Date: Apr 2023

Location: Italy

Summary

The Italian Ministry of Infrastructure and Sustainable Mobility was targeted by the pro-Russian hacktivist group NoName057(16) in a distributed denial-of-service (DDoS) attack. The incident rendered the Ministry's website intermittently unreachable, prompting its administrators to implement geolocking by blocking access from foreign IP addresses as a temporary mitigation measure. The group claimed the attack was a response to Italy's military support for Ukraine.


Description

On or around April 29, 2023, the pro-Russian hacktivist group known as NoName057(16) executed a cyber attack against the Italian Ministero delle infrastrutture e della mobilità sostenibili (MIMS), which was also referred to as the Ministero delle infrastrutture e dei trasporti in the reporting. The group employed a Distributed Denial of Service (DDoS) attack technique against the ministry's web portal. This incident was part of a broader campaign by the group against Italian organizations, which had begun the previous week with attacks targeting the Italian banking sector, including entities such as Medio Banca, BPS, and the Ministero dell’Economia e delle Finanze, as well as Generali, Unipol, Sace, Sella personal Credit, and Fingenia.


The attack on the transportation ministry was publicly claimed by NoName057(16) through their Telegram channel, which had over 30,000 followers at the time. The group used the channel to announce their activities and taunt their targets. In their post concerning MIMS, the group used mocking language, asking "C'è qualcosa che funziona in Italia?😂" ("Is there anything that works in Italy?😂"). They justified their attack by referencing Italy's support for Ukraine, specifically claiming that 20 M109L self-propelled artillery units provided by Italy to Ukraine were defective and not battle-ready. Following the DDoS attack, the group claimed the ministry's website responded by blocking access from foreign IP addresses, a mitigation technique known as geolocking.

The impact of the attack was observed and verified by external cybersecurity monitors. As of 22:54 Italian time on April 30, 2023, the ministry's website was reported as not consistently reachable. The geolocking measure was confirmed to be active at that time, blocking access to the site for users with IP addresses originating from outside Italy. This action successfully mitigated the immediate availability attack but resulted in a loss of service for international visitors. The group also claimed a simultaneous attack on the website of Italy's Transport Regulation Authority (ART), which they stated also became non-functional. The group further claimed that the administrators of the ART site, having anticipated the attack, had preemptively implemented IP blocking for foreign addresses.

The primary technique used was a DDoS attack, which is designed to overwhelm a target server with a massive volume of traffic from a distributed network of compromised devices, or botnet, rendering it unable to respond to legitimate requests. The reporting also provided extensive general background on a specific subtype of DDoS known as a Slow HTTP attack (or HTTP Slowloris), though it did not explicitly confirm this was the specific method used in this particular incident against MIMS. A Slow HTTP attack functions by exploiting how web servers manage connections, where the attacker initiates many HTTP requests but deliberately sends them very slowly or leaves them incomplete. This forces the server to keep these connections open while waiting for the requests to finish, eventually consuming all available concurrent connections and preventing legitimate users from accessing the service.
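The connection-exhaustion behaviour described above can be spotted from a server's open-connection table. The following is an added example, not taken from the reporting and not a statement about the method used against MIMS; the record fields, thresholds and sample connections are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions for this example; tune them to the server's real traffic.
HEADER_DEADLINE = 10.0    # seconds a client gets to finish sending request headers
MIN_RATE = 50.0           # bytes/second below which an unfinished request counts as slow
MAX_SLOW_PER_CLIENT = 3   # slow connections tolerated from one source address

@dataclass
class Conn:
    client: str         # source IP address
    opened: float       # time the connection was accepted (seconds)
    bytes_in: int       # request bytes received so far
    headers_done: bool  # True once the blank line ending the headers has arrived

def is_slow(c: Conn, now: float) -> bool:
    """An unfinished request that is past the deadline and still trickling."""
    age = now - c.opened
    if c.headers_done or age < HEADER_DEADLINE:
        return False
    return c.bytes_in / age < MIN_RATE

def slow_clients(conns, now):
    """Sources holding more slow connections than the per-client allowance."""
    counts = defaultdict(int)
    for c in conns:
        if is_slow(c, now):
            counts[c.client] += 1
    return {ip: n for ip, n in counts.items() if n > MAX_SLOW_PER_CLIENT}

def pool_pressure(conns, max_conns, now):
    """Fraction of the server's connection slots tied up by slow requests."""
    return sum(is_slow(c, now) for c in conns) / max_conns

# Constructed sample: a snapshot of open connections at t=60s (documentation IP ranges).
SAMPLE = (
    [Conn("198.51.100.7", float(t), 40, False) for t in range(5)]  # five stalled requests
    + [Conn("192.0.2.10", 58.0, 512, True),    # normal, headers complete
       Conn("192.0.2.11", 55.0, 120, False),   # still within the deadline
       Conn("192.0.2.12", 30.0, 200, False)]   # one slow link, under the allowance
)

if __name__ == "__main__":
    print(slow_clients(SAMPLE, now=60.0))
    print(pool_pressure(SAMPLE, max_conns=10, now=60.0))
```

The per-client allowance keeps a single genuinely slow visitor from being flagged, while the pool-pressure figure shows how much of the server's concurrency is being held by unfinished requests.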

The defensive response from the ministry's administrators was the implementation of geolocking. This is a common reactive measure to DDoS attacks that originate primarily from foreign IP addresses. By blocking traffic based on geographical origin, the administrators sought to filter out a significant portion of the malicious attack traffic. While effective as an immediate containment action, the reporting cited this as a temporary mitigation rather than a definitive solution. The article suggested that more permanent solutions involve the deployment of Web Application Firewalls (WAF) or the use of Content Delivery Network (CDN) services from providers like Akamai or Cloudflare, which offer robust DDoS mitigation capabilities, though it was not confirmed if these were subsequently adopted by MIMS.

The consequences of the incident included a temporary disruption to the online availability of the ministry's web portal. The service interruption affected users attempting to access the site, particularly those located outside of Italy who were blocked by the geolocking measure. The incident did not involve a reported data breach or compromise of sensitive information; the impact was confined to service availability. The attack was characterized as an act of hacktivism, motivated by political and ideological support for the Russian Federation in the context of the ongoing conflict in Ukraine. The group's stated intent was to punish Italy for its support of Ukraine and to disrupt its governmental digital infrastructure. The incident served to demonstrate the continued targeting of European critical infrastructure by pro-Russian cyber groups following the invasion of Ukraine.
