The Russian-based cybercrime organisation NoName057(16) (referred to henceforth as NoName057) has recently launched a Distributed Denial-of-Service (DDOS) campaign against an Italian bank, Banca Intesa Sanpaolo, alongside a whole host of other organisations critical to Italy's financial infrastructure. This follows an attack made in 2023 against the Siena-based Banca Monte dei Paschi, another Italian bank.
These attacks are part of a broader campaign against Ukraine's international allies which not only targets Italy, but also other member states of the EU, the USA, and other countries. In the case of Italy, it seems a number of these more recent attacks may be connected to Italy's decision to extend its military support for Ukraine through 2025.
The group broadcasts proof of their attacks via Telegram, as shown below. On their group's page, they also repost the activities of other similarly-aligned hacktivist groups working in support of the Russian invasion.
Figure 1: Screenshots from NoName057's Telegram page from late 2024 and early 2025 declaring successful attacks against a number of Italian businesses, infrastructure and governmental departments.
(1a) Translation: "Italian resources are under attack - their policy will not go unanswered"
(1b) Translation: "The Russophobic government of Italy supports criminals, and we support cyber attacks"
Across two recent posts on Telegram, the NoName057 group lists a huge number of Italian victims whose roles range from administrative to financial:
This follows an attack made by the NoName057 group in 2023, once again against a number of critical Italian businesses, carried out in response to Italy's decision at the time, as part of the Group of Seven (G7), to reaffirm its support for Ukraine. The attack, which originally began as a DDOS attack against Banca Monte dei Paschi, quickly expanded to include Iliad Italia, Banca Popolare di Bari and the authorisation service of BPER Banca S.p.A.
Figure 2: Screenshot from NoName057's Telegram page from 2023 declaring attacks against Italian businesses
Translation: "A few more Italian portals didn't survive our attacks"
Let us begin with NoName057. This Russian "hacktivist" group has acted in full support of the Russian state's extraterritorial interests since its inception, and especially since the outbreak of war in Ukraine. Their weapon of choice, and the one for which they are most infamous, is DDOSing. NoName057 clearly has access to a large botnet which they are able to leverage in their attacks. The goal in every attack is to overload a server with requests, causing it to crash. For example, whenever you visit a website, your browser requests the HTML hosted by the website in order to load the page. The server hosting the website sends that data to you, as well as to anybody else who requests it, but servers can struggle when huge amounts of traffic come in at once, as happens in a DDOS attack, which can involve tens of thousands of devices making hundreds of millions of requests per second. This technique can be used to take down not only websites, but also servers that provide data exchange to mobile applications, databases and other critical internet infrastructure.
Figure 3: The logo of NoName057 used in their official statements, featuring the state animal of Russia, a brown bear, operating a laptop
In addition to weakening Ukraine, NoName057 aims to weaken the support for Ukraine. This puts Italy in the centre of the group's crosshairs, but they share the burden of these attacks with Ukraine's allies around the world: the UK, Germany, Switzerland, the USA, France - any believers and supporters of Ukrainian sovereignty.
In this article we have described NoName057 and their affiliates and partners as hacktivists - but consider for a moment that this may not be the case. Prolific ransomware groups such as Evil Corp have been exposed as inextricably linked to the Russian government through familial ties. The fact that so many of these groups exist and continue to carry out attacks in Russia's name, with seemingly no threat of consequence, and the fact that extradition from Russia is impossible and that criminal activity against Russia's enemies appears to be permitted by the Russian government, might together suggest that this is not just a band of vigilantes carrying out some small-scale attacks.
The Wagner group, like these cybercrime groups, is also technically independent of the Russian government despite being a state-funded entity. But this suggestion of independence is total fantasy. The group is employed by Russia to ensure or enforce its international policies beyond its own borders in contexts where sending the Russian Armed Forces would constitute an act of war. Where the Wagner group operates as a proxy of the army, NoName057 and other groups operate as a proxy of Vympel and the KGB. What they claim as hacktivism is so clearly fueled with political motive, and so endangering of innocent parties, that it must simply be something else.
Figure 4: Definitions supplied by Merriam-Webster.
· Cyberwarfare: "The use of cyberattacks by a nation, organization, etc. to weaken or destroy another."
· Cyberterrorism: "Terrorist activities intended to damage or disrupt vital computer systems."
The members of NoName057 claim to be hacktivists, but their activities easily fit the definition of cyberwarfare or cyberterrorism.
DDOS attacks are usually short-lived; however, DDOS campaigns can involve repeat attacks that take place over several days and target servers during their busiest periods. As a victim of one of these attacks, you can expect your servers to be overloaded for a few seconds at a time; however, the damage can be extensive and sometimes takes hours or days to resolve. As a business, your priorities will be to carry out a mitigation strategy and a remediation strategy.
The first step in mitigating a DDOS attack is to ensure that detection of the attack is near-instant. This means that a company's ability to monitor traffic 24/7 is vital, especially if that company operates in a sector that makes it likely to be attacked. Banks, other financial institutions and businesses may find themselves particularly vulnerable to DDOS attacks, as well as other forms of cyberattack, and should be expected to have real-time monitoring of unusual web traffic in order to enable them to rapidly respond to an attack.
The response to a DDOS attack usually comes in the form of harsher filtering of web traffic, so that the server denies the requests of botnet hosts. This can involve filtering by origin, if a similarity is observed between the requests of this traffic (for example, by IP address); however, since attackers often leverage botnets that are widely or globally distributed, this method can often be insufficient in suppressing an attack.
Commonly, websites will employ a Client Puzzle Protocol (CPP) as a form of DDOS protection. This protocol is dissimilar from CAPTCHA, which readers will recognise as the puzzles that are often required to access certain web services, such as identifying a dog amongst a picture of cats, or selecting an object of the correct orientation. These puzzles require human work, reading your mouse movements or keyboard strokes and analysing them for human activity such as a stutter in mouse movement. CPP-layer solutions instead require the computer to provide a solution to a mathematical problem - the burden of work is placed on the computer rather than on the human. This small amount of extra compute power needed to satisfy the protocol's requirements provides just enough deterrent to greatly reduce the efficacy of large-scale DDOS attacks.
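The server side and client side of such a puzzle exchange can be sketched as follows. This is an added example, not code from the article or from any particular product: it uses a hashcash-style "leading zero bits" hash puzzle as a simplified stand-in for a client puzzle, and the key, function names and parameters are assumptions.

```python
import hashlib
import hmac

# Assumption: constructed demo key; a real server would use a random secret.
SERVER_KEY = b"constructed-demo-key"
_used = set()  # challenges already redeemed (needs expiry in production)

def _tag(client_ip, ts, bits):
    msg = f"{client_ip}|{ts}|{bits}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def issue_challenge(client_ip, now, bits=16):
    """Server: stateless challenge bound to client IP, time and difficulty."""
    ts = int(now)
    return f"{ts}|{bits}|{_tag(client_ip, ts, bits)}"

def solve(challenge):
    """Client: search for a nonce; expected cost is about 2**bits hashes."""
    bits = int(challenge.split("|")[1])
    nonce = 0
    while True:
        digest = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return nonce
        nonce += 1

def verify(client_ip, challenge, nonce, now, max_age=60):
    """Server: one HMAC and one hash, however hard the puzzle was to solve."""
    try:
        ts, bits, tag = challenge.split("|")
        age, need = now - int(ts), int(bits)
    except ValueError:
        return False
    if not hmac.compare_digest(tag.encode(), _tag(client_ip, ts, bits).encode()):
        return False  # forged, altered, or issued to another address
    if not 0 <= age <= max_age:
        return False  # expired
    digest = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
    if leading_zero_bits(digest) < need or challenge in _used:
        return False  # work not done, or solution replayed
    _used.add(challenge)
    return True

if __name__ == "__main__":
    ch = issue_challenge("203.0.113.7", now=1000, bits=12)  # constructed input
    print(ch, verify("203.0.113.7", ch, solve(ch), now=1010))
```

Each extra difficulty bit doubles the client's expected work while the server's verification cost stays constant, so difficulty can be raised while an attack is under way.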
Companies may also elect to use third party platforms to manage the web traffic to their servers. A third party can take care of a great deal of the mitigation strategies themselves. These are often referred to as provider-level mitigations and can include firewall providers, service providers and content delivery network (CDN) providers - collectively referred to as mitigation service providers.
After suffering a DDOS attack, a company needs to prioritise recovery, as well as ensure that no other attack has taken place. This can be as simple as restarting a crashed server, or as complex as identifying an infiltration amongst terabytes of other web traffic. While a server is out, the outage must be reported to service users - this is commonly achieved using social media, and it stresses the importance of having other ways of contacting your userbase besides internally managed channels such as email or push notifications.
After suffering an attack, analysis may reveal vulnerabilities in the website that led to or exacerbated the attack. Consider website functionality that is comparatively expensive for the server to provide, such as a "search" function. Following a simple client-side request, the server must undertake a much more difficult task to search through its records and provide the results back to the client. As part of the remediation process, the company may prepare a version of the website that has the "search" function, and other expensive functions, disabled - a version which can be deployed during suspected attacks. Alternatively, these functions can be rate-limited by IP address to prevent exploitation.
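Both options from the paragraph above, a degraded mode that switches expensive functions off and a per-IP rate limit on them, fit in one small request guard. This is an added example rather than code from the article; the class name, the "/search" route, the rates and the status codes chosen are assumptions.

```python
EXPENSIVE = {"/search"}  # assumption: the routes that cost the server most

class ExpensiveRouteGuard:
    """Per-IP token bucket on expensive routes, plus an attack-mode switch."""

    def __init__(self, rate_per_s=0.5, burst=3):
        self.rate, self.burst = rate_per_s, burst
        self.attack_mode = False  # set by operators or by traffic monitoring
        self.buckets = {}         # ip -> (tokens, last_seen); evict old entries
                                  # in production so the table cannot grow unbounded

    def check(self, ip, path, now):
        """Return an HTTP status: 200 serve, 429 slow down, 503 disabled."""
        if path not in EXPENSIVE:
            return 200            # cheap pages stay available
        if self.attack_mode:
            return 503            # degraded site: expensive features are off
        tokens, last = self.buckets.get(ip, (self.burst, now))
        # Refill in proportion to the time elapsed, capped at the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[ip] = (tokens, now)
            return 429
        self.buckets[ip] = (tokens - 1, now)
        return 200

if __name__ == "__main__":
    guard = ExpensiveRouteGuard()
    # Constructed traffic: one address sending four searches in the same second.
    print([guard.check("203.0.113.7", "/search", now=0) for _ in range(4)])
    guard.attack_mode = True
    print(guard.check("198.51.100.9", "/search", now=1),
          guard.check("198.51.100.9", "/", now=1))
```

A per-IP limit only caps what each individual source can cost the server; against a widely distributed botnet, the attack-mode switch is the control that bounds the total load from the expensive route.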
An infiltration of your system may also contribute to a DDOS, as the attacker may be able to introduce vulnerabilities themselves without detection. This remediation process should involve the implementation of new mitigation strategies not only against DDOSing, but also against network infiltration on the whole. This can involve the deployment of more stringent security procedures, training of staff in cybersecurity principles, and the use of more advanced threat detection services.
Italy has found itself in the crosshairs of NoName057, a Russian cybercrime outfit who target financial and administrative businesses with Distributed Denial-of-Service (DDOS) attacks. However, businesses targeted by this group can protect themselves with effective mitigation and remediation strategies. This involves maintaining contact with service users, identifying vulnerabilities and ensuring that preparations are made for future attacks.
These attacks are being waged as a result of Italy's stalwart support of Ukrainian sovereignty. They are carried out in the hopes that a dissatisfaction will breed amongst Italian businesses; a dissatisfaction that might put pressure on the Italian government to withdraw their support for their European ally. Server outages are not the goal of these attacks - it is fear. In this article, we hope we have made clear that with the correct preparation and response, there is little to be afraid of. The attackers cannot and will not win.
NoName057's Telegram Page
https://www.merriam-webster.com/dictionary/
https://kyivindependent.com/italy-extends-military-support-to-ukraine-through-2025/
https://www.arijuels.com/wp-content/uploads/2013/09/JB99.pdf