Cyber Incident Victim: Comune di Palermo
Date: Jun 2022
Location: Italy
Summary
A ransomware attack targeted the municipal government of Palermo, Sicily, disrupting critical services including the official website, police operations systems, and public video surveillance infrastructure. The Vice Society cybercriminal group claimed responsibility, exfiltrating sensitive documents containing citizens' personal health records, identification documents, residency details, and local police sanction reports. Systems were proactively shut down to contain the breach, causing extended outages for parking payment applications and traffic restriction zone access. While initial municipal statements denied ransom demands, the attackers threatened to publish stolen data unless paid. The incident exposed inadequate network segmentation and poor data protection practices, with compromised workstations revealing unsecured sensitive information. Response efforts involved a dedicated IT task force and law enforcement investigations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 2 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
On June 2, 2022, starting around 6:00 AM, the municipal systems of Palermo, Italy, experienced a severe cyberattack that disrupted critical infrastructure. The attack compromised the network hosting the city’s official website, the operational command center of the municipal police, and the video surveillance management system. Initial assessments ruled out a DDoS attack, eliminating suspected involvement by the pro-Russian group KillNet. Instead, evidence pointed toward a ransomware incident, though no formal claims or ransom demands were initially reported. Paolo Petralia Camassa, the city’s innovation councilor, confirmed the systems were proactively shut down and isolated to contain the breach, describing the situation as "serious." This manual shutdown rendered the website inaccessible and disabled services like limited-traffic-zone (ZTL) gates, parking payment apps, and public surveillance cameras. The city’s IT provider, SISPI, initiated recovery efforts, working to rebuild damaged network components. Authorities filed reports with the postal police and the prosecutor’s office, citing concerns over potential exposure of sensitive citizen data stored in demographic and tax management systems. No evidence of data encryption or theft was initially confirmed.

By June 9, the cybercriminal group Vice Society claimed responsibility for the attack, escalating it to a confirmed ransomware incident. The group threatened to release stolen internal data unless a ransom was paid within three days. Palermo’s administration officially acknowledged the ransomware nature of the attack via a Twitter statement, emphasizing containment measures while assuring continuity of demographic services. On June 12, Vice Society published a first batch of exfiltrated documents, revealing extensive personal data breaches. Compromised files included private health records, identity documents, local police violation reports, driver’s licenses, and residential addresses of Palermo citizens. The data originated from internal workstations, suggesting inadequate cybersecurity practices across municipal departments. The stolen folders contained months of records, with each file corresponding to individual sanction reports containing identity scans. While specific documents were withheld for privacy reasons, the breach highlighted systemic vulnerabilities in data handling. Recovery efforts remained ongoing, with SISPI’s task force focused on restoring services, though disruptions persisted. The incident underscored unresolved risks to public-sector data infrastructure, particularly the storage of highly sensitive citizen information.
