Cyber Incident Victim: Unione di Comuni Colli del Monferrato
Date:
Apr 2021
Location:
Italy
Summary
The Avaddon ransomware group conducted a cyber attack against an Italian municipal union, exfiltrating and publishing sensitive data while mistakenly targeting an unrelated entity with a disruptive DDoS attack. Attackers initially misidentified the victim in their public posts and included documents from an unrelated municipality, later correcting the listing but continuing to DDoS the wrong organization. The incident compromised operational systems involved in COVID-19 scheduling and public health services, exacerbating disruptions during a critical period. Avaddon's operational errors included persistent targeting inaccuracies and the public exposure of irrelevant data alongside the victim's stolen information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 3 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Avaddon ransomware group executed a cyber attack against the Unione di Comuni Colli del Monferrato, a union of municipalities in Italy’s Asti province, around April 2021. On April 25, Avaddon published screenshots of data allegedly stolen during the attack but erroneously identified the victim as "Unione dei Colli DiVini in the heart of Monferrato," a separate entity. The group also launched a distributed denial-of-service (DDoS) attack against unionecolledivini.at.it, the website of the incorrectly named Unione dei Colli DiVini, compounding their targeting error. Further compounding the confusion, Avaddon’s leaked data included documents originating from Cisliano, a municipality in the Milan metropolitan area unrelated to the Asti region’s municipal unions. Security researcher Marco A. De Felice documented these discrepancies, noting the attackers’ apparent lack of familiarity with Italian administrative geography.
Following De Felice’s public reporting of the errors on April 25, Avaddon revised their data leak site within hours, changing the victim’s name from "UNION OF THE DIVINE HILLS IN THE HEART OF MONFERRATO" to "MUNICIPALITY OF VILLAFRANCA D’ASTI." However, they failed to halt the ongoing DDoS attack against unionecolledivini.at.it, despite the corrected listing acknowledging Villafranca d’Asti and Baldichieri d’Asti as the actual affected municipalities under the Unione di Comuni Colli del Monferrato (collidelmonferrato.at.it). The stolen data, which remained publicly exposed by Avaddon, included documents related to COVID-19 scheduling and public health operations, indicating disruption to critical municipal services. The incident highlighted operational deficiencies within the ransomware group, including prior instances of misidentifying victims in other attacks. No information was provided regarding whether the Unione di Comuni Colli del Monferrato received extortion demands or whether any systems were successfully decrypted post-attack. The DDoS attack against the wrong entity persisted despite public scrutiny of Avaddon’s errors.