Cyber Incident Victim: Intesa Sanpaolo
Date:
Feb 2025
Location:
Italy
Summary
Alleged pro-Russian hacker group Noname057(16) targeted approximately 20 Italian websites, including those of Intesa Sanpaolo, other major banks, and Milan's airports, in a cyberattack motivated by political tensions between Italy and Russia. The group cited recent critical remarks by Italy's president about Russia's actions in Ukraine as justification for the attack, mirroring its previous targeting of Italian institutional websites months earlier. While the incident caused no major operational disruptions, affected organizations confirmed minor or no service interruptions, with some declining to comment on the impact. Italy's cybersecurity agency attributed the attack to the ongoing geopolitical friction following the diplomatic exchange.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On February 17, 2025, Italy’s cybersecurity agency reported approximately 20 Italian websites were targeted in coordinated cyberattacks attributed to the pro-Russian hacker group Noname057(16). The attacks impacted financial institutions including Intesa Sanpaolo, Banca Monte dei Paschi, and Iccrea Banca, as well as Milan’s Linate and Malpensa airports managed by SEA. The agency linked the incident to escalating diplomatic tensions following Italian President Sergio Mattarella’s February 2025 comparison of Russia’s war in Ukraine to Nazi Germany’s pre-World War II expansionism, which had drawn condemnation from Moscow. Noname057(16) explicitly cited Mattarella’s remarks as motivation for the attacks, mirroring their December 2024 campaign against roughly 10 Italian institutional websites. Initial assessments indicated the attacks did not cause major operational disruptions, though targeted organizations adopted varying response postures. Intesa Sanpaolo and SEA declined public commentary on the incident, while Iccrea Banca confirmed no service interruptions occurred. Banca Monte dei Paschi did not respond to Reuters’ requests for comment at the time of reporting.
The cybersecurity agency characterized the attacks as part of a recurring pattern of hacktivist activity aligned with Russian geopolitical interests, though no data breaches or persistent network compromises were disclosed. Technical specifics regarding attack vectors, duration, or mitigation measures were not detailed in public statements. The incident highlighted sustained targeting of Italian critical infrastructure sectors following political controversies involving Russia, with financial services and transportation nodes representing consistent objectives for Noname057(16). No collateral impacts on customers or travelers were reported by affected entities. Historical context indicated the group’s operational focus on temporary service disruptions through website defacements or denial-of-service techniques rather than data exfiltration campaigns. Institutional responses remained confined to incident verification and containment, with no disclosed coordination on enhanced defensive measures beyond routine cybersecurity protocols.