Cyber Incident Victim: CONATECO
Date: Jun 2023
Location: Italy
Summary
The Italian port terminal operator CONATECO suffered a cyber attack claimed by the DarkRace gang. The attackers exfiltrated 46GB of data from the company's IT infrastructure. Following the incident, the victim's website became inaccessible, displaying a maintenance message and 404 errors for its pages. The cybercriminal group publicly disclosed the attack on their darknet data leak site.
Description
On or around June 3, 2023, the cybercriminal group known as DarkRace publicly claimed responsibility for a cyberattack targeting the Italian company CONATECO, formally known as Consorzio Napoletano Terminal Containers. The group made this announcement by posting a claim of attack on its Data Leak Site (DLS), a platform hosted on the onion network within the darknet. According to the claim published on this site, the threat actors successfully exfiltrated approximately 46 gigabytes of data from the company's IT infrastructure. The attackers also provided a description of the victim organization, noting that CONATECO, founded in 1995, was the largest terminal in the port of Naples and the fourth largest in Italy, with a geographically favorable position in the heart of the Mediterranean that placed it amid major international trade routes.

Following the attack and its public claim, the CONATECO website became inaccessible. Visitors attempting to reach the site's homepage were met with a message stating "Sito in manutenzione," which translates to "Site under maintenance." Further attempts to access any sub-pages or specific content on the website resulted in HTTP error 404 messages, indicating that the pages were not found. This complete unavailability of the web presence was a direct and immediate impact of the incident, disrupting the company's public-facing operations and online services. The group DarkRace, while having a name similar to the British cybersecurity company Darktrace, is identified as a distinct ransomware operation.
The incident aligns with the common tactics, techniques, and procedures associated with ransomware attacks. Ransomware is a type of malicious software designed to encrypt data on a victim's systems, rendering them inaccessible. Attackers then demand a ransom payment, typically in cryptocurrency, in exchange for the decryption key needed to restore access. Furthermore, the act of exfiltrating data prior to encryption introduces the threat of double extortion. In this model, if the victim refuses to pay the ransom to decrypt their systems, the attackers threaten to publish or sell the stolen sensitive data, thereby increasing the pressure to comply. The public claim on a dedicated data leak site is a standard component of this double extortion strategy, serving as proof that the attackers possess the data and as a platform for its eventual release should their demands not be met.
The specific ransomware variant used in the attack and the initial attack vector, such as a phishing email or exploitation of a software vulnerability, were not detailed in the public claim. Similarly, the exact nature of the 46 gigabytes of exfiltrated data was not specified, though its theft implies it likely contained information sensitive to the company's operations. The immediate response action taken by CONATECO appeared to be taking its website offline and presenting a maintenance message to visitors. This is a common containment measure to prevent further unauthorized access, investigate the breach, and work on remediation efforts away from public scrutiny. There was no immediate public statement from CONATECO confirming the attack or providing further details on the scope or impact beyond the website's downtime.
The broader context of such attacks involves the Ransomware-as-a-Service (RaaS) model, which was referenced in the reporting on the incident. In a RaaS operation, the developers of the ransomware create the malware and maintain the infrastructure for payments and data leaks, then lease it to other criminal affiliates who carry out the actual attacks. This business model lowers the barrier to entry for cybercriminals and allows for attacks to be executed at a larger scale and more frequently. The public claim by DarkRace on its own data leak site is consistent with groups operating within this RaaS ecosystem. The incident underscores the severe operational and reputational consequences of such attacks, which can include prolonged system downtime, significant financial losses associated with recovery efforts and potential ransom payments, legal and regulatory implications from data breaches, and damage to stakeholder confidence. The full extent of the impact on CONATECO's internal operations and port terminal activities remained unclear from the initial reporting. The cybersecurity news outlet Red Hot Cyber noted it would monitor the situation for further substantive developments and offered the company an opportunity to provide a statement or updates for publication.
