Cyber Incident Victim: Azienda Trasporti Milanese
Date:
May 2023
Location:
Italy
Summary
The pro-Russian hacktivist group NoName057(16) conducted DDoS attacks against Italy's transport regulator, ART, and the Milan Metro. The group used Slow HTTP (Slowloris-style) techniques to exhaust the targets' web server connection pools, causing an outage for the metro that lasted approximately two hours. Geolocking (restricting access to the affected sites by source country) was reportedly enabled by the victims as a stop-gap, and analysis indicated that downtime was slightly shorter than in the group's earlier attacks on Italian targets, suggesting that defensive mitigations were slowly being put in place.
Description
On the morning of May 22, 2023, at around 10:30 AM, the pro-Russian hacktivist group NoName057(16) launched a cyberattack against the Milan Metro (Metropolitana di Milano). The attack caused a service disruption of approximately two hours, affecting the operations of the public transportation system. After this initial attack, the group turned to another Italian transportation entity, the Transport Regulation Authority (Autorità di Regolazione dei Trasporti, ART). There the attackers specifically targeted the authority's SPID (Sistema Pubblico di Identità Digitale) login form; SPID is the national digital identity scheme used to authenticate to Italian public-sector online services, so taking the form down blocks legitimate users from every service behind it.

The attack methodology employed by NoName057(16) was identified as a Slow HTTP attack, of which Slowloris (slow headers) is the best-known variant. The technique is not an exploit of a software bug; it abuses the way connection- or thread-per-request web servers manage HTTP connections. The attacker opens a connection, sends a valid request line and a few headers, but never sends the blank line that terminates the header block; every few seconds it trickles one more bogus header line so that the connection never looks idle. The server keeps the connection (and the worker or slot behind it) open while waiting for the request to be completed. By opening and maintaining a large number of these incomplete connections simultaneously, the attackers saturate the server's connection pool, so legitimate requests queue or are refused and a denial-of-service condition results. This type of attack is effective at very low bandwidth, and because each individual connection is indistinguishable from a client on a slow or lossy link, it is hard to filter without server-side request deadlines or a WAF that tracks per-connection behaviour.
As a stop-gap response, the targeted organizations reportedly enabled geolocking, that is, restricting access to the affected sites by source country. This is a temporary mitigation rather than a fix: it cuts off whatever share of the attack traffic originates outside the permitted region, at the cost of also blocking legitimate users abroad, and it does nothing against attack connections that come from inside the region. Analysis of the incident indicated that the downtime experienced by the targeted Italian transportation organizations, while significant, was slightly shorter than the outages caused by similar attacks by the same group against Italian targets in late 2022. This suggested that the victim organizations had begun to implement improved defensive measures, albeit at a pace described as extremely slow relative to the ongoing threat.
The incident on May 22 was not an isolated event, nor was Italy the only target. On the same day, NoName057(16) launched attacks against multiple transportation-sector companies in several other countries, indicating a coordinated international campaign. The group has a history of distributed denial-of-service (DDoS) attacks against Italian targets, and this incident was one in a broader series. The primary impact was service unavailability. For the Milan Metro this translated into a two-hour disruption affecting commuters and the transportation network's public-facing services. For the Transport Regulation Authority, the attack on its SPID login form prevented legitimate users from reaching its online services, potentially disrupting administrative and regulatory functions.
The article provides a technical overview of mitigation strategies for Slow HTTP attacks, which can be read as the general category of response actions relevant to such incidents. The first is tightening the web server's request timeouts. For a slow-header attack the relevant setting is a deadline on receiving the complete request header (for example Apache's mod_reqtimeout or nginx's client_header_timeout), not a plain idle timeout, because each trickled header line resets an idle timer; once the deadline expires the server closes the connection and frees the slot. A second measure is limiting the number of concurrent connections permitted from a single IP address, which stops one source from consuming the whole pool, although it is weaker against a distributed attack where each source opens only a few connections. A reverse proxy in front of the application server can absorb and buffer slow requests and enforce these limits before traffic reaches the application workers. A web application firewall (WAF) was highlighted as a key defensive measure, since it can be configured to identify and drop connections whose behaviour matches a Slow HTTP pattern (long-lived connections with incomplete headers).
For large-scale DDoS attacks, which may combine Slow HTTP techniques with volumetric floods, specialized DDoS mitigation services were noted as a necessary response; these filter malicious traffic before it reaches the target's infrastructure. The article concludes that while geolocking can serve as a temporary defensive measure, a more definitive solution is to activate a WAF or to place the site behind a content delivery network (CDN) such as Akamai or Cloudflare, whose edge terminates client connections and provides built-in DDoS protection. The reduction in downtime observed in this attack compared with previous incidents suggests that some of these mitigations were being adopted by the targeted organizations, gradually improving their resilience.
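To make the slow-header mechanism described above and the header-deadline mitigation concrete, the following is an added example (not code from the original article or from any of the organizations involved): a toy asyncio HTTP server on localhost with a bounded connection pool, a client that opens partial requests Slowloris-style, and a legitimate client that checks whether it still gets served. The server, the pool size of five, the 0.3-second deadline and the "target.example" host name are all illustrative assumptions.

```python
"""Slow-header (Slowloris-style) DoS against a toy HTTP server on localhost,
and the per-request header deadline that mitigates it.
Added example: the server, pool size and timings are illustrative assumptions."""
import asyncio
from typing import Optional


class ToyHTTPServer:
    """Minimal HTTP/1.1 responder with a bounded connection pool (the worker
    pool of a real server).  header_timeout=None reproduces the vulnerable
    behaviour: a connection holds its slot until the client finishes its headers."""

    def __init__(self, max_conns: int, header_timeout: Optional[float]):
        self.max_conns = max_conns
        self.header_timeout = header_timeout
        self.dropped = 0            # connections closed because the deadline expired
        self.tasks = set()          # live handler tasks, so stop() can cancel stragglers

    async def start(self) -> int:
        self.slots = asyncio.Semaphore(self.max_conns)   # created inside the running loop
        self.server = await asyncio.start_server(self._handle, "127.0.0.1", 0)
        return self.server.sockets[0].getsockname()[1]

    async def _handle(self, reader, writer):
        self.tasks.add(asyncio.current_task())
        try:
            async with self.slots:              # a partial request occupies a slot
                try:
                    # Deadline on the WHOLE header read.  An idle (inter-byte)
                    # timeout alone is defeated by trickling one header line
                    # every few seconds, which is exactly what Slowloris does.
                    await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"),
                                           timeout=self.header_timeout)
                    writer.write(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                                 b"Connection: close\r\n\r\nok")
                    await writer.drain()
                except asyncio.TimeoutError:
                    self.dropped += 1           # mitigation fired: slot is freed
                except (asyncio.IncompleteReadError, asyncio.LimitOverrunError, OSError):
                    pass                        # client went away or misbehaved
                finally:
                    writer.close()
        finally:
            self.tasks.discard(asyncio.current_task())

    async def stop(self):
        self.server.close()
        for t in list(self.tasks):
            t.cancel()                          # handlers still queued for a slot
        await asyncio.gather(*self.tasks, return_exceptions=True)


async def slow_connection(port: int, stop: asyncio.Event, interval: float = 0.05):
    """One attacker connection: request line plus Host header, but never the
    blank line that terminates the headers; keep trickling a bogus header."""
    _, writer = await asyncio.open_connection("127.0.0.1", port)
    try:
        writer.write(b"GET / HTTP/1.1\r\nHost: target.example\r\n")
        await writer.drain()
        while not stop.is_set():
            await asyncio.sleep(interval)
            writer.write(b"X-a: b\r\n")
            await writer.drain()
    except OSError:
        pass                                    # the server dropped us: deadline worked
    finally:
        writer.close()


async def legitimate_request(port: int, timeout: float) -> bool:
    """A well-formed request; True if a 200 came back before the timeout."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    try:
        writer.write(b"GET / HTTP/1.1\r\nHost: target.example\r\n\r\n")
        await writer.drain()
        data = await asyncio.wait_for(reader.read(64), timeout)
        return data.startswith(b"HTTP/1.1 200")
    except (asyncio.TimeoutError, OSError):
        return False
    finally:
        writer.close()


async def scenario(header_timeout: Optional[float], pool: int = 5) -> dict:
    """Fill the pool with slow connections, then see whether a real client is served."""
    srv = ToyHTTPServer(pool, header_timeout)
    port = await srv.start()
    stop = asyncio.Event()
    attackers = [asyncio.create_task(slow_connection(port, stop)) for _ in range(pool)]
    await asyncio.sleep(0.15)                   # partial requests land and fill every slot
    served = await legitimate_request(port, timeout=0.8)
    stop.set()
    await asyncio.gather(*attackers)
    await srv.stop()
    return {"header_timeout": header_timeout, "legit_served": served, "dropped": srv.dropped}


def run_scenario(header_timeout: Optional[float], pool: int = 5) -> dict:
    return asyncio.run(scenario(header_timeout, pool))


if __name__ == "__main__":
    print(run_scenario(None))   # vulnerable: legit_served False, dropped 0
    print(run_scenario(0.3))    # hardened:   legit_served True,  dropped 5
```

With no deadline, five trickling connections are enough to hold all five slots indefinitely and the well-formed request never gets an answer; with a 0.3-second header deadline every partial connection is dropped, the slots come back, and the legitimate client is served. Note that the deadline bounds the time to receive the full header, which is what Apache's mod_reqtimeout and nginx's client_header_timeout do; a per-IP connection cap would be the next knob, but it only helps when the attack traffic is concentrated on a few sources.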
