Cyber Incident Victim: National Authority of Transports
Date:
Mar 2023
Location:
Italy
Summary
The National Authority of Transports and Italy's Constitutional Court were targeted in distributed denial-of-service (DDoS) attacks by the pro-Russian hacktivist group NoName057(16), disrupting online services through slow HTTP techniques that temporarily overwhelmed their web infrastructure. The attacks, part of a broader campaign against Italian entities, rendered the transport regulator's portal inaccessible except from Italian IP addresses but did not compromise data confidentiality or integrity. NoName057(16), known for politically motivated disruptions against governments and critical infrastructure, publicly claimed responsibility via Telegram, continuing their pattern of targeting nations opposing Russian interests.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On March 25, 2023, the pro-Russian hacktivist group NoName057(16) executed distributed denial-of-service (DDoS) attacks against multiple Italian government digital infrastructures, including the National Authority of Transports (Autorità di Regolamentazione dei Trasporti, ART) and the Constitutional Court. The group publicly claimed responsibility through their Telegram channels, sharing Check-Host.net validation links demonstrating the disruption of ART's authorization portal and the Constitutional Court's website. These attacks formed part of a broader campaign against Italian targets, with the group stating their motivation was to ensure Italy received "due attention" alongside other nations opposing Russian interests. Historical context indicates NoName057(16) emerged in March 2022 as a pro-Russian entity, previously targeting Ukrainian, U.S., and European government agencies, private companies, and media outlets through DDoS operations and intimidation tactics against journalists.
The attackers employed slow HTTP attack techniques—a DDoS variant exploiting HTTP protocol vulnerabilities by deliberately sending incomplete or throttled requests to exhaust server resources—against ART's regulatory portal, rendering it accessible only from Italian IP addresses post-attack. This methodology aligned with the group's established preference for slow HTTP attacks over other DDoS vectors. While the article confirmed temporary service disruptions, it specified no data breaches or permanent system compromises occurred, consistent with DDoS attacks' characteristic impact on availability rather than data confidentiality or integrity. NoName057(16) referenced prior successful attacks against Italian infrastructure, including three separate incidents against the Carabinieri website, suggesting recurring vulnerabilities in affected systems. The article noted enterprise-level DDoS mitigation solutions like Cloudflare or Akamai could rapidly deploy protections but did not confirm whether targeted entities implemented such measures during or after the incident. Technical impact verification relied exclusively on the attackers' provided Check-Host.net reports, with no independent analysis or victim statements regarding operational recovery timelines or countermeasures detailed in the source material.