On December 28, 2024, a wave of distributed denial-of-service (DDoS) activity took down or disrupted roughly ten Italian public-facing websites, including the Foreign Ministry site and Milan’s Malpensa and Linate airport portals. Italian cyber authorities characterized the incident as a DDoS that was mitigated within a short window and said that a pro‑Russian group had claimed responsibility for the operation on Telegram.
The group that claimed the action, NoName057(16), follows a well-established pattern observed since 2022: politically motivated attacks that are low in sophistication but high in disruption volume, timed to public statements or policy moves perceived as hostile to Russian interests. These operations are often announced on Telegram and are intended to create visible friction rather than to conduct data theft or persistent intrusions.
Labeling these strikes as simple nuisance DDoS events understates their operational utility for the attacker. For pro‑Russian hacktivist collectives, the return on investment is clear. DDoS tools and rented or coerced botnets allow rapid, repeatable campaigns that force defenders to consume time and budget on emergency response. Public claims of responsibility amplify political messaging and can deter or complicate diplomatic posturing even when operational impact on core services is limited. Reporting from Italian authorities and independent outlets shows flights and core airport operations were not disrupted in this incident, but the cost in public trust and administrative burden rose as agencies scrambled to restore normal web access.
Technical characteristics across past NoName057(16) operations and similar campaigns point to recurring patterns that defenders should treat as indicators. Attacks target government ministries, transport and logistics websites, banking portals and media outlets. The vector is overwhelmingly volumetric HTTP and connection-exhaustion floods aimed at web front ends and content delivery points. Claims are staged on Telegram and occasionally accompanied by the release of small helper tools or lists of targeted domains to encourage sympathetic participants. This playbook yields high visibility at low forensic cost to the attackers.
From an operational defense perspective, the necessary changes are straightforward but require consistent investment. First, infrastructure owners must assume availability attacks will continue and build default resilience: use layered DDoS protection including CDN fronting, global scrubbing centers, and rate limiting tuned to normal traffic baselines. Second, critical services should separate public informational sites from operational control and passenger-facing systems so that a web outage does not cascade into kinetic or safety systems. Third, telemetry and threat intelligence sharing between private operators, the national cyber agency, and international partners must be fast and automated so that filter signatures can propagate during the first minutes of an attack. The Italian agency response in December 2024, which reportedly contained impact within a couple of hours, demonstrates the value of quick, coordinated mitigation.
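
The following added example, which is not from the original article or from any agency or vendor tooling, shows one way to tune a per-client rate limit to a normal traffic baseline and then flag clients that exceed it during an HTTP flood. The event tuples, addresses, and the percentile, headroom and floor values are constructed assumptions.

```python
import math
from collections import Counter

def per_minute_counts(events):
    """Count requests per (minute, client) from (epoch_seconds, client_ip) pairs."""
    return Counter((ts // 60, ip) for ts, ip in events)

def baseline_limit(events, percentile=0.99, headroom=2.0, floor=10):
    """Per-client requests-per-minute limit derived from normal traffic.

    Nearest-rank percentile of observed per-client rates, multiplied by a
    headroom factor so legitimate bursts are not throttled. The percentile,
    headroom and floor values are assumptions to tune per site.
    """
    counts = sorted(per_minute_counts(events).values())
    if not counts:
        return floor  # no baseline yet: fall back to a conservative floor
    rank = max(1, math.ceil(percentile * len(counts)))
    return max(floor, math.ceil(counts[rank - 1] * headroom))

def over_limit(events, limit):
    """Return {client_ip: peak requests per minute} for clients above the limit."""
    peaks = {}
    for (_, ip), n in per_minute_counts(events).items():
        if n > limit:
            peaks[ip] = max(n, peaks.get(ip, 0))
    return peaks

def make_events(clients, minutes, rpm_for):
    """Constructed traffic: client i sends rpm_for(i, m) requests in minute m."""
    return [(m * 60 + (k * 60) // n, ip)
            for m in range(minutes)
            for i, ip in enumerate(clients)
            for n in [rpm_for(i, m)]
            for k in range(n)]

# Constructed sample data using documentation address ranges (RFC 5737).
USERS = [f"192.0.2.{i}" for i in range(1, 21)]
FLOODERS = [f"203.0.113.{i}" for i in range(1, 4)]
normal = lambda i, m: 3 + (i + m) % 10  # 3 to 12 requests per minute

BASELINE = make_events(USERS, 5, normal)
INCIDENT = make_events(USERS, 2, normal) + make_events(FLOODERS, 2, lambda i, m: 600)

LIMIT = baseline_limit(BASELINE)
FLAGGED = over_limit(INCIDENT, LIMIT)

if __name__ == "__main__":
    print("limit (req/min/client):", LIMIT)
    print("clients over limit:", FLAGGED)
```

In production the same calculation would run over real access logs, per endpoint and per time of day, with the resulting limit enforced at the CDN or reverse proxy rather than in application code.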
Policy and deterrence also matter. Attribution is noisy for DDoS campaigns, yet repeated public claims tied to political events create a narrative that can be addressed through diplomatic channels, sanctions, or targeted takedowns of supporting infrastructure when legal authorities can act. National strategies should combine robust operational posture with clear consequence regimes so that the political messaging value for attackers is reduced. Coordination between aviation regulators, transport operators, and national cyber authorities is especially important, since these targets are attractive precisely because they are public-facing and newsworthy.
Looking forward, defenders must anticipate two trends. One, low-barrier automated toolkits and Telegram-amplified recruitment will continue to make DDoS campaigns an inexpensive option for geopolitically motivated actors. Two, attackers will increasingly combine volumetric noise with probing traffic aimed at identifying secondary weaknesses in self-service portals, third-party APIs, and identity management flows. That convergence raises the stakes beyond availability alone. Investing in resilient architecture, rapid incident playbooks, and continuous red teaming will blunt the strategic utility of these operations. The December incident should be seen as a reminder that hybrid conflict spans both digital and physical domains and that visible but contained outages are often the precursor to more complex campaigns if defenses are not hardened.
For defenders and policymakers, the immediate priorities are pragmatic. Harden public-facing endpoints, formalize rapid information-sharing channels, isolate operational control systems from public web layers, and develop legal pathways to disrupt hostile DDoS infrastructure. For security teams, the guidance is familiar but urgent: rehearsed playbooks, telemetry that reaches the right people fast, and investment in scrubbing and CDN partners who can absorb spikes. Those steps will not stop every claim or every temporary outage, but they will reduce the political leverage these attacks deliver to actors seeking to sway opinion or punish diplomatic positions.