
Cyber Incident Victim: Ministry of Defense (Iran)

Date:

Apr 2023

Location:

Italy

Summary

A pro-Russian hacker group known as NoName057(16) executed a DDoS attack against the Italian Ministry of Defense's website. The attack, specifically an HTTP Slowloris attack, aimed to exhaust server resources by holding numerous connections open. In response, the victim organization implemented geolocking to mitigate the attack, restricting access to the site from outside Italy, which reduced the effectiveness of the malicious traffic.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Threat Actor Type: Available to members
Threat Actor Location: Available to members

Description

On or around April 19, 2023, the website of the Italian Supreme Council of the Judiciary (Consiglio Superiore della Magistratura) was subjected to a cyber attack. The pro-Russian hacker group known as NoName057(16) claimed responsibility for this incident. The group publicly declared its support for the Russian Federation in March 2022, following the start of the war between Ukraine and Russia, and has a history of claiming responsibility for cyber attacks against countries including Ukraine, the United States, and various European nations. The group operates a Telegram channel with over 30,000 followers, which it uses to publicize its activities and new victims. It was through this channel that the group announced the Italian target, stating, "Il sito web del Supremo Consiglio Superiore della Magistratura italiano non è sopravvissuto al nostro attacco," which translates to "The website of the Italian Supreme Council of the Judiciary did not survive our attack."

The attack employed was a Distributed Denial of Service (DDoS) attack. A DDoS attack is a type of cyber attack in which a large number of compromised computers, known as a botnet, simultaneously send a massive volume of traffic to a target server. The objective is to saturate the server's bandwidth or processing capacity, rendering it unable to respond to legitimate user requests and causing an interruption of service. This prevents users from accessing websites, applications, or other online services. Such attacks are often used for hacktivism, extortion, damaging an organization's reputation, or for political and ideological purposes, which aligns with the stated motives of the NoName057(16) group.

Analysis of the attack indicated it specifically utilized a Slow HTTP attack technique, also referred to as an HTTP Slowloris attack. This method exploits the way servers hold an HTTP connection open while waiting for a request to be completed. Instead of flooding the target with high-volume traffic, the attacker opens a large number of connections and sends only partial HTTP requests on each of them. The attacker never completes these requests, so the server keeps the connections open while it waits for them to be finalized. This consumes the server's pool of available connections, preventing it from accepting new, legitimate connections from actual users. This type of attack can be particularly effective against web servers with a limited number of connection slots or limited processing capacity, and it requires minimal bandwidth and resources from the attacker to execute.

In response to the attack, the administrators of the Supreme Council of the Judiciary's website implemented a mitigation measure known as geolocking, also called geoblocking. This technique restricts access to online content based on the geographical location of the user. By enabling geolocking, access to the website was blocked for all traffic originating from outside of Italy. This action was confirmed through an analysis using the check-host service at 22:07 on April 19, 2023, which showed the web server was unreachable from abroad but remained accessible from within Italy, albeit inconsistently. The primary purpose of implementing this measure was to reduce the effectiveness of the DDoS attack by cutting off a significant portion of the malicious botnet traffic, which was likely distributed across numerous countries outside of Italy.

The implementation of geolocking was characterized as a temporary mitigation solution rather than a definitive fix. While it effectively reduced the immediate power of the attack by blocking foreign-based malicious bots, it also had the consequence of preventing legitimate users and clients located outside of Italy from accessing the website's services. A more permanent solution would involve the deployment of specialized security appliances or services, such as a Web Application Firewall (WAF), which can be configured to filter incoming traffic, detect malicious request patterns like those used in Slow HTTP attacks, and block them before they reach the target server. Other definitive solutions include utilizing Content Delivery Network (CDN) services from providers like Akamai or Cloudflare, which offer built-in DDoS mitigation capabilities by absorbing and scrubbing malicious traffic across their distributed global networks.

Additional technical mitigation strategies for defending against Slow HTTP attacks include reducing the request timeout on the web server. By shortening the time a server waits for a request to be completed, it frees up resources more quickly by closing connections that never finish sending their request. Another method is to limit the number of concurrent connections permitted from a single IP address, which prevents a single source from consuming all available connections. Deploying a reverse proxy can also aid in mitigating these attacks by buffering and processing requests more efficiently and applying connection limits before traffic reaches the primary web server. For large-scale DDoS campaigns that incorporate multiple attack vectors, employing a dedicated DDoS mitigation service may be necessary to filter incoming traffic and block malicious requests.
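The following is an added illustration, not part of this incident record: a small discrete-time model of the connection-slot exhaustion described above, used to compare the mitigations the write-up names (a shorter request timeout, a per-IP connection cap, and the geoblocking allowlist with its side effect on legitimate foreign users). All addresses, countries, rates and slot counts are constructed assumptions.

```python
from collections import Counter

class ServerModel:
    def __init__(self, max_slots, header_timeout, per_ip_limit, allowed_countries=None):
        self.max_slots = max_slots              # connection slots the server can hold open
        self.header_timeout = header_timeout    # seconds an incomplete request may linger
        self.per_ip_limit = per_ip_limit        # concurrent connections allowed per address
        self.allowed = allowed_countries        # None = no geoblocking at the edge
        self.active = {}                        # conn_id -> (ip, opened_at)
        self.rejected = Counter()

    def _reap(self, now):
        # Close connections whose request has not completed within the timeout.
        for cid, (_, opened) in list(self.active.items()):
            if now - opened >= self.header_timeout:
                del self.active[cid]

    def try_connect(self, cid, ip, country, now):
        if self.allowed is not None and country not in self.allowed:
            self.rejected["geoblocked"] += 1
            return False
        self._reap(now)
        if sum(1 for a, _ in self.active.values() if a == ip) >= self.per_ip_limit:
            self.rejected["per_ip_limit"] += 1
            return False
        if len(self.active) >= self.max_slots:
            self.rejected["no_free_slot"] += 1
            return False
        self.active[cid] = (ip, now)
        return True

    def complete(self, cid):  # legitimate client finished; its slot is released
        self.active.pop(cid, None)

def run_scenario(max_slots=200, header_timeout=300, per_ip_limit=10**9, allowed_countries=None, seconds=120):
    """Each second one foreign attacker address (constructed, RFC 5737 range) opens 20
    never-completing connections and one legitimate user (IT and DE alternating) sends a
    request that completes at once. Returns (legit_served, legit_refused, rejections)."""
    srv = ServerModel(max_slots, header_timeout, per_ip_limit, allowed_countries)
    served = refused = 0
    for t in range(seconds):
        for k in range(20):
            srv.try_connect(f"bot-{t}-{k}", "198.51.100.7", "XX", t)
        cid, country = f"user-{t}", ("IT" if t % 2 == 0 else "DE")
        if srv.try_connect(cid, f"203.0.113.{t % 200}", country, t):
            srv.complete(cid)
            served += 1
        else:
            refused += 1
    return served, refused, dict(srv.rejected)
```

With the default 300-second timeout the slots fill within ten seconds and every later legitimate request is refused; a 5-second timeout or a per-IP cap restores service, while the Italy-only allowlist stops the bots but also turns away every legitimate German user. A real botnet spreads over many addresses, so the per-IP cap alone is weaker than the model suggests.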

The incident against the Italian judiciary body is part of a broader campaign of attacks conducted by NoName057(16) against Italy. The group has previously carried out multiple DDoS campaigns targeting both public targets, such as government and institutional websites, and private entities within the country. The impact of this specific attack was the temporary disruption of the Supreme Council of the Judiciary's online presence, limiting access for users both malicious and legitimate based on their geographic location. The response action taken was reactive, focusing on immediate containment through access restriction, with an implied need for more robust, proactive security measures to prevent similar disruptions in the future.
