In March, the Taggia municipality was the target of a databreach caused by ransomware. We analyse some of the evidence found in the leak to understand what could be the most critical aspects.
Basic information
Target: Municipality of Taggia (Province of Imperia, Region Liguria) Date: 11/03/2023 Author: RansomHouse Vector: e-mail with "White Rabbit" ransomware attached
The White Rabbit ransomware was developed by the hacker group Fin8, and is easily recognisable because of the text file that recalls the shape of a rabbit.
For more detailed information, we recommend reading the TrendMicro site page by following this link.
In 2017, the municipality of Taggia had 14,060 inhabitants, so it is a small town that provides a number of essential and important services to its citizens. The data breach involved both file exfiltration and encryption. From the files published on the net, it was possible to analyse a multitude of documents, the main structure of which can be summarised as follows.
Municipality_tagia_im |-Acqueduct |-General_Affairs_Messages |-General Affairs_Protocol |-General_Affairs_Secretariat |Environment |-Environment - Heritage |-Assessors |-DataPeople |-Public Works |-Wealth |-Municipal Police |-Public Education |Municipal Accounting |-Mayor's Secretariat |-Demographic Services |-Social Services |-Social Services |Taxes |Tourism
Particularly indicative is the presence, in some folders, of backup files that would suggest that the server, in addition to information, also housed backup copies of documents, folders and files. In a part of the official statement, released on Facebook by the first citizen Mario Conio, we learn that:
The master server, the virtual machines hosted by it and the online backup media, all located in a dedicated, locked and alarmed CED room, were attacked. All personal computers that remained switched on at the individual workstations were hacked. The initially encrypted data were subsequently stolen and disseminated on the web, violating the privacy of all concerned. It is not possible to determine precisely the types of data stolen, nor the number and categories of persons affected.
What was found
The municipality of Taggia, like other municipalities, has also had a not inconsiderable haemorrhage of files:
- Identity papers - Local police reports - Phototrap images - Images and vehicle number plate information for Telecontrol - Videos of surveillance cameras - Data on fragile subjects from social services - Psychological reports on minors - Psychological diary of patients - Password files in Word documents
Social policies: data from minors and beyond
The archive published by the hackers exposed data concerning the psychological state of minors (e.g. minors in foster care). The social services sector in this respect is critical and holds a lot of very sensitive information.
The presence of notes on the psychological state, together with the documents required to apply for funds financially, makes it possible to identify both the patient and the doctor without any doubt. There are also psychological diaries on elderly people for monitoring diseases such as Alzheimer’s.
Local police: between fines, pictures and videos
As always, another particularly important office is that of the local police command, where much of the information contained is of a special nature. Copies of identity documents add up to complaints, images captured by photo-traps used to combat pollution in the area, and videos from surveillance cameras.
Personal files, passwords, etc.
It is clear that within the stolen folders were found materials such as photographs and personal documents, but also the canonical password files containing credentials for a multitude of services (banks, web portals, etc.).
Protecting information
The Municipality of Taggia is, like others, subject to the need to protect information of a particular nature. It should be noted, with necessary frankness, that information within the municipality has both an internal and an external origin.
If the documentation only had an internal origin, resulting for instance from communication between offices, it would be very easy to protect this information. The fact that there is an exchange between the municipality and other bodies (such as solidarity centres) opens up a greater complexity and difficulty.
Nevertheless, it is clear that everything must be handled properly. After the data breach, First Citizen Mario Conio made a public announcement; among the comments in response is one that deserves due attention.
This user’s answer is objectively interesting and very correct: the municipality requires data and information from citizens for the provision of services, and this data cannot be handled loosely. This means that security measures must be commensurate with the level of information that the municipality needs to handle.