LockBit claims ransomware attack on Italian tax agency

Agenzia delle entrate

Italian authorities are investigating claims made by the LockBit ransomware gang that they breached the network of the Italian Internal Revenue Service (L’Agenzia delle Entrate).

LockBit claims they stole 100 GB of data (including company documents, scans, financial reports, and contracts) that will be leaked online if the Italian tax agency doesn’t pay a ransom demand until August 1st.

The Italian revenue agency shared an official statement on its website regarding “the alleged theft of data from the tax information system,” saying that it requested more info from Sogei (Società Generale d’Informatica) SpA, a Ministry of Economy and Finance public company that manages the financial administration’s technological infrastructure.

“From the technical investigations carried out, Sogei excludes that a cyber attack on the Agency’s website may have occurred,” the agency said.

Sogei SpA also manages IT infrastructure used by other Italian agencies, including the Ministries of Justice, Interior, and Education, the State Attorney General, and the Department of the Treasury.

A Sogei spokesperson told BleepingComputer that “there are no cyber attacks on the financial administration’s technological platforms and infrastructures,” adding that “it is not possible to provide further details as investigations are ongoing.”


LockBit Italian tax agencyImage: BleepingComputer

The company also shared an official statement on its website saying it found no evidence of a cyberattack impacting the Italian revenue agency.

“With regard to the alleged cyber attack on the tax information system, Sogei spa informs that from the first analyzes carried out, no cyber attacks have occurred nor have data been stolen from platforms and technological infrastructures of the Financial Administration,” the public company said Monday [PDF].

“From the technical investigations carried out, Sogei, therefore, excludes that a cyber attack on the site of the Revenue Agency.”

Sogei SpA added that it’s currently collaborating and supporting an ongoing joint investigation coordinated by the Italian National Cybersecurity Agency and the Postal Police.

The LockBit ransomware gang first surfaced in September 2019 as a ransomware-as-a-service (RaaS) and relaunched as the LockBit 2.0 RaaS in June 2021 after ransomware groups were banned from posting on cybercrime forums [1, 2].

In February, the FBI released a flash alert with indicators of compromise associated with LockBit ransomware attacks (accounting for 40% of all known ransomware attacks in May 2022), asking organizations targeted by this RaaS’ affiliates to report any incidents urgently.

Last month, LockBit released ‘LockBit 3.0,’ introducing the first ransomware bug bounty program, new extortion tactics, and Zcash cryptocurrency payment options.

Update July 26, 11:33 EDT: Added a Sogei SpA statement to BleepingComputer.


Related posts

T-Mobile discloses second data breach since the start of 2023

Sarah Henriquez

Cisco fixes bug that lets attackers execute commands as root

Sarah Henriquez

Critical Microsoft Outlook bug PoC shows how easy it is to exploit

Sarah Henriquez

Leave a Comment