Cyber Incident Victim: Iccrea Banca
Date:
Feb 2025
Location:
Italy
Summary
An alleged pro-Russian hacker group, Noname057(16), launched a cyberattack targeting approximately twenty Italian websites, including major banks and Milan's airports. Among the financial institutions affected was Iccrea Banca, which reported no disruptions from the incident. The attack, which did not cause major operational impacts, was attributed by Italy's cybersecurity agency to retaliation for recent political statements comparing Russia's war in Ukraine to Nazi Germany's expansionism. The same group had previously claimed responsibility for another attack on Italian institutional websites. While other targeted entities such as Intesa Sanpaolo and the airport management company SEA declined to comment, the overall impact remained limited, with no significant service interruptions reported.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On February 17, 2025, Italy's cybersecurity agency reported that approximately twenty Italian websites were targeted in a coordinated cyberattack attributed to the pro-Russian hacker group Noname057(16). The assault specifically included the online platforms of major financial institutions such as Intesa Sanpaolo, Banca Monte dei Paschi, and Iccrea Banca, alongside the websites for Milan's Linate and Malpensa airports. The agency directly linked the timing and motivation for these attacks to recent diplomatic tensions, following a statement by Italian President Sergio Mattarella that compared Russia's war on Ukraine to the expansionism of Nazi Germany prior to World War II. According to the cybersecurity agency, the hacker group explicitly cited President Mattarella's remarks as the impetus for their operation. The attacks were described as not causing major disruption to the targeted services or underlying infrastructure. A spokesperson for Iccrea Banca confirmed to Reuters that the bank experienced no disruptions as a result of the incident. The management company for Milan's airports, SEA, and Intesa Sanpaolo both declined to provide comment when approached by the news outlet. Banca Monte dei Paschi did not immediately respond to a request for comment regarding the attack on its systems.
The incident represents a continuation of activity by the Noname057(16) group against Italian digital assets, as the same collective had previously claimed responsibility for a separate cyber operation in December 2024. That earlier attack targeted around ten Italian institutional websites. The February 2025 attacks were characterized by the cybersecurity agency as a distributed campaign against high-profile, publicly accessible web properties rather than an intrusion aimed at internal banking systems or critical airport operations. The primary apparent impact was the temporary unavailability or defacement of the public-facing websites, though the specific technical method employed, such as a distributed denial-of-service (DDoS) attack or website defacement, was not detailed in the agency's public statement. The swift public attribution by Italy's national cybersecurity body framed the event as a politically motivated act of digital protest aligned with Russian geopolitical narratives. The responses from the affected private entities varied, with Iccrea Banca being the only one to issue a direct confirmation of operational continuity, while others opted for non-engagement with the media. The agency's report concluded that while the scale was notable, the attacks remained within a pattern of disruptive but non-destructive cyber activities intended for symbolic effect rather than systemic damage.