Italian police arrested two people over the theft of 10 GB of confidential and allegedly secret data from the defense company Leonardo S.p.A.

Italian police have arrested two people who have been accused of stealing 10 GB of confidential data and military secrets from defense company Leonardo S.p.A.

Leonardo is a state-owned multinational company and one of the world’s largest defense contractors. 

The press release published by the Italian police states that the duo carried out a serious attack on the IT structures of the Aerostructures Division and the Aircraft Division of Leonardo SpA.

The two people are a former employee of Leonardo SpA’s IT security management, Arturo D’Elia, who is currently in jail, and Antonio Rossi, head of Leonardo’s CERT (Cyber Emergency Readiness Team), who is subject to a precautionary measure of home custody.

The head of Leonardo’s cyber-emergency team was placed under house arrest for allegedly misrepresenting the scope of the attack and hindering the investigation.

The prosecutors state that Leonardo’s security systems did not detect the malware that was allegedly used by the unfaithful employee.

The CNAIPIC of the Central Service of the Postal and Communications Police and the local police have arrested a former employee and a manager of the aforementioned company. The former is suspected of unauthorized access to the computer systems, unlawful interception of electronic communications, and unlawful processing of personal data; the latter of having attempted to hijack the investigation and cover up the crime.

In January 2017, the internal cybersecurity structure of Leonardo SpA reported anomalous network traffic, outgoing from some workstations of the Pomigliano D’Arco plant. According to the experts, the traffic was generated by an alleged implant used to exfiltrate the data.

The anomalous traffic was directed towards a web page called “”, which was already seized by the police.


One of the two suspects allegedly used USB keys to infect 94 workstations with a Trojan. The press release published by the police doesn’t include technical details about the malware used to exfiltrate the information; it only reports that the malware poses as the legitimate Windows file “C:\Windows\system32\cftmon.exe” to evade detection.
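A defender-side check for the file-name masquerading described above, added here as an example (it is not from the police release or the original article): it flags executables whose names are within one edit or one adjacent-letter swap of a genuine Windows binary. The allowlist, function names and sample paths are constructed for illustration, and the example assumes the name quoted above is a near-miss of the real Windows binary ctfmon.exe.

```python
import ntpath

# Assumption: a small constructed allowlist; in practice, build it from a clean reference image.
KNOWN_SYSTEM_BINARIES = {"ctfmon.exe", "svchost.exe", "lsass.exe",
                         "csrss.exe", "winlogon.exe", "explorer.exe"}

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def lookalike_of(path, max_distance=1):
    """Return the genuine binary name this file imitates, or None if it is
    itself a known name or is not close to any known name."""
    name = ntpath.basename(path).lower()  # ntpath parses backslash paths on any OS
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    for real in sorted(KNOWN_SYSTEM_BINARIES):
        if osa_distance(name, real) <= max_distance:
            return real
    return None

def triage(paths):
    """Map each suspicious path to the genuine name it resembles."""
    hits = {}
    for p in paths:
        real = lookalike_of(p)
        if real is not None:
            hits[p] = real
    return hits

# Constructed sample of a file inventory; only the first path appears in the article.
SAMPLE_PATHS = [r"C:\Windows\system32\cftmon.exe", r"C:\Windows\System32\ctfmon.exe",
                r"C:\Windows\System32\svch0st.exe", r"C:\Windows\System32\notepad.exe"]

if __name__ == "__main__":
    for path, real in triage(SAMPLE_PATHS).items():
        print(f"{path} resembles {real}")
```

A name-distance hit is a triage signal, not a verdict: confirm it with the file's signature, hash and creation time before acting.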

The duo used the malware to steal the data between 2015 and 2017 and send it back to a command and control server (‘’).

Local media reported that forensic copies of the first machine infected with the malware have disappeared. The copies of the “patient zero” system handed over to the police were illegible.

Media reported that the exfiltrated data included confidential accounting information and military designs.

“Overall, data for 10 gigabytes, that is about 100,000 files, concerning administrative-accounting management, the use of human resources, the procurement and distribution of capital goods, as well as the design of civil aircraft components and military aircraft for the Italian and international market were exfiltrated,” the press agency AGI reports. “Also capture credentials for accessing personal information of Leonardo spa employees,”

Leonardo issued the following statement.

“With regards to the current measures adopted by the Naples judiciary, Leonardo announces that the investigation comes from a complaint by the Company’s security that has been followed by others. The measures concern a former collaborator who is not an employee of Leonardo, and a non-executive employee of the Company.” reads the statement.

“The Company, which is obviously the injured party in this affair, has provided maximum cooperation since the beginning and will continue to do so to enable the investigators to clarify the incident, and for its own protection. Finally, it should be noted that classified or strategic data is processed in segregated areas, without connectivity, and not within the Pomigliano plant,”

[Source: SecurityAffairs / 12.6.]