
In the last days of 2024, Italy faced a series of significant cyber attacks, mainly of the Distributed Denial of Service (DDoS) type, which temporarily rendered several institutional and corporate sites inaccessible. These attacks, claimed by the pro-Russian group Noname057(16), affected critical infrastructures and major companies in the country.

Attack history

  • 28 December 2024: Around ten official Italian websites, including that of the Ministry of Foreign Affairs and the two Milan airports (Linate and Malpensa), were temporarily disabled due to a cyber attack. The pro-Russian group Noname057(16) claimed the attack, calling it a response to Italian ‘Russophobes’.
  • 29 December 2024 – the following targets were made unavailable:
    • mappastorica.intesasanpaolo
    • internationalhistory.intesasanpaolo.com
    • property.intesasanpaolo
    • port.taranto
    • asisp.intesasanpaolo.com
    • porto.trieste (sinfomar, the vehicle loading and unloading management software)
    • Vulcanair (Italian aircraft manufacturer), including the online shop and the cpanel authorisation portal.
  • 30 December 2024 – attacks hit the:
    • Ministry of Infrastructure and Transport
    • Ministry of Economic Development
    • Carabinieri Organisation of Italy
    • Intesa Sanpaolo S.p.A.
    • Acqua Novara and Acque Veronesi.

Through a network of dedicated Telegram channels, the group spreads its narrative, claiming attacks and mobilising a following that is actively involved.

Analysis of attacks

DDoS attacks aim to overload target servers with huge amounts of traffic, making services inaccessible to legitimate users. Although these attacks do not cause permanent damage to infrastructure, they can take essential services offline for the duration of the attack, with significant operational consequences. The rapid response of the National Cybersecurity Agency allowed the effects of the attacks to be mitigated in less than two hours, limiting the impact on critical operations.

Responding to journalists in the Senate, Foreign Minister Antonio Tajani announced: ‘I have already mandated the secretary general of the Farnesina to prepare a reform of the ministry to create a directorate general to deal with cybersecurity and artificial intelligence’.


Defending against DDoS

Modern DDoS mitigation strategies employ advanced technologies to filter anomalous traffic at different OSI layers. Real-time analysis of data flows enables the identification and neutralisation of malicious requests, ensuring the continuity of critical services.

Key solutions include traffic scrubbing (intelligent traffic filtering), CDNs (Content Delivery Networks) for geographic distribution of content, which reduces the impact of localised attacks, and rate limiting and WAF (Web Application Firewall) mechanisms for protection at the network and application layers.


What we learnt

Below are the main lessons learnt and the resulting recommendations for strengthening the resilience of corporate infrastructures.

1) Complexity and polymorphism of attacks

DDoS attacks have evolved, becoming more complex and polymorphic. They are no longer limited to simple traffic flooding, but exploit amplification techniques, application layer attacks (Layer 7) and increasingly sophisticated IoT botnets. It is essential to implement active real-time monitoring and response systems to detect anomalous activity and respond promptly to potential threats.
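As an added illustration of the real-time monitoring recommended above (not code from the article or from CYBEROO), the following detector parses web-server access logs in combined log format and counts requests per fixed window, both per source IP and in total. A single source exceeding `per_ip_threshold` in one window is flagged as a source flood; a window whose total exceeds `surge_factor` times the expected baseline is flagged as a volume surge even when no single source stands out, which is what a Layer 7 flood from a distributed botnet looks like. The log lines, thresholds and addresses are constructed for the example.

```python
"""Layer 7 flood detection over access logs (added example, not the article's code)."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def detect_floods(lines, window_seconds=10, per_ip_threshold=50,
                  baseline_rps=2.0, surge_factor=10.0):
    """Return (kind, window, ip, count) alerts for per-source floods and volume surges."""
    per_ip = Counter()
    per_window = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped rather than silently counted
        window = int(rec["ts"].timestamp()) // window_seconds
        per_ip[(window, rec["ip"])] += 1
        per_window[window] += 1

    alerts = []
    for (window, ip), n in sorted(per_ip.items()):
        if n > per_ip_threshold:
            alerts.append(("source_flood", window, ip, n))
    for window, n in sorted(per_window.items()):
        if n > baseline_rps * window_seconds * surge_factor:
            alerts.append(("volume_surge", window, None, n))
    return alerts


def make_sample_log():
    """Constructed sample log: three normal clients, then one source hammering /login."""
    base = datetime(2024, 12, 30, 10, 0, 0, tzinfo=timezone(timedelta(hours=1)))

    def line(ip, offset, path):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for i, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        for k in range(4):
            lines.append(line(ip, i + 2 * k, "/"))          # seconds 0..8, 12 requests in all
    for k in range(300):
        lines.append(line("203.0.113.77", 12 + k // 100, "/login"))  # seconds 12..14
    return lines


if __name__ == "__main__":
    for alert in detect_floods(make_sample_log()):
        print(alert)
```

On the sample log the first window stays quiet (12 requests from three sources) and the second raises both a `source_flood` for the single hammering address and a `volume_surge`, since 300 requests exceed the 200 that a 2 req/s baseline allows in a 10-second window at a surge factor of 10. In production the baseline should be learnt per time of day rather than fixed, and the alert should feed the escalation procedure rather than sit in a log.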

2) Exploitation of vulnerabilities

Attackers continue to exploit vulnerabilities in devices, exposed servers and misconfigurations to orchestrate large-scale attacks. Protocols such as DNS, NTP and memcached are often abused to amplify malicious traffic. A strict patch management and system hardening policy must be adopted, disabling unnecessary services and implementing granular access controls. Constantly monitor the attack surface and conduct regular vulnerability assessments and penetration tests.
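The three amplification protocols named above are abused because of specific, well-known misconfigurations: an open recursive DNS resolver, an NTP daemon that still answers `monlist` queries, and a memcached instance reachable over UDP from the internet. The script below, added here as an example and not code from the article or from CYBEROO, audits configuration text for those settings and reports findings next to the hardening fix. The `named.conf`, `ntp.conf` and memcached command-line snippets are constructed for the example; the option names (`allow-recursion`, `noquery`, `disable monitor`, `-U 0`, `-l`) are the real ones.

```python
"""Audit of services commonly abused for DDoS amplification (added example, not the article's code)."""
import re


def audit_bind(named_conf: str) -> list:
    """Flag a recursive resolver that answers any client (DNS amplification vector)."""
    findings = []
    if re.search(r"\brecursion\s+yes\s*;", named_conf):
        acl = re.search(r"allow-recursion\s*\{([^}]*)\}", named_conf)
        if acl is None or re.search(r"\bany\b", acl.group(1)):
            findings.append("bind: recursion is open to any client; restrict allow-recursion or set recursion no")
    return findings


def audit_ntp(ntp_conf: str) -> list:
    """Flag an NTP daemon that still answers monlist/mode 7 queries from anyone."""
    if re.search(r"^\s*disable\s+monitor\b", ntp_conf, re.M):
        return []  # monitor subsystem off: monlist cannot be used for amplification
    default = re.search(r"^\s*restrict\s+(?:-[46]\s+)?default\b(.*)$", ntp_conf, re.M)
    if default is None or "noquery" not in default.group(1):
        return ["ntp: 'restrict default' lacks noquery and monitor is enabled; add noquery or 'disable monitor'"]
    return []


def audit_memcached(cmdline: str) -> list:
    """Flag memcached reachable over UDP or bound to all interfaces."""
    findings = []
    if not re.search(r"(?:^|\s)-U\s*0(?:\s|$)", cmdline):
        findings.append("memcached: UDP port enabled; start with -U 0")
    if not re.search(r"(?:^|\s)-l\s*(?:127\.0\.0\.1|::1|localhost)(?:\s|$)", cmdline):
        findings.append("memcached: not bound to localhost; start with -l 127.0.0.1 or firewall port 11211")
    return findings


def audit_all(named_conf: str, ntp_conf: str, memcached_cmdline: str) -> list:
    return audit_bind(named_conf) + audit_ntp(ntp_conf) + audit_memcached(memcached_cmdline)


# Constructed "before" configurations carrying the weak settings.
WEAK_BIND = "options {\n    recursion yes;\n    allow-recursion { any; };\n};\n"
WEAK_NTP = "server 0.pool.ntp.org\nrestrict default kod nomodify notrap nopeer\n"
WEAK_MEMCACHED = "memcached -m 64 -p 11211 -u memcache"

# Constructed hardened counterparts.
HARDENED_BIND = "options {\n    recursion yes;\n    allow-recursion { localhost; localnets; };\n};\n"
HARDENED_NTP = "server 0.pool.ntp.org\nrestrict default kod nomodify notrap nopeer noquery\ndisable monitor\n"
HARDENED_MEMCACHED = "memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -U 0"

if __name__ == "__main__":
    for name, cfg in (("weak", (WEAK_BIND, WEAK_NTP, WEAK_MEMCACHED)),
                      ("hardened", (HARDENED_BIND, HARDENED_NTP, HARDENED_MEMCACHED))):
        print(name, audit_all(*cfg) or "no findings")
```

The weak set produces four findings (one for BIND, one for NTP, two for memcached) and the hardened set none. Checks like these belong in the regular attack-surface review the article calls for; they are a complement to, not a substitute for, an external scan that confirms the ports are actually unreachable from the internet.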

3) Targeted attacks and varied motivations

DDoS attacks are not always random. They are often targeted at specific sectors (e.g. financial, government, e-commerce) and may be motivated by extortion, unfair competition, hacktivism or geopolitical conflicts. Organisations must develop and regularly test incident response plans that include escalation and communication procedures and ensure effective management during attacks.

4) Importance of cyber resilience

Resilience and the ability to ensure business continuity are crucial to minimise the impact on business in the event of a DDoS attack. It is important to implement redundancy and failover mechanisms, both at the infrastructure and application levels. Regularly test the disaster recovery and business continuity plan, simulating DDoS attack scenarios to identify any gaps. Network segmentation and the implementation of a zero-trust model help to contain the damage.

5) The need for a holistic security strategy

Protection from DDoS attacks is not an isolated issue, but part of a broader cybersecurity strategy. It requires a holistic approach that integrates different security measures, shares information between government agencies, private companies and cybersecurity specialists, and invests in cybersecurity training for staff to reduce the risk of compromise through social engineering, increasing the overall resilience of the organisation.


In conclusion

The prevention and mitigation of DDoS attacks require a proactive, multi-layered and evolving approach that takes into account the new tactics of attackers and the specific needs of each organisation. In a multifaceted cyber threat landscape, it is crucial that organisations strengthen their defences and prepare in advance to respond effectively to any future attacks.

Analysis by Vasily Kononov – Threat Intelligence Lead, CYBEROO