Date:

Apr 2023

Location:

Italy

Summary

The Supreme Judicial Council of Italy was targeted in a DDoS attack claimed by the pro-Russian hacker group NoName057(16). The attack rendered the institution's website inaccessible, prompting the activation of geolocking to mitigate the incident by blocking foreign traffic. This measure restricted access to users within Italy but was described as a temporary solution rather than a definitive one. The group publicized their claim of responsibility on their Telegram channel.


Description

On or around April 18, 2023, the Supreme Judicial Council of Italy (Consiglio Superiore della Magistratura) was subjected to a cyber attack. The pro-Russian hacker group known as NoName057(16) claimed responsibility for this incident. The group publicly declared its support for the Russian Federation in March 2022 following the start of the war in Ukraine. It maintains a Telegram channel with over 30,000 followers, which it uses to publicize its activities and claim new victims. It was on this channel that the group posted a message stating, "Il sito web del Supremo Consiglio Superiore della Magistratura italiano non è sopravvissuto al nostro attacco," which translates to "The website of the Italian Supreme Council of the Judiciary did not survive our attack."


The attack executed against the council's web infrastructure was a Distributed Denial of Service (DDoS) attack. In a DDoS attack a large number of compromised machines, collectively a botnet, send traffic to a target simultaneously in order to saturate its bandwidth or exhaust a server resource, so that legitimate requests go unanswered and the service is interrupted. In this specific case, the group employed a technique known as a Slow HTTP attack, also referred to as an HTTP Slowloris attack. This method exploits how web servers manage HTTP connections. The attacker opens many connections to the target and sends each HTTP request very slowly: it transmits a partial request head, then keeps adding a further header line at intervals timed to fall just inside the server's idle timeout, and never sends the blank line that would complete the request. The server, waiting for each request to finish, keeps every connection open. This consumes the server's pool of connection slots (worker threads or processes on servers that dedicate one to each connection, which are the usual targets of this technique), preventing it from accepting new legitimate connections and effectively making the service unavailable, while the attacker uses very little bandwidth. Because each held connection costs the attacker only a few bytes per interval, the traffic volume is tiny compared with a volumetric flood, and bandwidth-based monitoring alone may not notice it.
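The following is an added example, not code from the original page or from any party to the incident. It is a discrete-time toy model of the slot-exhaustion mechanism described above: one step is one second, the server has a fixed number of connection slots, and the attacker trickles one partial header line per open connection at a fixed interval so the request head never completes. It also shows the practitioner's point that an ordinary idle timeout does not help (the trickle resets it), whereas a deadline on completing the request head, as enforced for instance by Apache's mod_reqtimeout, frees the slots. Slot count, rates, intervals and timeout values are assumptions chosen for illustration, not measurements from the incident.

```python
"""Connection-slot exhaustion under a slow-request (Slowloris-style) load.

Added example, not code from the original page or from any party to the
incident. One step is one second; all numbers are assumptions for
illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SlowConn:
    opened: int     # step at which the server accepted the connection
    last_byte: int  # step at which the last partial-header line arrived


def simulate(slots: int, steps: int, attacker_rate: int, trickle: int,
             legit_rate: int, idle_timeout: Optional[int] = None,
             header_deadline: Optional[int] = None) -> dict:
    """Return how many legitimate requests were served or refused.

    idle_timeout    : close a connection that sent nothing for this many steps
                      (the classic idle/keep-alive timer).
    header_deadline : close a connection whose request head is still
                      incomplete this many steps after accept (the kind of
                      limit Apache's mod_reqtimeout 'header=' setting imposes).
    """
    open_slow = []          # attacker connections currently holding a slot
    served = refused = 0
    for t in range(steps):
        # 1. Server housekeeping: enforce whichever limits are configured.
        keep = []
        for c in open_slow:
            if header_deadline is not None and t - c.opened >= header_deadline:
                continue    # head never completed in time: slot freed
            if idle_timeout is not None and t - c.last_byte >= idle_timeout:
                continue    # truly idle: slot freed
            keep.append(c)
        open_slow = keep
        # 2. Attacker keeps each surviving connection alive with one more
        #    header line, timed to land before the idle timer fires.
        for c in open_slow:
            if t - c.last_byte >= trickle:
                c.last_byte = t
        # 3. Attacker opens new connections into whatever slots are free.
        for _ in range(attacker_rate):
            if len(open_slow) < slots:
                open_slow.append(SlowConn(opened=t, last_byte=t))
        # 4. Legitimate clients each need one slot for one step.
        got = min(slots - len(open_slow), legit_rate)
        served += got
        refused += legit_rate - got
    return {"served": served, "refused": refused, "slow_open": len(open_slow)}


def compare() -> dict:
    """Same attacker against three server configurations (assumed numbers)."""
    base = dict(slots=100, steps=120, attacker_rate=3, trickle=5, legit_rate=20)
    return {
        "no_limits": simulate(**base),
        "idle_timeout_only": simulate(**base, idle_timeout=15),
        "header_deadline": simulate(**base, header_deadline=20),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:18s} served={r['served']:4d} refused={r['refused']:4d} "
              f"slow_open={r['slow_open']}")
```

With these parameters the attacker holds all 100 slots after about half a minute in the first two configurations and most legitimate requests are refused; with a 20-second deadline on the request head the attacker can never hold more than 60 slots and every legitimate request is served. The trickle interval (5) is shorter than the idle timeout (15), which is exactly how a real slow-request tool is tuned.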

The immediate impact of the attack was the unavailability of the Supreme Judicial Council's website. By 22:07 on April 19, 2023, analysis using the check-host tool confirmed that the web server was unreachable from outside Italy. Access from within Italy was also reported to be inconsistent and not always successful. This confirmed that the website had been successfully taken offline by the attack, fulfilling the attackers' stated goal.

In response to the attack, the administrators of the affected systems implemented a mitigation measure known as geolocking, also referred to as geoblocking. Geolocking restricts access to an online service according to the geographical location attributed to the client's source IP address, typically by consulting a GeoIP database that maps address ranges to countries, and it is normally enforced at the network edge (firewall, load balancer or CDN) so that filtered connections never reach the origin server's connection pool. In this context, it was configured to block all traffic originating from outside Italy. This action was taken to reduce the potency of the attack by cutting off the large part of the botnet that was likely distributed across many countries. By limiting access to a single geographic region, the number of malicious connections able to reach the server was drastically reduced; bots or proxies already located inside the permitted region are unaffected by such a rule, however. The measure restored a degree of availability, allowing the website to be reached from within Italy, though only intermittently.
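The following is an added example, not code from the original page or the council's actual configuration, showing what a country allowlist of this kind does when applied to a request log: a small CIDR-to-country table stands in for a GeoIP database, and the log is constructed so that it contains both a legitimate user outside Italy and a bot inside it. The prefixes are documentation ranges, not real national allocations, and the classification of each request as legitimate or attack is an analyst's label that the filter itself never sees.

```python
"""Toy geoblocking (country allowlist) filter over a request log.

Added example, not code from the original page. The prefix table and the
request log are constructed for illustration; a real deployment would use a
GeoIP database or a CDN/WAF country rule at the network edge.
"""
import ipaddress
from collections import Counter

# Constructed prefix-to-country table using documentation ranges; these are
# NOT the real allocations of any country.
PREFIX_COUNTRY = {
    "192.0.2.0/24": "IT",
    "198.51.100.0/24": "DE",
    "203.0.113.0/24": "BR",
    "2001:db8:1::/48": "IT",
    "2001:db8:2::/48": "US",
}
_NETWORKS = [(ipaddress.ip_network(p), cc) for p, cc in PREFIX_COUNTRY.items()]


def country_of(ip: str) -> str:
    """Longest-prefix lookup is unnecessary here: the toy table is disjoint."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _NETWORKS:
        if addr.version == net.version and addr in net:
            return cc
    return "??"   # unknown origin: fails closed under an allowlist policy


def allowed(ip: str, allow: frozenset) -> bool:
    return country_of(ip) in allow


# Constructed log: (client_ip, analyst_label). The filter only sees the IP.
SAMPLE_LOG = [
    ("192.0.2.10", "legit"),
    ("192.0.2.11", "legit"),
    ("198.51.100.5", "attack"),
    ("198.51.100.6", "attack"),
    ("203.0.113.7", "attack"),
    ("203.0.113.8", "attack"),
    ("2001:db8:1::5", "legit"),
    ("2001:db8:2::9", "legit"),   # Italian user abroad: collateral damage
    ("192.0.2.12", "attack"),     # bot inside the allowed region: slips through
]


def apply_geoblock(log, allow=frozenset({"IT"})) -> Counter:
    """Count outcomes keyed by (label, 'allowed' | 'blocked')."""
    out = Counter()
    for ip, label in log:
        verdict = "allowed" if allowed(ip, allow) else "blocked"
        out[(label, verdict)] += 1
    return out


if __name__ == "__main__":
    for (label, verdict), n in sorted(apply_geoblock(SAMPLE_LOG).items()):
        print(f"{label:7s} {verdict:8s} {n}")
```

The two counts a practitioner watches are `("legit", "blocked")`, the foreign users the rule locks out, and `("attack", "allowed")`, the in-region bots it cannot touch. Both are non-zero in this constructed log, which is the reason geolocking is a stopgap rather than a fix.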

The article characterizes the implementation of geolocking as a temporary mitigation rather than a definitive solution. While effective at immediately reducing the volume of attack traffic, it is not a comprehensive security measure. It also has the side effect of blocking legitimate users and traffic from outside the permitted geographic area, which can be detrimental for an institution that may need to provide information to an international audience. The article notes that more permanent solutions to such attacks include deploying Web Application Firewalls (WAF), which can filter malicious traffic based on request content and behavior, or utilizing Content Delivery Network (CDN) services like Akamai or Cloudflare, which offer built-in DDoS mitigation capabilities by absorbing and scrubbing traffic before it reaches the origin server. For a slow-request attack specifically, the controls that matter are a deadline on completing the request head and a per-source limit on concurrent connections at the server or reverse proxy, and a CDN or proxy that buffers the entire request before forwarding it means the origin never sees a partial request at all.

The attacking group, NoName057(16), has a history of conducting similar campaigns. Since its inception, the group has claimed responsibility for cyber attacks against numerous countries, including Ukraine, the United States, and various European nations. Its operations against Italy have involved multiple DDoS campaigns targeting both public sector entities, such as government and institutional websites, and private sector organizations. The attack on the Supreme Judicial Council is presented as part of this ongoing series of disruptive activities aimed at Italian digital infrastructure. The group's motives are aligned with hacktivism, using cyber attacks to further political or ideological goals, in this case in support of the Russian Federation's interests.
