Cyber Incident Victim: Leonardo S.p.A.
Date: Jan 2015
Location: Italy
Summary
Italian police arrested two individuals for orchestrating a cyberattack against a major defense contractor involving malware distributed via USB drives to compromise internal workstations. The attackers deployed a trojan masquerading as a legitimate Windows system file, enabling data theft over a two-year period and exfiltration of confidential information, including military secrets, to a command-and-control server. Law enforcement later seized the server used in the operation, which involved the theft of approximately 10 GB of sensitive data from the company's systems.
Description
Between 2015 and 2017, unidentified threat actors conducted a cyberattack against Leonardo S.p.A., an Italy-based multinational defense contractor partially owned by the Italian Ministry of Economy and Finance. The attackers deployed malware disguised as 'cftmon.exe,' a filename chosen to mimic the legitimate Windows system file 'ctfmon.exe' located in the C:\Windows\system32 directory, thereby evading initial detection. Infection vectors involved physical compromise via USB storage devices, which were used to propagate the trojan across 94 internal workstations within Leonardo's network. Once installed, the malware operated covertly for approximately two years, systematically exfiltrating sensitive data. Stolen information included military secrets and confidential corporate documents totaling 10 GB in volume, transmitted to a command-and-control (C2) server hosted at the domain 'fujinama.altervista.org.' The prolonged duration of unauthorized access allowed extensive data collection without triggering security alerts.
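The masquerade described above relies on a single transposition (cftmon.exe for ctfmon.exe), which plain Levenshtein distance scores as two edits and a naive allow-list misses entirely. The following added example, not part of the incident record, shows one defender-side check: it flags process images whose name is one edit (including an adjacent transposition) from a known System32 binary, or that carry a genuine system binary name but run outside a system directory. The allow-list, directory prefixes and Sysmon-like log lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed short allow-list of binaries that legitimately live in System32 (example only).
SYSTEM_BINARIES = {"ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'cftmon.exe' vs 'ctfmon.exe' scores 1 (plain Levenshtein: 2)."""
    d = [[i if j == 0 else j for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(image_path: str) -> Tuple[str, Optional[str]]:
    """Return ('ok', None) or ('suspicious', reason) for one process image path."""
    path = image_path.lower()
    name = path.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES:
        if path.startswith(SYSTEM_DIRS):
            return ("ok", None)
        return ("suspicious", f"{name} running outside a system directory")
    for legit in sorted(SYSTEM_BINARIES):
        if osa_distance(name, legit) == 1:  # one typo/transposition away from a real name
            return ("suspicious", f"{name} is one edit away from {legit}")
    return ("ok", None)

def scan(log_lines: List[str]) -> Dict[str, str]:
    """Run classify() over the Image= field of each process-creation log line."""
    findings: Dict[str, str] = {}
    for line in log_lines:
        m = re.search(r"Image=(\S+)", line)
        if m:
            verdict, reason = classify(m.group(1))
            if verdict == "suspicious":
                findings[m.group(1)] = reason
    return findings

# Constructed sample lines in a Sysmon-like key=value layout; not taken from the page.
SAMPLE_LOG = [
    "EventID=1 Image=C:\\Windows\\System32\\ctfmon.exe User=alice",
    "EventID=1 Image=C:\\Users\\alice\\AppData\\Roaming\\cftmon.exe User=alice",
    "EventID=1 Image=C:\\Temp\\svchost.exe User=alice",
]
```

Running `scan(SAMPLE_LOG)` reports the roaming-profile cftmon.exe as one edit from ctfmon.exe and the C:\Temp svchost.exe as a system binary name outside a system directory, while the genuine ctfmon.exe passes.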

Italian law enforcement agencies, including the Polizia di Stato, eventually identified the C2 infrastructure and seized control of the 'fujinama.altervista.org' server, replacing its content with an official seizure notice. On December 5, 2020, authorities arrested two individuals allegedly responsible for orchestrating the intrusion and data theft. Forensic investigations confirmed the malware's functionality and its two-year operational timeline, which matched the data exfiltration period. The breach compromised national security interests because of Leonardo's role as a major supplier of defense systems to Italy, the UK, and the US. No public disclosures indicated whether the stolen data was weaponized or sold, though the arrest operation demonstrated law enforcement's ability to attribute and act upon digital evidence years after the initial intrusion.
