. The XSS forum is a prominent Russian-language platform used by ransomware groups and cybercriminals to trade illicit goods and discuss cybersecurity events.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around April 13, 2023, a threat actor advertised a dataset allegedly belonging to the Italian ferry company Caremar for sale on the Russian-language cybercrime forum XSS. Caremar, formally known as Campania Regionale Marittima, is an Italian shipping company. It was originally a subdivision of the state-owned Tirrenia di Navigazione until 2009, when it was transferred to the regional government of Campania. In 2012, ownership passed to the Mediterranean Shipping Company, and finally, following a privatization procedure, it was sold on July 16, 2015, by the Campania Region to a consortium of companies comprising SNAV SpA and RIFIM SpA. The company, founded in 1975, operates passenger and cargo maritime links in the Gulf of Naples, connecting the seven major ports of the Gulf.

The advertisement was posted on the XSS forum, a prominent and professional hacking forum within the international dark web community. The forum was initially established as DaMaGeLaB in 2013. After the arrest of one of its administrators in 7, it underwent a rebranding process and reemerged as XSS in September 2018. The forum is administered by a Russian individual and its primary user base is Russian-speaking. It is known for hosting discussions on illicit topics and is utilized by Advanced Persistent Threat (APT) groups, including ransomware operators like LockBit, REvil, AvosLocker, EternityTeam, Babuk, and DarkSide. These groups use the platform to stay informed about the latest tools, techniques, and vulnerabilities, to conduct public relations activities, and to recruit affiliates for their Ransomware-as-a-Service (RaaS) programs. XSS also functions as a trading platform for illicit digital goods related to hacking and financial fraud, including the sale of leaked databases, custom malware, hacking tools, zero-day vulnerabilities, and network access sold by Initial Access Brokers (IABs). Access to the forum's content requires a registered and approved account, with certain restricted sections available only through a paid premium subscription.

The threat actor responsible for the advertisement on XSS included samples of the data purportedly stolen from Caremar. These samples were presented to demonstrate that the compromise of the company's computer systems had been successful and to lend credibility to the offer. The samples were described as containing customer information, indicating that the breached data likely included personally identifiable information belonging to Caremar's clients. The actor stated that interested buyers should contact them privately to negotiate the purchase of the full dataset. The exact volume of data and the specific systems compromised were not detailed in the public advertisement.

The public discovery of this incident was reported by Red Hot Cyber, a project and open-news network focused on information technology and cybersecurity, which began in 2019. The publication monitors cybercrime forums and sources for such activity. In its reporting, Red Hot Cyber noted it would continue to monitor the situation for further substantial developments and expressed willingness to publish any official statement provided by Caremar regarding the incident. At the time of the initial report, no public statement or response from Caremar was included, and the company's official website remained operational, displaying standard information about its history and operations without any visible notice concerning a security breach.

The immediate impact of the incident was the potential exposure of customer data and the reputational damage associated with such a breach being advertised on a notorious cybercrime forum. The secondary impact involved the risk of the data being purchased and subsequently exploited for further criminal activities, such as targeted phishing campaigns, identity theft, or financial fraud against the affected individuals. The operational impact on Caremar's shipping services, if any, was not immediately apparent from the available information.

The specific methods used by the attackers to gain initial access to Caremar's systems, the duration of any unauthorized access, and the exact extent of the data exfiltrated were not publicly disclosed in the forum post or the subsequent news article. The incident underscores the ongoing threat posed by cybercriminal actors targeting transportation and logistics sectors, with the goal of monetizing stolen sensitive information through underground marketplaces. The involvement of a forum like XSS indicates a professional-level threat actor or group seeking to profit from the intrusion.

The response actions taken by Caremar internally, such as initiating an investigation, engaging incident response firms, or notifying relevant data protection authorities, were not detailed in the source material. The chronology of the attack prior to its public advertisement on April 13, 2023, remains unknown, including the date the systems were first compromised. The incident highlights the continued targeting of regional European companies by cybercriminals who operate on well-established platforms that facilitate the exchange of hacking-related knowledge and the sale of illicit goods.
