
Cyber Incident Victim: DarkRace

Date:

Jun 2023

Location:

Italy

Summary

The cybercriminal gang DarkRace claimed a ransomware attack against the Italian company CONATECO, alleging they exfiltrated 46GB of data. The victim's website was rendered inaccessible, displaying only a maintenance message and 404 errors. The group described the target as a large container terminal operator based in Naples. DarkRace published its claim on its darknet data leak site, threatening to release the stolen information.

CIA Posture: Available to members

Motives: 2 motives

Tactics, Techniques & Procedures: 2 techniques

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

On or around June 3, 2023, the cybercriminal gang known as DarkRace publicly claimed responsibility for a cyberattack targeting the Italian company CO.NA.TE.CO. (Consorzio Napoletano Terminal Containers). The group made the announcement by posting a claim of attack on its dedicated Data Leak Site (DLS), reachable as a Tor onion service. That post was the primary public evidence of the incident and the only description of the gang's actions and intentions. According to the claim, the attackers exfiltrated approximately 46 gigabytes of data from the company's IT infrastructure. If accurate, that is a substantial compromise of the company's data, though the post did not itemize the nature or sensitivity of the stolen files, and the figure was not independently verified at the time.


DarkRace's post included a descriptive profile of the victim company, indicating they had researched their target. The description characterized CO.NA.TE.CO. as having been founded in 1995 and identified it as the largest terminal in the port of Naples and the fourth largest in Italy. The attackers also noted the company's strategic geographical position in the heart of the Mediterranean, placing it in the midst of international trade routes and making it a key link between Northern and Southern Europe. This inclusion suggested the attack was targeted, with the gang potentially viewing the company as a high-value victim due to its role in critical infrastructure and logistics.

Concurrently with the claim appearing on the darknet, the public-facing website of CO.NA.TE.CO. became inaccessible. Visitors were met with the message "Sito in manutenzione," which translates to "Site under maintenance," and requests for any subpage on the domain returned HTTP 404 errors. A 404 response, as opposed to a connection timeout or refusal, means a web server was still answering requests but no longer serving the original content; that is consistent with the site having been deliberately replaced by a maintenance page, but it does not by itself distinguish a defensive takedown from damage caused by the intrusion. The timing of the darknet claim and the outage strongly suggests the two events were related, with the website disruption a consequence of the attack. The specific cause of the outage, whether defensive measures taken by the company, destructive actions by the attackers, or a combination of both, was not detailed in the available reporting.

The incident exhibited the hallmarks of a ransomware attack, though no ransom demand or amount was publicly documented in the source material. DarkRace operates under a ransomware-as-a-service (RaaS) model: developers build and maintain the ransomware and its supporting infrastructure and lease them to affiliates, who carry out the intrusions and split the proceeds. The core technique is to gain a foothold in the victim's network, move to the systems holding valuable data, and deploy malware that encrypts files so that systems and information become unusable, after which the attackers demand a cryptocurrency payment for the decryption key. The now-standard secondary tactic, double extortion, is to exfiltrate sensitive data before encryption and threaten to publish or sell it if the victim refuses to pay. DarkRace's claim of having stolen 46GB of data indicates that double extortion was a key component of this attack, giving the group leverage even if the company could restore its systems from backups.

The name DarkRace bears a resemblance to Darktrace, a separate and unrelated British cybersecurity company founded in 2013, headquartered in Cambridge, England, and at the time listed on the London Stock Exchange. The reporting noted the similarity as a point of information only and did not suggest any connection between the criminal group and the legitimate security firm.

Public reporting on the incident did not include an official statement from CO.NA.TE.CO. at the time of the initial disclosure. The article noted that the publication offered the company the opportunity to provide an update or statement on the situation, with an offer to publish any provided information in a subsequent article. The ultimate response from the company, including any internal investigation, communication with stakeholders, or engagement with law enforcement or incident response professionals, was not covered in the provided source material. The technical response to restore the website from the "under maintenance" state was also not detailed, leaving the duration of the outage and the specific recovery actions undertaken unclear.

The impact of the incident was twofold. The immediate operational impact was the loss of the company's public online presence, taking its website completely offline and likely hindering external communications and any business processes that depended on it. The second, and potentially more severe, impact was the claimed theft of a substantial volume of internal company data. Although the 46GB figure came only from the attackers and was not confirmed by the company, exposure of data on that scale could carry significant financial, reputational and legal consequences depending on its content. The full scope of affected systems beyond the web server, such as internal networks, databases or employee workstations, was not specified in the gang's claim or in the subsequent reporting.

The article placed the attack within the broader landscape of ransomware threats, explaining that such infections can be devastating for organizations. Data restoration is described as a difficult and laborious process that requires specialized operators for a reliable recovery. Even with backups, successful restoration is not guaranteed: if the backup storage is reachable from the compromised network with write access, the ransomware can encrypt or delete the backups along with the production data, so backups must be isolated from the systems they protect and restores must be tested before they are needed. The reporting emphasized that cybersecurity is a serious matter capable of profoundly undermining a company's business and argued for treating it as an integral part of operations rather than a concern that arises only after an incident. The CO.NA.TE.CO. attack is a concrete example of these threats materializing for a company operating in a critical sector.
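The backup point above has a practical corollary: before a restore is attempted, the backup has to be checked against an integrity record that an intruder on the backup share could not have regenerated. The following is an added example, not code from the page or from any party it describes. It builds a SHA-256 manifest of a backup tree, seals it with an HMAC whose key is assumed to live somewhere the backed-up hosts cannot reach (an offline vault), and then shows that verification catches a backup that ransomware has overwritten, and that an attacker who can write to the share but lacks the key cannot forge a matching index. The directory contents, the ransom note filename and the XOR "encryption" are constructed stand-ins for the demonstration, not DarkRace's actual behaviour.

```python
"""Detect a tampered backup before restoring from it (added example, not from the original page).

The manifest alone is not enough: ransomware that can write to the backup share can
rebuild it after encrypting. Sealing the manifest with an HMAC key held off the
network (assumed here to be an offline vault) makes the index itself tamper-evident.
"""
import hashlib
import hmac
import json
import pathlib
import secrets
import tempfile


def build_manifest(root):
    """Map every regular file under root (POSIX relative path) to its SHA-256 hex digest."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def _canonical(manifest):
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(manifest, key):
    """Serialize the manifest with an HMAC-SHA256 tag computed under `key`."""
    tag = hmac.new(key, _canonical(manifest), "sha256").hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag})


def open_manifest(sealed, key):
    """Return the manifest if its tag verifies under `key`; raise ValueError otherwise."""
    doc = json.loads(sealed)
    expected = hmac.new(key, _canonical(doc["manifest"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest HMAC mismatch: backup index was tampered with or the key is wrong")
    return doc["manifest"]


def verify_backup(root, manifest):
    """Compare the tree on disk with the trusted manifest and report every difference."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    extra = sorted(p for p in current if p not in manifest)
    return {"ok": not (modified or missing or extra),
            "modified": modified, "missing": missing, "extra": extra}


def simulate_encryption(root, note_name="README_TO_RESTORE.txt"):
    """Constructed stand-in for ransomware reaching a network-attached backup:
    overwrite every file in place and drop a note (note name is invented for the demo)."""
    root = pathlib.Path(root)
    for p in [q for q in root.rglob("*") if q.is_file()]:
        p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
    (root / note_name).write_text("your files are encrypted\n")


def demo():
    """Seal, tamper, verify, and attempt a forgery. Returns (clean_ok, report_after, forged_ok)."""
    key = secrets.token_bytes(32)               # assumed to be stored offline, not on the share
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "terminal.sql").write_text("CREATE TABLE containers (id INT);\n")
        (root / "config.ini").write_text("[gate]\nlanes=4\n")

        sealed = seal_manifest(build_manifest(root), key)
        clean_ok = verify_backup(root, open_manifest(sealed, key))["ok"]

        simulate_encryption(root)
        report_after = verify_backup(root, open_manifest(sealed, key))

        # The intruder rebuilds the index over the encrypted tree but has no key.
        forged = seal_manifest(build_manifest(root), b"attacker-guess")
        try:
            open_manifest(forged, key)
            forged_ok = True
        except ValueError:
            forged_ok = False
    return clean_ok, report_after, forged_ok


if __name__ == "__main__":
    clean, after, forged = demo()
    print("clean backup verifies:", clean)
    print("after tampering:", after)
    print("forged index accepted:", forged)
```

The manifest should be generated by the backup job on a host the production network cannot write to, and the sealing key should never be present on the backup share; with those two properties, a restore that starts by calling `open_manifest` and `verify_backup` fails closed instead of restoring encrypted data.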

Sources
Sources available to members
1 source