In the last few hours, Postel SpA (Postel) has sent its employees a press release which, in our opinion, describes summarily and with some inconsistencies the events that followed the IT attack carried out by the Medusa ransomware group, with the consequent loss of data, much of it sensitive.
But let's take things in order and retrace what we wrote in a previous article, in which we exclusively reported the attack on the IT infrastructure of the wholly owned (100%) subsidiary of the Poste Italiane SpA Group.
On the morning of August 15, before the publication of our article and before Medusa published the news on its blog, the ransomware group let us know that it had hit Postel:
We hacked Italy firm: postel.it
After a few minutes we tried to connect to postel.it, but the website was unreachable: "This Site Can't Be Reached".
That error is caused, in most cases, by the server failing to respond at all; it is certainly not the result of a Distributed Denial of Service (DDoS) attack, in which case we would have received a different type of error.
This is why we are convinced that on August 15th the postel.it site was not under DDoS attack, but had been deliberately taken offline in order to be restored from backup copies. Confirmation would also come from a statement released by Medusa, in which the group claims that postel.it was indeed under DDoS, but only from August 10 to 12:
We stopped D-dos
We ask ourselves two questions:
- Why does the press release sent to employees suggest that the data exfiltration took place on August 15th?
A similar statement had come days earlier, on August 16, from the Agency for Digital Italy (AgID), in a tweet replying to a user on X (Twitter).
From what we have been told, on Thursday 10 August Medusa was still inside Postel's computer network, only to leave it the same day. As we have previously reported, the ransomware group then reportedly moved to target the servers with DDoS attacks, which would have started the same day and stopped on Saturday 12 August:
Finished inside the network 10
We stopped D-dos
At the moment we have no objective evidence for what the ransomware group said (in fact we have one piece, which we will illustrate later), just as we have none regarding the statements released first by AgID and then by Postel. But thanks to the latter's statements we can say that the data theft was discovered only on August 15th.
The objective confirmation is the modification date of the subfolders, which all show August 7th; there is one reason for this: August 7th is when Medusa exfiltrated the data from the Postel servers. Below are two examples:
It would seem that what Medusa asserted is true. The ransomware group may have remained within the Italian company's IT infrastructure for at least 4 days, from August 7 to 10, when, according to its statement, it exited the systems and began the DDoS attacks.
A peculiarity of Medusa, not common among other ransomware groups (we verified it in the recent past also against the American company Borets (Levare International)), is that it tries to put further pressure on its victims with DDoS attacks against their IT infrastructure; this happens when negotiations have taken place but failed, or when the victim refuses to negotiate altogether.
We then asked Medusa whether there had been any negotiations with Postel; here is what they answered:
they visited chat only, didn’t write a word.
- Why does the press release not take for granted the loss of personal data of Postel employees and collaborators, given that the data published for days now on the ransomware group's blog includes screenshots of employees' passports and identity cards?
In cases like this, caution in issuing statements is justifiable, but often there is a tendency to minimize or even deny the evidence. We can instead say with certainty that the sensitive data uploaded by the cybercriminals to their blog is not the only data to have been exfiltrated: Medusa has thousands of other sensitive and confidential documents in its hands, such as names and surnames, dates of birth, tax codes, complete residential addresses, telephone numbers, company and private e-mail addresses, Public Digital Identity System (SPID), unencrypted access passwords for servers and domains, pay slips, Unique Certifications (Certificazione Unica), 730 forms, 740 forms, sensitive documents issued by INPS, results of company medical examinations (health surveillance), reports and communications to INAIL about accidents at work, administrative documents…
But Medusa also has files that should never have resided on company servers, as they are personal documents not traceable to the work carried out for Postel. As we have said, these are private documents of some employees, such as lease contracts, tax codes, bank current account statements, reports by INPS medical commissions, life insurance policies, clinical test results, a minor's identity card and tax code, a minor's medical report. But also documents that Postel employees or collaborators should not have had in their possession, such as identity cards and tax codes.
It is a bad habit to use company devices for private purposes, but we know it is a practice that, unfortunately, spans both the public and private sectors. Imagine the use that this or another group of cybercriminals could make of it. This huge amount of sensitive data, in this case not properly protected, could give rise to identity theft or phishing campaigns, or be sold on the dark web. But evidently the risk of such incorrect practices is only realized later, when the data has already been stolen.
All of this is data that will emerge, if it has not already, during the checks that specialized technicians and forensic experts appointed by Postel will carry out to establish exactly what Medusa actually took during the cyber attack.
As mentioned above, the data exfiltrated by the cybercriminals also includes administrative documents, such as contracts with public and private companies for the supply of, for example, "Direct Marketing Services", "Printing Services", "Printing Services for PagoPA collection" or "Posta Massiva". The latter are attributable to old contracts entered into by Nexive Group srl (formerly TNT Post Italia), now managed by Postel; we remind readers that Nexive Group srl is 100% controlled by the Poste Italiane Group.
Given that the data belongs to multiple Postel offices, how much data was actually stolen from Postel's servers, and what types of documents?
In a previous article we talked about 100GB of stolen documents; Medusa specifies that the total exfiltrated data amounts to almost 84GB, in 40,310 folders and 157,189 files.
Below we show the number of files by type:
We remind you that the processing of personal data is regulated by European law as set out in the GDPR; in cases like this we also refer, among others, to various articles and recitals, which we list:
SuspectFile will update this story as new information emerges.