Hive attacks Trenitalia and Ferrovie dello Stato

The Hive ransomware gang has attacked Trenitalia and Ferrovie dello Stato. Sales systems of Trenitalia and Ferrovie dello Stato, including self-service machines and ticket offices at stations, experienced a disruption on the morning of March 23, rendering them non-functional. The reason behind this disruption was the deliberate shutdown of a portion of the ticketing network by the company. This action was taken to address a targeted ransomware attack aimed at the Italian railway network infrastructure managed by Rfi, a subsidiary of the company. What we know so far is that Ferrovie fell victim to a type of malicious software called cryptolocker, which encrypts data and demands a ransom in exchange for a decryption key. Initially, there were speculations that Russian actors were responsible for the attack, according to a source close to security authorities. However, at present, there is insufficient evidence to determine attribution, as stated by Ivano Gabrielli, the director of the Postal Police's National Cybercrime Center for the Protection of Critical Infrastructures (Cnaipic). Cnaipic is collaborating with the recently established National Cybersecurity Agency (Acn) to address the breach and conduct a thorough analysis. Gabrielli emphasizes that, at this stage, they are treating the incident as a case of computer crime. Roberto Baldoni, the director of Acn, also affirms the criminal nature of the attack in an interview with Corriere della Sera. The primary theory under investigation suggests that the Hive ransomware group is responsible for the breach, based on trading chats published on the Italian website Redhotcyber, which have been subsequently corroborated by sources involved in the investigation. As a precautionary measure, certain unrelated areas have been isolated. Ferrovie has announced that other online systems are functioning normally and they are working to restore sales operations at the stations as soon as possible.