The “hack” the alleged ItalyGate whistleblower was arrested for lacked “sophistication” according to analysis conducted by two separate cybersecurity firms.
“ReaQta Threat Intelligence Team identified the malware used in an exfiltration operation against the defense contractor Leonardo S.p.A. The analysis of the malware, which we dubbed Fujinama, highlights its capabilities for data theft and exfiltration while maintaining a reasonably low-profile, despite a lack of sophistication, mostly due to the fact that the malicious vector was manually installed by an insider,” an analysis by Dutch cybersecurity firm ReaQta reads.
One of those alleged Fujinama hackers, Arturo D’Elia, has reportedly come forward, confessing to hacking the U.S. election on Nov. 3. He was arrested by Italian authorities for hacking the internal systems of Italian defense contractor Leonardo SpA, the firm with which he was working at the time.
The malware he allegedly used has been dubbed “Fujinama” by ReaQta, after part of the URL of the website to which information from Leonardo’s system was sent after it was hacked.
After conducting the U.S. election hack, D’Elia reportedly went home and told his wife what he had been told to do by his employer. “I don’t understand why we are interfering in America’s election,” he told her. D’Elia’s wife would in turn tell friends and family about the plot. The story ultimately garnered attention from Italian authorities, and when D’Elia was questioned he reportedly blew the whistle.
Italian law enforcement authorities have been working with Maria Strollo-Zack, Chairwoman of Nations in Action™, a government accountability organization based here in the States, on bringing evidence of the election operation to light.
Separately, D’Elia was accused of infecting his company’s computer system with programs allowing confidential information to be exfiltrated, or exported, to outside computers. Ninety-four workstations were affected by the malware program, authorities allege. The hacking took place over the course of two years from 2015 to 2017 and authorities say 10 gigabytes worth of data – the equivalent of about 100,000 files – were illegally transferred.
He and another man were arrested on December 5, 2020 – three years after the alleged hacks ended but just four days after a story appeared in major Italian news publication La Verita that outlined allegations of interference in the Nov. 3 U.S. election. In the story, journalist Daniele Capezzone wrote that the Trump campaign was at an “advanced stage” in investigating the allegations.
That D’Elia would be arrested three years after allegedly hacking the computer system of his employer but just four days after news reports of an election hack he was allegedly involved in broke is enough to draw scrutiny. But that the computer code allegedly used in the hack is so simplistic also raises questions.
According to his LinkedIn profile D’Elia has been an IT professional for 15 years, working for high-profile firms and entities such as the Italian Air Force, the Italian Public Prosecutor’s office, NATO, and Alcatel-Lucent.
He had been a security team lead at Leonardo since 2018.
“It appears that this serious cyber attack was carried out by an IT security manager of Leonardo SpA, Mr. Arturo D’Elia, against whom the GIP of the Court of Naples ordered the measure of pre-trial detention in prison,” read a statement released by the Commissariato di PS, an Italian law enforcement agency specializing in cyber crime.
According to analysis by cybersecurity firms, however, the hack seems to have been not very serious at all – at least not in method.
“The ‘Fujinama’ samples show no trace of complex frameworks, all the code is straightforward…The structure itself is really basic: the malware application logic is coded and triggered within a hidden form and a few timers,” reads another analysis by cybersecurity firm Yoroi.
“As reported in other technical reports, the malware code is quite particular and does not have any type of code-protection systems. Also the network traffic to the C2 has no sophisticated encryption or random looking encoding,” it adds.
There have been no public statements by D’Elia or his attorneys for weeks. Strollo-Zack says intelligence that NIA has received indicates D’Elia may have been transported to the United States.
In February we reported on two Italian military planes that flew in tandem to the U.S., partially confirming intelligence Strollo-Zack and her team had received. A spokesperson from Joint Base Andrews, where the planes landed, told ITN at the time that “a range of missions and aircraft fly aircraft, including the aircraft of partnered and allied nations, onto the world’s highest visibility flight line” and referred us to the Italian Embassy in Washington, D.C. for any additional questions. The Italian Embassy did not respond to requests for comment.
ITN has also reached out repeatedly to the Commissariato di PS to ask for simple confirmation that D’Elia is still in Italian custody. As of the time of this writing we have received no response.