Executive Summary
In June 2024, a hacker reportedly breached the systems of Almaviva, an Italian IT provider serving FS Italiane Group, the national railway operator. The attacker claimed to have exfiltrated 2.3TB of corporate data, including documents, contracts, financial information and communications, by exploiting weaknesses in the supplier's defenses. Although FS Italiane's operational technology was reportedly not directly compromised, the breach of Almaviva's infrastructure exposed confidential client and business data, raising third-party risk and data privacy concerns for the many Italian public sector organizations the provider serves.
This incident highlights a worrying trend of attackers targeting IT services providers as a conduit for large-scale data breaches against critical infrastructure operators. With supply chain vulnerabilities on the rise, organizations must urgently reassess their vendor risk management and network segmentation strategies to prevent similar cascading impacts.
Why This Matters Now
This breach underscores the increasing threat posed by attacks on IT service providers, which often serve as crucial links in the digital supply chain for national infrastructure. The urgency stems from the potential for such breaches to spill over and disrupt essential services or expose sensitive data on a massive scale, making improved vendor controls and segmentation an immediate priority.
Attack Path Analysis
Public reporting describes the outcome of the intrusion rather than its path; the sequence below is inferred from that outcome and should be read as a hypothesis, not a confirmed timeline. Attackers initially compromised Almaviva, plausibly via a supply chain compromise or exposed remote access. Compromised credentials or privilege escalation then enabled broader access to internal systems. Attackers moved laterally across network segments and workloads toward systems holding client data, including railway-related material, and established command and control to maintain persistence and orchestrate collection. Roughly 2.3TB of data, per the attacker's claim, was exfiltrated over outbound channels. The impact was a large-scale data breach with reputational and potential operational consequences.
Kill Chain Progression
Initial Compromise
Description
The adversary gained initial access to Almaviva's environment, likely through supply chain attack methods or exploitation of externally exposed services, abusing the trust placed in the IT provider's connections to its clients.
Related CVEs
The cited sources do not attribute the intrusion to any specific vulnerability. The two entries below carry placeholder-pattern identifiers (12345, 67890) and name products that the sources do not mention; treat them as template illustrations of the vulnerability classes that typically enable this stage, not as confirmed findings about Almaviva.
CVE-2025-12345 (placeholder entry)
CVSS 9.1 – An authentication bypass vulnerability in the web interface allows an unauthenticated remote attacker to access sensitive data.
Affected Products: Almaviva Enterprise Management System – < 5.4.1 (not corroborated by the cited sources)
Exploit Status: exploited in the wild (not corroborated by the cited sources)
CVE-2025-67890 (placeholder entry)
CVSS 8.8 – A remote code execution vulnerability in the file upload component allows an authenticated attacker to execute arbitrary code.
Affected Products: Almaviva Document Management System – < 3.2.0 (not corroborated by the cited sources)
Exploit Status: proof of concept (not corroborated by the cited sources)
MITRE ATT&CK® Techniques
Mapped from the inferred attack path above; the cited sources do not confirm which techniques were actually used.
Exploit Public-Facing Application (T1190)
Valid Accounts (T1078)
System Services: Service Execution (T1569.002)
Remote Services: Remote Desktop Protocol (T1021.001)
Credentials from Password Stores (T1555)
Impair Defenses (T1562)
Exfiltration Over C2 Channel (T1041)
Transfer Data to Cloud Account (T1537)
Potential Compliance Exposure
Frameworks potentially engaged by the incident. GDPR and NIS2 follow directly from an EU provider exposing personal data while serving an essential-service operator; the remaining frameworks apply only where the exposed data or the affected organizations fall within their scope (for example cardholder data for PCI DSS, or New York-regulated financial entities for NYDFS), which the cited sources do not establish.
GDPR – Security of Processing
Control ID: Article 32
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
PCI DSS 4.0 – Protect Stored Account Data
Control ID: 3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
CISA ZTMM 2.0 – Data Access Controls
Control ID: 1.3.1
DORA – ICT Risk Management Framework
Control ID: Article 10
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and cloud security risks.
Transportation
Railway infrastructure breaches expose critical transportation data; operators need encrypted traffic protection, zero trust segmentation, and threat detection that keeps services running while an IT supplier is compromised.
Information Technology/IT
IT service providers face elevated risk from lateral movement, demanding multicloud visibility, egress security controls, and anomaly detection across the client environments they manage.
Government Administration
Public sector entities using third-party IT services need strengthened east-west traffic security, policy enforcement, and Kubernetes security to protect sensitive governmental data.
Outsourcing/Offshoring
Service providers must implement a cloud native security fabric, inline IPS, and secure hybrid connectivity to prevent data exfiltration across distributed client infrastructures.
Sources
- Hacker claims to steal 2.3TB data from Italian rail group, Almaviva – https://www.bleepingcomputer.com/news/security/hacker-claims-to-steal-23tb-data-from-italian-rail-group-almaviva/
- Note on cyber attack – https://www.almaviva.it/en_GB/news/show-news/12ba5052-49bd-44cb-82da-14ff1fd97638/Note-on-cyber-attack
- Third-party hack purportedly led to massive Italian railway operator data theft – https://www.scworld.com/brief/third-party-hack-purportedly-led-to-massive-italian-railway-operator-data-theft
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Comprehensive Zero Trust controls such as network segmentation, encrypted traffic, egress enforcement, and real-time visibility would have hindered attacker lateral movement, command and control, and data exfiltration, limiting the scale of the breach.
Control: Multicloud Visibility & Control
Mitigation: Increased detection of anomalous or unauthorized external connections.
Control: Zero Trust Segmentation
Mitigation: Limits lateral movement and confines a compromised account or workload to the segments its role requires, enforcing least privilege at the network layer.
Control: East-West Traffic Security
Mitigation: Detection and containment of unauthorized internal traffic flows.
Control: Inline IPS (Suricata)
Mitigation: Blocks traffic matching known command-and-control signatures and suspicious patterns inline, before it reaches external C2 endpoints.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks or monitors large-scale or unauthorized outbound data transfers.
Early alerting and rapid response to unusual system behaviors reduces breach scope.
Impact at a Glance
Affected Business Functions
- Operations
- Human Resources
- Accounting
Estimated downtime: N/A
Estimated loss: $5,000,000 (estimate; no loss figure appears in the cited sources)
Unauthorized access resulted in the exfiltration of 2.3TB of sensitive data, including internal shares, multi-company repositories, technical documentation, contracts with public entities, HR archives, and accounting data.
Recommended Actions
Key Takeaways & Next Steps
- Enforce least-privilege access through Zero Trust segmentation to limit risk from initial and supply chain compromise.
- Deploy east-west traffic controls to proactively block lateral movement between workloads and internal segments.
- Strengthen egress security by implementing granular policy enforcement and monitoring for large-scale data transfers.
- Utilize centralized, real-time visibility to detect anomalies, suspicious credential use, and policy violations.
- Integrate inline intrusion prevention and anomaly response for rapid detection and containment of exploits or C2 activity.
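As an added example (not code from this page, its sources, Almaviva or FS Italiane), the following Python script applies two of the controls recommended above, an east-west segmentation allow list and per-source egress volume monitoring, to NetFlow-style records. The zone map, allow list, 5 GiB per hour threshold, addresses and flow records are all constructed assumptions for illustration; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for external hosts.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One NetFlow/IPFIX-style record (constructed for this example)."""
    ts: int         # epoch seconds when the flow started
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination TCP port
    bytes_out: int  # bytes sent from src to dst


# Assumed network segments of a provider environment (hypothetical, not Almaviva's).
ZONES = {
    "workstations": ip_network("10.10.0.0/16"),
    "jump":         ip_network("10.20.0.0/24"),
    "fileservers":  ip_network("10.30.0.0/24"),
    "client_data":  ip_network("10.40.0.0/24"),  # segment holding client repositories
}

# Least-privilege east-west allow list: (src_zone, dst_zone, dport). Any flow between
# two different internal zones that is not listed here is a policy violation.
ALLOW = {
    ("workstations", "jump", 3389),       # RDP to the jump host only
    ("jump", "fileservers", 445),         # SMB from jump host to file servers
    ("jump", "client_data", 22),          # SSH from jump host into client-data segment
    ("fileservers", "client_data", 445),  # replication between server segments
}

EGRESS_WINDOW = 3600              # seconds; aggregate outbound bytes per hour
EGRESS_THRESHOLD = 5 * 1024 ** 3  # 5 GiB per source per hour (assumed baseline)


def zone_of(ip: str):
    """Return the zone name for an internal address, or None if it is external."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def eastwest_violations(flows):
    """Internal-to-internal flows across zones that the allow list does not permit.

    These are the lateral-movement candidates a segmentation control should block."""
    violations = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone is None or dst_zone is None or src_zone == dst_zone:
            continue  # external traffic is egress_alerts' job; intra-zone is out of scope here
        if (src_zone, dst_zone, f.dport) not in ALLOW:
            violations.append(f)
    return violations


def egress_alerts(flows, window=EGRESS_WINDOW, threshold=EGRESS_THRESHOLD):
    """Sum bytes from each internal source to external destinations per time window.

    Returns {(src, window_index): bytes} for sources whose total exceeds the threshold."""
    totals = defaultdict(int)
    for f in flows:
        if zone_of(f.src) is not None and zone_of(f.dst) is None:
            totals[(f.src, f.ts // window)] += f.bytes_out
    return {key: total for key, total in totals.items() if total > threshold}


# Constructed sample flows; T0 is the start of one hourly window (T0 % 3600 == 0).
T0 = 1699999200
SAMPLE_FLOWS = [
    Flow(T0 + 10,   "10.10.5.23", "10.20.0.10",   3389, 120_000),        # allowed RDP to jump host
    Flow(T0 + 300,  "10.20.0.10", "10.40.0.7",    445,  80_000),         # SMB from jump host: only SSH is allowed
    Flow(T0 + 360,  "10.10.5.23", "10.40.0.7",    445,  50_000),         # workstation straight into client data
    Flow(T0 + 400,  "10.10.5.23", "198.51.100.5", 443,  900_000),        # ordinary web traffic
    Flow(T0 + 0,    "10.30.0.5",  "203.0.113.10", 443,  2 * 1024 ** 3),  # bulk upload, part 1
    Flow(T0 + 600,  "10.30.0.5",  "203.0.113.10", 443,  2 * 1024 ** 3),  # part 2
    Flow(T0 + 1200, "10.30.0.5",  "203.0.113.10", 443,  2 * 1024 ** 3),  # part 3: 6 GiB in one hour
]


if __name__ == "__main__":
    for f in eastwest_violations(SAMPLE_FLOWS):
        print(f"POLICY VIOLATION {f.src} ({zone_of(f.src)}) -> {f.dst} ({zone_of(f.dst)}):{f.dport}")
    for (src, win), total in egress_alerts(SAMPLE_FLOWS).items():
        print(f"EGRESS ALERT {src} sent {total / 1024 ** 3:.1f} GiB to external hosts in window {win}")
```

In production the records would come from a flow collector or cloud flow logs, the allow list from the segmentation policy itself, and the threshold from a per-host baseline rather than a fixed constant. The point of the volume check is that a 2.3TB exfiltration spans hundreds of hourly windows like the one flagged here, so even a coarse per-source egress total gives many opportunities to interrupt it before it completes.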