Full Report
The Uffizi Galleries in Florence have confirmed they were subject to a cyber-attack - but denied that the security systems protecting their famous works had been compromised. The Uffizi stressed that nothing had been either damaged or stolen, after hackers were reported to have infiltrated the museum's IT systems and accessed sensitive security data. Italian newspaper Corriere della Sera reported that hackers had infiltrated the museums' IT systems, allegedly extracting access codes, internal maps and the locations of CCTV cameras and alarms, before issuing a ransom demand. But the Uffizi contested this account, saying its security systems were inaccessible from the outside. The attackers appeared to have moved through interconnected systems, computers and phones, gradually piecing together a detailed picture of the museum's operations, Corriere reported.
Analysis Summary
# Incident Report: Uffizi Galleries IT System Intrusion
## Executive Summary
Between late January and early February 2024, the Uffizi Galleries in Florence experienced a cyber-attack involving lateral movement through interconnected IT systems. While external reports alleged the theft of security blueprints and access codes, the museum maintains that its core security infrastructure is air-gapped and remains uncompromised. The incident resulted in a ransom demand and in the digital photographic archive server being taken offline and restored from backups.
## Incident Details
- **Discovery Date:** Approximately February 1, 2024
- **Incident Date:** Late January to early February 2024
- **Affected Organization:** Uffizi Galleries (including Palazzo Pitti and Boboli Gardens)
- **Sector:** Arts, Culture, and Tourism
- **Geography:** Florence, Italy
## Timeline of Events
### Initial Access
- **Date/Time:** Late January 2024
- **Vector:** Infiltration of interconnected IT systems (computers and phones).
- **Details:** Attackers gained entry to the museum's general-purpose IT network, moving across employee devices.
### Lateral Movement
- Attackers navigated through interconnected systems to map internal operations and access a digital photographic archive server.
### Data Exfiltration/Impact
- **Alleged:** Theft of security maps, CCTV locations, sensor data, and access codes (contested by the Uffizi).
- **Confirmed:** Impact on the digital photographic archive server, necessitating a shutdown and restoration from backup.
### Detection & Response
- **Detection:** Discovered via system anomalies and a ransom demand sent directly to Director Simone Verde's mobile device.
- **Response:** Segregation of the photographic server, restoration from backups, and physical security hardening at Palazzo Pitti.
## Attack Methodology
- **Initial Access:** Compromise of networked computers and mobile devices.
- **Persistence:** Not explicitly disclosed; likely maintained via compromised credentials.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Gradual lateral movement through interconnected systems, which avoided triggering monitoring focused on any single system.
- **Credential Access:** Potential extraction of administrative passwords for IT (non-security) systems.
- **Discovery:** Reconnaissance of organizational structure and IT assets.
- **Lateral Movement:** Pivot from general office IT to specialized servers (Photographic Archive).
- **Collection:** Gathering of digital photographic records and operational data.
- **Exfiltration:** Data allegedly staged for sale on the dark web.
- **Impact:** Ransomware-style extortion and temporary loss of server availability.
## Impact Assessment
- **Financial:** Possible costs related to forensic investigation and server restoration; €60m annual revenue remained largely protected as ticketing stayed online.
- **Data Breach:** Compromise of the digital photographic archive; dispute over the theft of sensitive security data.
- **Operational:** Temporary closure of sections of Palazzo Pitti; transfer of valuable items to the Bank of Italy.
- **Reputational:** High-profile media coverage (Corriere della Sera) suggesting vulnerability of international cultural treasures.
## Indicators of Compromise
- **Behavioral Indicators:** Lateral movement between office computers and photographic servers; direct extortion contact via personal mobile numbers.
- **Network Indicators:** [Redacted/Not provided in source].
## Response Actions
- **Containment:** Taking the photographic archive server offline to prevent further spread.
- **Eradication:** Wiping affected systems and implementing fire-safety/security hardening (bricking up redundant access points).
- **Recovery:** Full restoration of data from backups; transition of physical assets to high-security vaults (Bank of Italy).
## Lessons Learned
- **Network Segmentation:** The museum’s use of air-gapped/closed-circuit security systems prevented a total compromise of physical security.
- **Backup Integrity:** Validated backups allowed the museum to recover the photographic archive without paying a ransom.
- **VIP Security:** Attackers successfully targeted the personal device of a high-ranking official for extortion.
## Recommendations
- **Mobile Threat Defense:** Implement specialized security for executive mobile devices to prevent direct extortion.
- **Enhanced Segmentation:** Further isolate legacy IT systems from modern digital archives.
- **Public Relations Protocol:** Establish a unified communication strategy to address discrepancies between official statements and investigative journalism.
- **Continued Modernization:** Complete the transition from analogue to digital security systems as recommended by law enforcement.