Preliminary inquiry documents in the Leonardo hack suggest hackers were targeting nEUROn drone, C-27J and ATR-72 documents.
For almost two years, between May 2015 and January 2017, the IT infrastructure of Leonardo, the Italian multinational aerospace and defense company, and the 8th largest defence contractor in the world, was targeted by a persistent cyber attack (known as Advanced Persistent Threat or APT), carried out with installation in systems, networks and in the target machines, of a malicious code whose aim was the creation of active communication channels suitable to allow a slow and continuous leakage of technical and business data.
The perpetrators of the attacks were identified and arrested by Italian Police: the two individuals are a former employee and a manager of the company, who are accused of the crimes of unauthorized access to the computer system, unlawful interception of electronic communications and unlawful processing of personal data and misdirection.
According to the Italian Police, the first complaint, made in 2017, reported anomalous data traffic leaving the Pomigliano D’Arco plant, located near Naples. Pomigliano D’Arco is a Leonardo plant which hosts the B767 and ATR production lines.
Initially, the extent of the attack seemed limited to a small number of workstations with a data loss deemed to be “insignificant”.
However, the subsequent investigations brought a much broader scenario to light. The person responsible for this attack was an IT security manager of Leonardo who was arrested. The investigators found out that he injected malware into target workstations by means of USB sticks. The malware started automatically at each execution of the operating system; it intercepted what was typed on the keyboard [hence it acted as a “keylogger”] and could also capture the frames of what was displayed on the screens. According to the Police, the targeted PCs were those of employees, including managers, who were involved in strategic activities.
The malware exfiltrated over 100K files from the workstations along with personal data of employees and “the design of components of civil aircraft and military aircraft intended for the domestic and international market.”
The Police is still investigating in order to understand whether the hacker was acting independently or at the behest of others, or the goal of the alleged activity. There might be several reasons to perform such an act: industrial and military espionage, revenge, use the stolen data to extort money or to damage the company image.
On Dec. 23, 2020, Reuters published an article based on the 108-page arrest warrant. The report says that “the preliminary inquiry cites evidence that one of the computers which was hacked belonged to a Leonardo technician who worked on the electronic system of the nEUROn, an experimental unmanned military aircraft which was designed in 2012 under a European defence programme led by France. […] Other computers belonged to Leonardo workers involved in the production of C27J military transport aircraft and ATR commercial and military turbo-prop planes used by Italy’s taxpolice and coastguard, the November-dated document said.”
While both the C-27J and ATR-72 (operated by the Italian Custom Police and Coast Guard) are possible targets of interest because in various variants they fly with several operators and are also offered to potential customers around the world, it’s at least worth of note the fact that some of data stolen was about the nEUROn UCAV (Unmanned Combat Aerial Vehicle).
nEUROn is a project involving France, Italy, Sweden, Spain, Switzerland and Greece. The first example of this full-scale technology demonstrator rolled out on Jan. 20, 2012, after five years of design, development, and static testing. After its roll out at Istres airbase in France the stealth combat drone (with a loosely resemblance to the Northrop Grumman X-47B) embarked on a three-year test campaign aimed at exploring the whole flight envelope of the UCAV. According to Dassault, the prime contractor of the European project, the first phase of tests in France included the opening of the weapons bay and evaluation of the EO (Electro Optical) sensor and datalink.
The second phase of testing focused on the assessment of the IR (Infra Red) and EM (Electromagnetic) signature of the aircraft in full stealth configuration, and was successfully completed at Istres in February 2015. Subsequently, the UCAV technology demonstrator was disassembled and moved, as planned, to Decimomannu airbase, in Sardinia, Italy, where it underwent operational testing in the Perdasdefogu range, before moving to Visdel, Sweden, for weapons trials. In 2016, extensive stealth and detection tests were conducted with the nEUROn and the Charles de Gaulle carrier group. In 2018, Spanish Eurofighters deployed to Istres, to carry out a testing campaign with the nEUROn that saw the Typhoons use their radar, infrared search and track (IRST) system, electronic support measures suite, and the imaging infrared seeker in the IRIS-T short-range air-to-air missile to try to spot the stealthy drone.
The nEUROn is set to serve as the technology demonstrator for a future family of serial production UCAVs part of the FCAS (Future Air Combat Systems) program, that Airbus described as a network-enabled system of systems that integrates a new generation fighter aircraft, unmanned MALE drones (medium-altitude, long endurance), the current aircraft fleet, cruise missiles and drone swarms. The Next Generation Weapon System (NGWS) will be the core of FCAS, comprising the NGF, the remote carriers and the Air Combat Cloud.
That being said, it’s not even clear what kind of details about nEUROn (or any other weapon system) the targeted Leonardo workstations and employees could store or access. And, were those workstations hacked because they were assigned to specific professionals or because they were known to store classified data? Or maybe they were injected with malware just because the perpetrator had the opportunity to plug the USB stick in one of the ports hoping to discover interesting data he wasn’t even aware it was stored on that PC beforehand?
Leonardo said that “classified, strategic information was not held on the computers that were violated. Leonardo does not store top secret military data at the group’s plant in Pomigliano d’Arco, near Naples. As mentioned above, Pomigliano, is mainly focused on two production lines: ATR (fuselage and various other parts are built and assembled there) and B767. So, it seems more reasonable to believe that documents leaked from the plant might be mostly related to those types, rather than the European drone programme led by the French Dassault.
Anyway, we will follow this story and provide updates as new details about this hack emerge.