
Cyber Incident Victim: Azienda Trasporti Milanesi (ATM)

Date:

Feb 2019

Location:

Italy

Summary

Attackers breached the systems of Milan's public transport operator, compromising passwords and deploying malware that blocked legitimate access even after the credentials had been reset. The intrusion appears to have targeted the software that manages the metro's surveillance cameras, which holds sensitive records of turnstile entries and platform movements; one hypothesis was that specific recordings were to be altered or deleted for illicit purposes such as fabricating an alibi. The investigation, led by the postal police, was slowed by the attackers' obfuscation techniques and required external cybersecurity specialists to get past the barriers they had put in place. No terrorist involvement was detected in the initial phase, but the scope of the data compromised or altered remained unclear, causing operational concern. The incident differed from earlier internal fraud at ATM involving cloned "ghost tickets": this was a more advanced external attack on critical infrastructure.


Description

The incident at Azienda Trasporti Milanesi (ATM) began around February 18, 2019, when unauthorized actors breached the transport company's digital systems. Early speculation that the attackers were trying to circumvent Milan's upcoming Area B traffic restrictions was ruled out during the initial investigation. Forensic analysis showed that the attackers obtained ATM's passwords and deployed malware that blocked legitimate access attempts, including those made with newly reset passwords. Since resetting the passwords did not restore access, the attackers' hold on the systems did not depend on the stolen credentials alone. The attack also hid its activity on the affected systems, so ATM's internal security staff could neither monitor the compromised infrastructure nor regain control of it.


The postal police, led by Salvatore La Barbera, opened an investigation after ATM management formally reported the intrusion early that week. Investigators determined that the attackers had specifically targeted the software managing the metro's internal surveillance cameras, which processes sensitive transit data such as turnstile entries and platform movements. Although this data has no direct criminal relevance in itself, authorities examined whether manipulating or deleting specific transit records could serve to construct an alibi or conceal other illicit activity. The attackers' obfuscation techniques stalled progress until external cybersecurity consultants were brought in to get past the electronic barriers. ATM suffered significant operational disruption and did not know which data had been altered, deleted, or exfiltrated. The case marked a departure from earlier ATM fraud, in which employees had cloned "ghost tickets" for profit: this breach showed professional-grade tradecraft directed at critical infrastructure. No counterterrorism units were involved in the initial phase of the investigation, and the full scope and motive remained undetermined while evidence was still being collected.
