
Cyber Incident Victim: Carabinieri

Date:

Apr 2023

Location:

Italy

Summary

The Italian Superior Council of the Judiciary (Consiglio Superiore della Magistratura) suffered a DDoS attack claimed by the pro-Russian hacktivist group NoName057(16). The group announced the attack on its Telegram channel, stating that the institution's website "did not survive". In response, the victim enabled geolocking to block access from outside Italy, a temporary mitigation that made the web server unreachable from abroad (and only intermittently reachable from within Italy) but did not constitute a definitive security solution.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around April 19, 2023, the Italian Superior Council of the Judiciary (Consiglio Superiore della Magistratura) was subjected to a cyber attack. The pro-Russian hacker group known as NoName057(16) claimed responsibility for this incident. The group publicly declared its support for the Russian Federation in March 2022 following the start of the war between Ukraine and Russia. It maintains a Telegram channel with over 30,000 followers, which it uses to publicize its activities and claim new victims. A post appeared on this channel stating that the website of the Italian Superior Council of the Judiciary had not survived their attack.


The attack was characterized as a Distributed Denial of Service (DDoS) attack. In its volumetric form, a DDoS attack uses a large number of compromised computers or devices, known as a botnet, to send traffic to a target at the same time, saturating the server's bandwidth and resources so that it can no longer answer legitimate requests. The specific technique identified in this incident, however, was a Slow HTTP attack, also known as Slowloris, which works differently. Rather than flooding the link, it abuses the way a web server assigns a worker or connection slot to each client while the HTTP request is still being read. The attacker opens many connections, sends partial HTTP requests, and keeps trickling a few bytes of header just often enough to stop the server from timing the connection out, but never completes any request. Each such connection holds its slot until the server's connection pool is exhausted, at which point legitimate clients can no longer be accepted. Because the attacker needs only a few bytes per connection per interval, the attack costs very little bandwidth; it is most effective against servers whose concurrency is bounded by a fixed number of worker processes or threads (Apache httpd in prefork mode is the classic target) and against origins that are not fronted by a reverse proxy that buffers complete requests before forwarding them.

In response to the attack, the administrators of the affected website implemented a mitigation known as geolocking, or geoblocking. The edge device (firewall, load balancer or reverse proxy) maps each connecting source IP address to a country using a GeoIP database and refuses connections from countries that are not on an allowlist. By enabling geolocking, access to the website was blocked for users located outside Italy. This was confirmed through an analysis using check-host.net at 22:07 on April 19, 2023, which showed the web server unreachable from abroad but still reachable, though not consistently, from within Italy. The purpose of geolocking here was to reduce the attack's potency by cutting off the large share of the malicious botnet traffic originating outside the country before it could occupy server resources. The measure only works as well as that assumption holds: botnet nodes inside Italy, or attack traffic relayed through Italian VPN or proxy exit points, still reach the server, which is consistent with the inconsistent availability observed domestically.

The implementation of geolocking was described as a temporary mitigation rather than a definitive solution. While it reduced the immediate impact of the DDoS campaign by filtering out foreign-based attack traffic, it also blocked legitimate international users from reaching the website's services. The article noted that a more permanent solution would involve specialized security appliances or services, such as a Web Application Firewall (WAF), which inspect incoming requests and client behavior to detect and block malicious activity like Slow HTTP attacks. Against Slowloris specifically, the decisive controls are per-connection limits on how long a client may take to deliver its request header and body (ideally expressed as a minimum data rate), a cap on concurrent connections per source address, and a reverse proxy that only hands complete requests to the origin. Alternatively, using Content Delivery Network (CDN) services from providers like Akamai or Cloudflare was cited as another definitive solution: these services terminate client connections at their edge and absorb large-scale DDoS traffic, so half-open or slow connections never reach the origin server.
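To make the three preceding paragraphs concrete, the following Python model (added for this page; it is not code from the source article, the victim, or any vendor) simulates an origin with a small fixed pool of connection slots under a Slow HTTP attack and compares the two responses discussed: a country allowlist like the one the administrators enabled, and a request-header deadline of the kind a reverse proxy, WAF or Apache's mod_reqtimeout enforces. All hosts, countries, slot counts and timings are constructed for the demo (the addresses are RFC 5737 documentation ranges, and "country" is an assumed GeoIP result, not a real lookup). The model generalizes the incident by including one slow client inside Italy, which a geoblock cannot remove.

```python
"""Toy model of a Slowloris-style attack against a slot-bound origin,
with geoblocking and a header-read deadline as alternative mitigations.
Everything below is constructed for the demo; no network I/O is performed."""
from dataclasses import dataclass, field
from typing import Optional

MAX_SLOTS = 4  # assumed: the origin can hold this many open connections at once


@dataclass
class Client:
    ip: str
    country: str                    # assumed GeoIP result; no real database is consulted
    opens_at: float                 # second at which the TCP connection is accepted
    completes_at: Optional[float]   # second at which the request header is finished; None = never


@dataclass
class Policy:
    allowed_countries: Optional[set] = None  # geoblocking allowlist; None = disabled
    header_deadline: Optional[float] = None  # max seconds to deliver the header; None = disabled


@dataclass
class Outcome:
    served: list = field(default_factory=list)
    geo_rejected: list = field(default_factory=list)
    no_slot: list = field(default_factory=list)
    reaped: list = field(default_factory=list)


def simulate(clients, policy, horizon=20.0):
    """Advance one second at a time and record what happened to each client."""
    out = Outcome()
    active = {}  # ip -> Client currently holding a connection slot
    pending = sorted(clients, key=lambda c: c.opens_at)
    for t in range(int(horizon) + 1):
        # 1. Header deadline: a connection that has not delivered a complete
        #    request header in time is closed and its slot is freed.
        if policy.header_deadline is not None:
            for ip, c in list(active.items()):
                unfinished = c.completes_at is None or c.completes_at > t
                if unfinished and t - c.opens_at >= policy.header_deadline:
                    out.reaped.append(ip)
                    del active[ip]
        # 2. Requests whose header has arrived are answered and release their slot.
        for ip, c in list(active.items()):
            if c.completes_at is not None and c.completes_at <= t:
                out.served.append(ip)
                del active[ip]
        # 3. Admit new connections: geoblock first, then look for a free slot.
        while pending and pending[0].opens_at <= t:
            c = pending.pop(0)
            if policy.allowed_countries is not None and c.country not in policy.allowed_countries:
                out.geo_rejected.append(c.ip)
            elif len(active) >= MAX_SLOTS:
                out.no_slot.append(c.ip)  # pool exhausted: the denial-of-service condition
            else:
                active[c.ip] = c
    return out


def constructed_traffic():
    """Constructed sample: four slow clients abroad, one slow client in Italy,
    then one legitimate Italian and one legitimate French user."""
    slow_foreign = [Client(f"198.51.100.{i}", "XX", 0.0, None) for i in range(1, 5)]
    slow_domestic = Client("192.0.2.9", "IT", 2.0, None)
    user_it = Client("203.0.113.5", "IT", 12.0, 12.0)
    user_fr = Client("203.0.113.77", "FR", 13.0, 13.0)
    return slow_foreign + [slow_domestic, user_it, user_fr]


def compare():
    """Run the same traffic under no mitigation, geoblocking, and a header deadline."""
    traffic = constructed_traffic()
    return {
        "no_mitigation": simulate(traffic, Policy()),
        "geoblock_IT": simulate(traffic, Policy(allowed_countries={"IT"})),
        "header_deadline": simulate(traffic, Policy(header_deadline=10.0)),
    }


if __name__ == "__main__":
    for name, o in compare().items():
        print(f"{name:16} served={o.served} geo_rejected={o.geo_rejected} "
              f"no_slot={o.no_slot} reaped={o.reaped}")
```

Without mitigation the four foreign slow connections fill the pool and every later client, attacker or not, is turned away. With the country allowlist the Italian user is served, but the French user is refused along with the attackers, and the domestic slow client keeps its slot for the whole run. With a ten-second header deadline the slow connections are reaped regardless of origin and both legitimate users are served; a real attacker would reconnect, which is why the deadline is normally paired with a per-source connection cap.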

The threat actor group, NoName057(16), has a history of conducting similar cyber operations. Since its inception, the group has claimed responsibility for DDoS attacks against numerous countries, including Ukraine, the United States, and various European nations. Within Italy, the group had previously carried out multiple DDoS campaigns against both public targets, such as government and institutional websites, and private entities. Their operations are typically motivated by hacktivism and are aligned with political or ideological support for the Russian Federation.

The immediate impact of the attack was the outage claimed by the group, followed, once geoblocking was enabled, by the deliberate unavailability of the Superior Council of the Judiciary's website for users outside Italy and inconsistent availability for users within Italy. A Denial of Service condition directly impairs an organization's ability to provide information and services to its constituents, which for a judicial body can impede public access to announcements, legal documents, or other resources typically hosted online. The response actions reported were purely technical and defensive, focused on containing the attack and restoring availability for the primary user base within the country. The narrative does not describe any longer-term consequences, investigations, or further recovery steps beyond the activation of geolocking. The incident illustrates the continued use of low-cost DDoS tactics by politically motivated groups against public institutions.
