Italy warns of cyberattacks on energy industry after Eni, GSE incidents

Italy’s National Cyber Security Agency warned on Friday that attacks on Italian energy operators and infrastructure are increasing following two headline-grabbing breaches of major companies over the last week. 

The agency recommended that organizations “raise the levels of protection of digital infrastructure of energy operators,” and note that they are “constantly updating them in line with the most recent threat information.”

The notice specifically cited the cyberattack on the oil and gas supermajor Eni, which confirmed to The Record it had been attacked this week.

“As part of the monitoring activities of Eni's IT infrastructures, strengthened following the start of the conflict in Ukraine, the Company confirms that the internal protection systems have detected unauthorized access to the corporate network in recent days,” a company spokesperson said. 

“Eni, in collaboration with the competent Authority, is working to assess the consequences of the attack attempt, which are currently minor.”

The attack on Eni was first reported by Bloomberg on Wednesday. The outlet said those familiar with the incident described it as a ransomware attack. 

The Eni hack followed another cyberattack on Sunday night affecting Gestore dei Servizi Energetici (GSE), the Italian energy agency that runs the country’s electricity market. The organization said in a statement that its servers were compromised, and employees are still unable to access internal data or their email accounts.

According to Bloomberg, some market functions typically managed by GSE were suspended this week. The situation was so serious that Prime Minister Mario Draghi held a meeting on Thursday with the Interministerial Committee for Cybersecurity and other top government officials about both attacks.

The BlackCat ransomware group took credit for the attack on GSE, claiming to have stolen more than 700 GB of data from the agency. 

Italian oil giant Eni SpA was hit with a ransomware attack yesterday and ALPHV Black Cat posts the Italian Energy Agency today. @campuscodi @GossiTheDog @BleepinComputer @TheRegister pic.twitter.com/hE11X15BW7

— Dominic Alvieri (@AlvieriD) September 1, 2022

The group – also known as AlphV – continues to be one of the most prolific ransomware groups targeting energy companies. Attacks on two Luxembourg energy companies were attributed to the group as well as other incidents targeting some of the largest ports across Belgium, the Netherlands, and Germany. 

According to several experts, AlphV/Black Cat is a rebrand of the prolific BlackMatter ransomware group, which itself was allegedly a rebrand of the DarkSide ransomware – a gang accused of launching the attack on Colonial Pipeline.