Attack on the Revenue Agency: the point of the situation

A few days ago, news broke that the Revenue Agency had reportedly been hit by a malware attack. The (presumably Russian) hacker group working with the LockBit ransomware managed, according to the group itself, to hit the Agency's website on 25 July 2022. The news came from LockBit itself, which published the announcement of the attack on the dark web. But is it true? Was data stolen from the Revenue Agency or not?

Data theft from the Revenue Agency

LockBit said it had got hold of 100GB of data. Criminal though it is, the group has always proved reliable in its statements, and it has to be if it wants to keep its reputation high. On the other side is Sogei, Società Generale d'Informatica SpA, the IT and technology arm of the Ministry of Economy and Finance, which manages all the most sensitive servers in our country.

On the same day, Sogei denied everything with the following statement:

“With regard to the alleged cyber attack on the tax information system, Sogei spa informs that, from the first analyses carried out, no cyber attacks have occurred and no data have been stolen from the technological platforms and infrastructures of the Financial Administration. From the technical investigations carried out, Sogei therefore excludes that a computer attack on the site of the Revenue Agency may have occurred. In any case, collaboration with the National Cybersecurity Agency and the Postal Police remains active in order to give maximum support to the investigations in progress.”

Following this press release, several hypotheses sprang up around the web. The most credible one pointed to a possible data breach at an organization connected to the Revenue Agency but outside Sogei's control perimeter. This does seem to be the right track: some of the screenshots LockBit published on the dark web as proof of the stolen data show documents related to GESIS or GESISD. This would be a reference to an accountancy firm, and would therefore have nothing to do with Sogei or the Revenue Agency.

Another press release from Sogei explains better what happened:

Regarding the articles published this week in some media in relation to an alleged hacker blackmail attempt at the Revenue Agency, at the moment we can only observe the following. The data published in these articles, as far as we know, do not come from servers of the Revenue Agency but from one of our servers that was the subject of a recent hacker intrusion attempt aimed at encrypting our files and exfiltrating data, with a related ransom note.

This attempt was unsuccessful, as our backup and anti-intrusion systems have avoided any data loss and limited the exfiltration of data to a minimal part, under investigation, of those present in our servers. In particular, about 7% of the data would have been exfiltrated.

Of this part, about 90% would concern databases of old versions of management programs and therefore unusable. Therefore, there were no significant consequences on our and our customers' businesses. The parties directly concerned, including the competent authorities, were informed.

We cannot currently release any further information so as not to hamper the ongoing investigation.

So we can (almost) breathe a sigh of relief. From what can be seen, Sogei seems certain that there has been no data leak relating to the Revenue Agency website, and the stolen data could relate to some affiliate external to the Agency itself and not under Sogei's control.

The article "Attack on the Revenue Agency: the point of the situation" was written on: Tech CuE | Close-up Engineering.