Cybercrime Leonardo S.p.A. Data Breach Analysis


Staff member
Malware Hunter
Jul 27, 2015
Quote : " Leonardo S.p.A. (formerly Finmeccanica) is the 8th largest defence contractor. Partially owned by the Italian government, the company is widely known, among other things, for their AgustaWestland Helicopters, major contributions to the Eurofighter project, development of naval artillery, armoured vehicles, underwater systems, implementation of space systems, electronic defence and more.

On the 5th of December 2020 the CNAIPIC (National Computer Crime Center for Critical Infrastructure Protection), a unit specialized in computer crime, part of the Polizia di Stato (the Italian Police), reported the arrest of 2 individuals in relation to a data theft operation, identified for the first time in January 2017, against Leonardo SpA’s infrastructure. The anomalous activity was identified by the company’s security unit and quickly reported to the authorities that started an extensive investigation. Though the company’s initial report identified the leak to be negligible in volume, the CNAIPIC’s investigation found the amount to actually be significant, with 100.000 files exfiltrated for a total of 10Gb of data from 33 devices in a single location and tracking the final infection to a total of 94 different devices. The attack was considered an APT by the Italian Police, carried out by a single person whom manually installed a custom malware on each targeted machine.

Physical attacks are hard to detect, as any local access to the device can help to mitigate on-device detections, this is especially true when the attacker is, like in Leonardo’s case, part of the company’s security unit. A physical attack carried out by a person with high-level access is a worst-case scenario for any company or agency but, as we will see later, things might have taken a different turn if the malware involved was actually sophisticated. "

Fujinama First Detection

In January 2017, Leonardo’s Cyber Security Unit reported anomalous traffic from a number of endpoints operating in the Pomigliano D’Arco (Naples) office, the offending application name cftmon.exe was a twist of a well-known Windows component ctfmon.exe. The application was not recognized as malicious by the security solutions in use, but the network traffic was indeed highly anomalous. As we will see in the analysis, while the attacker was certainly persistent, the sophistication was also lacking, in fact the type of traffic generated led eventually to the identification of the threat. Unfortunately the CNAIPIC didn’t release any information on the threat, except for its filename and the C2 address used: www[.]fujinama[.] ( shut down by the Italian police ) though this was enough to threat hunt in our dataset looking for traces of this malware.

Hunting Down Fujinama

The hunt for Fujinama started shortly after CNAIPIC’s bulletin was published. Our Threat Intelligence team managed to find samples that reached our sensors network from 2018. From that point, we managed to pivot on a third sample that appears to be related to a different operation. Two of the three samples share the same keylogging capabilities but they point at two different C2. A third sample, pointing to the Fujinama C2, is in all likelihood an evolution of the previous version that includes screenshots capabilities, exfiltration and remote execution. This specific sample, labeled Sample 2 in the article, will be the focus of our behavioural analysis.

Fujinama was written in Visual Basic 6 and it tries to mimic an internal Windows tool: cftmon.exe (as mentioned above, a twist on the legitimate ctfmon.exe).

Main Flow

The sample adopts a very simple sandbox evasion technique, sleeping for 60 seconds before activating the malicious flow that consists of:
  • Every 60 seconds: capturing a screenshot of the Desktop and uploading it to the C2
  • Installing a keylogger on the victim machine that sends all keystroke to the C2
  • Every 5 minutes: checking on the C2 for the presence of a command used either to execute an application or to exfiltrate a specific file

The Screenshot routine simulates a keypress on the PrtScn button to capture the image of the desktop. The screen content is then saved from the clipboard to a jpg file in a temporary folder. Finally Fujinama uploads the newly created image to its C2, using a http POST request with content-type multi-part before deleting the file from the victim’s device.


The keylogging routine simply waits for the user input, once a keystroke has been typed it is immediately uploaded to the C2. Surprisingly the keystroke is transferred using a simple GET request, this approach – although ignored by the local antivirus – is both visible and noisy, most likely this is what gave up the presence of the malware on its first detection. "

Full source :