Transparency-based reconnaissance for APT attacks.

COMPSAC(2023)

Abstract
Transparency is a fundamental administrative principle for public institutions. One of its main implementations is the publication of tenders for the acquisition of goods and services, as prescribed by EU and national legislation. This need for transparency can, however, undermine the security of public institutions, which end up disseminating information that advanced threat actors could leverage to carry out disruptive attacks. In this paper, we analyse how threat actors can extract useful information from this publicly available material, taking advantage of transparency. We introduce a new technique named transparency-based reconnaissance, which implements a passive recognition process using transparency information published under legal requirements. To better highlight the value of the gathered data, we test its effectiveness by simulating a transparency-based reconnaissance run against an Italian public institution, obtaining complete technological and supply chain inventories. The collected inventories enabled the creation of an unsophisticated malware bypassing the defences in place, along with a weaponization and delivery strategy. Finally, we propose a list of potential countermeasure areas, both technical and organizational, to protect information while still safeguarding transparency through a graduated approach.
Keywords
transparency, cyber security, reconnaissance