Cyber Incident Victim: Corte Costituzionale
Date: Apr 2023
Location: Italy
Summary
The Italian Constitutional Court was targeted by the pro-Russian hacker group NoName057(16) in a DDoS attack. The group claimed responsibility for the incident on its Telegram channel, which rendered the court's website inaccessible. In response, administrators implemented geolocking to mitigate the attack by restricting foreign traffic, though this was considered a temporary solution rather than a definitive fix for the disruption.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around April 19, 2023, the Italian Supreme Council of the Judiciary, known as the Consiglio Superiore della Magistratura (CSM), was subjected to a cyber attack. The pro-Russian hacker group NoName057(16) claimed responsibility for this incident. This group had publicly declared its support for the Russian Federation in March 2022, following the start of the war between Ukraine and Russia. They are known for publicizing their activities through a Telegram channel that, at the time of the incident, had over 30,000 followers. The group's modus operandi involved launching Distributed Denial of Service (DDoS) attacks against public and private targets in various countries, including Ukraine, the United States, and several European nations. Italy had been a previous target of their campaigns.

The attack against the CSM was a DDoS attack, specifically identified as a Slow HTTP attack variant. This type of attack exploits a vulnerability in how servers manage HTTP connections. The attacker sends a series of partial HTTP requests to the target server but never completes them. This causes the server to keep the connections open while waiting for the requests to be finalized, thereby consuming its available resources and preventing it from processing legitimate traffic. This technique is particularly effective against servers with limited bandwidth or processing capacity, as it can saturate their capabilities with minimal bandwidth usage from the attacker's side.
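
A defender's view of the Slow HTTP behaviour described above, as an added example that is not part of the original report: a Python check over a snapshot of open connections that flags clients still holding a connection without having finished their request headers. The thresholds, the `Conn` record and the sample addresses are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed thresholds for this example; tune them to the server's real timeouts.
HEADER_DEADLINE_S = 10.0    # a normal client sends its full request head within this
MAX_STALLED_PER_SOURCE = 3  # stalled connections tolerated from one address


@dataclass
class Conn:
    src: str         # client address
    age_s: float     # seconds since the TCP connection was accepted
    received: bytes  # request bytes received so far


def headers_complete(buf: bytes) -> bool:
    """An HTTP/1.x request head is finished by an empty line (CRLF CRLF)."""
    return b"\r\n\r\n" in buf


def is_stalled(c: Conn) -> bool:
    """True when the server is still waiting for the request head past the deadline."""
    return c.age_s > HEADER_DEADLINE_S and not headers_complete(c.received)


def analyse(conns, worker_slots):
    """Return (sources over the limit, fraction of worker slots held by stalled conns)."""
    stalled = Counter(c.src for c in conns if is_stalled(c))
    offenders = sorted(s for s, n in stalled.items() if n > MAX_STALLED_PER_SOURCE)
    return offenders, sum(stalled.values()) / worker_slots


# Constructed snapshot of a server's open connections (documentation addresses).
PARTIAL = b"GET / HTTP/1.1\r\nHost: example.test\r\n"
FULL = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SNAPSHOT = (
    [Conn("203.0.113.7", 95.0, PARTIAL) for _ in range(6)]
    + [Conn("198.51.100.20", 40.0, PARTIAL) for _ in range(5)]
    + [Conn("192.0.2.10", 0.4, FULL),      # normal request in flight
       Conn("192.0.2.11", 2.0, PARTIAL),   # slow client, still within the deadline
       Conn("192.0.2.12", 30.0, FULL)]     # long-running response, head complete
)

if __name__ == "__main__":
    offenders, held = analyse(SNAPSHOT, worker_slots=16)
    print("sources to rate-limit or block:", offenders)
    print(f"worker slots held by stalled connections: {held:.0%}")
```

The second figure is the one to alert on: a high share of worker slots held by connections with unfinished request heads indicates resource exhaustion even when inbound bandwidth looks normal.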
The primary impact of the attack was the disruption of the CSM's official website, rendering it inaccessible. The group announced their success via their Telegram channel, stating, "Il sito web del Supremo Consiglio Superiore della Magistratura italiano non è sopravvissuto al nostro attacco," which translates to "The website of the Italian Supreme Council of the Judiciary did not survive our attack." This declaration served as their public claim of responsibility for the outage.
In response to the attack, the CSM implemented a mitigation technique known as geolocking, also referred to as geoblocking. This security measure restricts access to online content based on the geographical location of the user. By enabling geolocking, the CSM aimed to limit the attack's potency by blocking traffic originating from outside a specified geographic area, thereby reducing the number of malicious bots from the global botnet that could reach and target the server. An analysis conducted using the check-host service at 22:07 on April 19, 2023, confirmed that the web server was no longer reachable from outside Italy, though accessibility from within the country was also reported as inconsistent. This confirmed the activation of the geolocking countermeasure.
The implementation of geolocking was characterized as a temporary mitigation strategy rather than a definitive solution. While effective in immediately reducing the volume of malicious traffic by cutting off foreign sources, it also had the collateral effect of blocking legitimate users located outside of Italy from accessing the website. The article noted that a more permanent solution would involve the activation of specialized security appliances like Web Application Firewalls (WAF) or the utilization of content delivery networks (CDN) with integrated DDoS protection services, such as those offered by Akamai or Cloudflare. These solutions are designed to filter incoming traffic, identify and block malicious requests based on their content and behavior, and efficiently manage connections without relying solely on geographic restrictions.
The incident was part of a broader pattern of attacks by NoName057(16) against Italian targets. The group had previously conducted several DDoS campaigns against both public institutions and private entities within the country. The attack on the CSM, a key judicial governing body, underscored the group's focus on high-profile public sector targets to achieve maximum disruptive impact and publicity. The consequences of the attack were primarily operational, resulting in a service interruption that hindered public access to the council's online resources. The full extent of the disruption, including its duration and any potential data-related impacts, was not detailed in the provided source material. The technical response was focused on network-level containment to restore availability, with the geolocking serving as the immediate and primary documented response action taken to counteract the DDoS flood.
