Cyber Incident Victim: Ministero delle Infrastrutture e dei Trasporti
Date: Apr 2023
Location: Italy
Summary
The Italian Ministry of Infrastructure and Transport was targeted in a DDoS campaign by the pro-Russian hacker group NoName057(16). The attack utilized Slow HTTP techniques to overwhelm and disrupt the availability of its web services. In response, the victim organization implemented geolocking to mitigate the attack by blocking foreign traffic, though this was considered a temporary solution rather than a definitive fix for the service disruption.
Description
On or around April 19, 2023, the website of the Italian Supreme Council of the Judiciary (Consiglio Superiore della Magistratura) was subjected to a cyber attack. The pro-Russian hacker group known as NoName057(16) claimed responsibility for this incident. The group publicly declared its support for the Russian Federation in March 2022 following the start of the war between Ukraine and Russia. They are known for claiming responsibility for cyber attacks against countries including Ukraine, the United States, and various European nations. Within the context of Italy, the group had previously carried out several Distributed Denial of Service (DDoS) campaigns against both public targets, such as government and institutional websites, and private entities. The group maintains a Telegram channel with over 30,000 followers, which they use to publicize their activities and list new victims. It was on this channel that they posted a message stating that the Italian Supreme Council of the Judiciary's website had not survived their attack.

The specific type of attack employed against the website was identified as a Slow HTTP attack, also known as an HTTP Slowloris attack. This form of attack exploits the way a web server manages HTTP connections. The attacker opens many connections and sends a series of partial HTTP requests on each, but never completes them. The server keeps each connection open while it waits for the rest of the request, and that data never arrives. By repeating this across many simultaneous connections, the attacker can consume all of the server's available connection slots with minimal bandwidth usage on their part. This effectively prevents the server from processing legitimate requests from real users, leading to a denial of service. The technique is particularly effective against web servers with limited bandwidth or processing capacity.
In response to the attack, the administrators of the affected website implemented a mitigation technique known as geolocking, or geoblocking. This technique restricts access to online content based on the geographical location of the user attempting to connect. By enabling geolocking, access to the website was blocked for all users and systems located outside of Italy. This action was confirmed through an analysis using the check-host service performed at 22:07 on April 19, 2023, which found the web server was unreachable from outside Italy, though accessibility from within the country was also inconsistent. The primary purpose of implementing geolocking in this scenario was to reduce the attack power of the malicious bots participating in the DDoS campaign, as many of these infected computers are typically located in various countries around the world. While this measure effectively blocks malicious traffic from foreign locations, it also has the collateral effect of blocking legitimate users and clients who are located outside the permitted geographical area.
The implementation of geolocking was characterized as a temporary mitigation measure rather than a definitive solution. The article suggests that more permanent solutions would involve the activation of specialized security appliances such as Web Application Firewalls (WAF), which can filter incoming requests based on their content and behavior. A WAF can be configured to detect and block Slow HTTP requests based on their size or frequency. Alternatively, or in conjunction with a WAF, employing a Content Delivery Network (CDN) service from providers like Akamai or Cloudflare was cited as a more robust solution. These services offer DDoS mitigation capabilities by filtering incoming traffic and blocking malicious requests before they reach the target server. Other technical mitigations for a Slow HTTP attack include reducing the connection timeout on the web server, which forces the server to close inactive connections more quickly, thereby freeing up system resources. Another method is limiting the number of connections permitted from a single IP address, which reduces the number of connections an individual attacker can establish simultaneously. Using a reverse proxy was also mentioned as a potential solution, as it can process requests more efficiently and manage connections before they reach the primary web server.
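As an added example (not code from the article or from the affected organization), the check below applies the server-side mitigations just described, a request-header timeout, a minimum receive rate and a per-IP cap on incomplete connections, to a constructed snapshot of connection state, so a defender can see which connections those settings would have shed. The record fields, sample addresses and thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    """One accepted connection, as a server status page or `ss` might list it."""
    src_ip: str
    state: str      # "reading": request not yet complete; "sending"; "idle"
    age_s: float    # seconds since the connection was accepted
    bytes_in: int   # request bytes received so far


# Constructed sample snapshot (assumed, not from the article): one source
# holding many half-finished requests, plus a few ordinary clients.
SAMPLE_SNAPSHOT = (
    [Conn("203.0.113.7", "reading", 40.0 + i, 90 + i) for i in range(12)]
    + [Conn("198.51.100.4", "reading", 35.0, 150)]
    + [Conn("192.0.2.9", "sending", 0.4, 512),
       Conn("192.0.2.9", "reading", 0.2, 300),
       Conn("198.51.100.4", "idle", 3.0, 700)]
)


def slow_http_suspects(conns, header_timeout_s=20.0, min_bytes_per_s=100.0,
                       max_reading_per_ip=10, pool_size=256):
    """Report what a header timeout, a minimum request rate and a per-IP
    limit on still-reading connections would each have acted on."""
    reading = [c for c in conns if c.state == "reading"]
    # Connections a stricter header timeout would already have closed.
    stale = [c for c in reading if c.age_s > header_timeout_s]
    # Connections trickling request bytes below the minimum accepted rate.
    too_slow = [c for c in reading if c.bytes_in / c.age_s < min_bytes_per_s]
    # Incomplete connections per source, against the per-IP cap.
    reading_per_ip = defaultdict(int)
    for c in reading:
        reading_per_ip[c.src_ip] += 1
    over_limit = {ip: n for ip, n in reading_per_ip.items() if n > max_reading_per_ip}
    return {
        "stale_connections": len(stale),
        "slow_rate_connections": len(too_slow),
        "pool_fraction_held_by_stale": len(stale) / pool_size,
        "over_limit_ips": over_limit,
    }


if __name__ == "__main__":
    print(slow_http_suspects(SAMPLE_SNAPSHOT))
```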
The incident resulted in a service interruption, making the website unavailable to users. The scope of the impact was extended by the defensive response, as the geolocking measure prevented access for all users outside of Italy, regardless of whether their intent was legitimate or malicious. The attack is consistent with the group's stated pattern of conducting DDoS operations against Italian public and institutional targets as part of its broader hacktivist campaign in support of Russian geopolitical interests. The consequences of such an attack typically include an interruption of online services, preventing users from accessing websites or web applications, and can be used to damage the reputation of the target or for political and ideological purposes. The group's use of a Telegram channel to claim credit serves to publicize their actions and amplify the perceived impact of the attack.
