A Vatican website crash last week bears the hallmarks of a cyberattack, security experts say, highlighting the Vatican’s online exposure to the prospect of interference from malicious actors.
Most of the Vatican’s website crashed Nov. 19, and remained unavailable for several days in some parts of the world.
While the Vatican has not confirmed the origin of the issue, Vatican spokesman Matteo Bruni gave indication over the weekend that Vatican officials themselves suspect an attack on their web servers.
Bruni said over the weekend that there had been an “abnormal number of interactions” on the servers, which, in combination with the countermeasures deployed in response, led to the current issues with the site.
Experts believe that the abnormal number of interactions is consistent with a DDoS attack, although the source of such an attack is unclear. At the Vatican, some have suspected that a cyberattack might have been timed to coincide with the Nov. 20 Vatican visit of Ukraine’s First Lady Olena Zelenska.
If the site crash was a cyberattack, it would be the latest in a long series of politically motivated cyberattacks against the Vatican.
In 2015, the personal data of Vatican radio journalists and the Vatican’s website was hacked twice by hacking group Anonymous.
In 2018, both the Vatican and the Diocese of Hong Kong were affected by RedDelta, a hacking group believed to be backed by the Chinese government, ahead of talks to renew a provisional agreement on episcopal appointments.
In 2022, the Vatican’s website went down a day after the Pope criticized Russia’s invasion of Ukraine.
Theresa Payton, a former White House technology director, told The Pillar this week that the Vatican’s remarks on the subject indicate what kind of attack might have disabled the site.
“The phrase ‘abnormal number of interactions’ strongly hints at automated bot activity, which may include a distributed denial-of-service (DDoS) attack aimed at overwhelming the Vatican’s servers,” said Payton, who is CEO of Fortalice Solutions and was White House chief information officer between 2006 and 2008.
“This kind of disruption could be a ruse to conduct a separate physical or digital attack,” she explained.
A DDoS attack works by directing a very large number of requests at a server from many sources at once, until the server’s bandwidth, connection capacity or processing power is exhausted and it stops answering legitimate users. Cybersecurity experts usually compare it to a phone receiving so many calls at the same time that genuine callers can no longer get through.
“Another possibility is they may have observed a surge in failed login attempts, possibly from brute-force bot attacks, which aim to crack passwords and gain unauthorized access,” Payton added.
DDoS attacks are usually carried out through botnets, networks of compromised machines that flood the target with requests until it can no longer respond. Their goal is availability rather than confidentiality: they do not seek private information but simply take a website offline so that users cannot reach it.
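The two patterns Payton describes, a distributed flood and a single-source brute-force burst, look different in the same web-server log, and telling them apart is the first step in deciding what “abnormal number of interactions” actually means. The following is an added example, not code from The Pillar or from the Vatican’s own systems: it parses constructed access-log lines in the common Apache/nginx combined format, buckets them into fixed windows, and classifies each window. The thresholds, IP addresses and timestamps are illustrative assumptions.

```python
"""Flag an "abnormal number of interactions" in web-server access logs.

Added example, not code from The Pillar or from the Vatican's own systems.
The log lines are constructed here in the common Apache/nginx combined
format; the thresholds are illustrative assumptions, not measured values.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format log line; return None on a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def analyse(lines, window_s=10, rate_threshold=20.0, top_share_threshold=0.2):
    """Classify each fixed time window of the log.

    Two signals are needed because a DDoS looks different from one abusive client:
      volumetric : total requests per second in the window >= rate_threshold
      distributed: the busiest source IP sends only a small share of that traffic,
                   i.e. no single address is the problem (botnet pattern)
    A high-rate window dominated by one IP is reported as "single_source",
    which is what a brute-force login bot looks like in the same log.
    Returns a list of per-window dicts in time order.
    """
    buckets = defaultdict(list)
    for entry in filter(None, map(parse_line, lines)):
        key = int(entry["ts"].timestamp()) // window_s * window_s
        buckets[key].append(entry)

    report = []
    for start, entries in sorted(buckets.items()):
        rate = len(entries) / window_s
        by_ip = Counter(e["ip"] for e in entries)
        top_ip, top_count = by_ip.most_common(1)[0]
        top_share = top_count / len(entries)
        if rate < rate_threshold:
            verdict = "normal"
        elif top_share < top_share_threshold:
            verdict = "distributed"
        else:
            verdict = "single_source"
        report.append({
            "start": start, "requests": len(entries), "rate": rate,
            "unique_ips": len(by_ip), "top_ip": top_ip,
            "top_share": round(top_share, 3), "verdict": verdict,
        })
    return report


def build_sample_log():
    """Constructed sample: three consecutive 10-second windows.

    Window 1: a handful of ordinary visitors.
    Window 2: 300 GETs spread thinly over 100 bot addresses (TEST-NET ranges).
    Window 3: 250 POSTs to the login form from a single address.
    """
    def line(ip, second, req, status=200):
        ts = f"19/Nov/2024:10:00:{second:02d} +0000"  # constructed timestamp
        return f'{ip} - - [{ts}] "{req}" {status} 512'

    lines = [line(f"198.51.100.{i + 1}", i, "GET /news HTTP/1.1") for i in range(5)]
    lines += [line(f"203.0.113.{(i % 100) + 1}", 10 + i % 10, "GET / HTTP/1.1")
              for i in range(300)]
    lines += [line("192.0.2.7", 20 + i % 10, "POST /login HTTP/1.1", 401)
              for i in range(250)]
    return lines


if __name__ == "__main__":
    for window in analyse(build_sample_log()):
        print(window)
```

The point of the two-signal rule is that the countermeasures differ: a single-source burst can be rate-limited or blocked by address, whereas a distributed flood with a tiny per-address share defeats per-IP limits and has to be absorbed or filtered upstream, which is the role of the intermediaries discussed later in this piece.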
“Usually, DDoS attacks are from either nation-states or organized criminal gangs that operate with their blessing. With AI tools, DDoS attacks could be done by non-affiliated hackers if they were sophisticated,” Charles Brooks, a former DHS official and professor of cybersecurity at Georgetown University, told The Pillar.
Brooks led a group of Catholic cybersecurity experts which urged the Holy See to create a ‘Vatican Cyber Security Authority’ in May 2023 as they were concerned about weaknesses in the Vatican's digital infrastructure.
Although a DDoS attack usually requires a large-scale operation, many experts believe that in the Vatican’s case it is hard to pin down the source of the attack, because the web servers are vulnerable enough that a far smaller effort would suffice.
Andrew Jenkinson, CEO of British cybersecurity firm CIP, told The Pillar that he has been trying to warn the Holy See of its cybersecurity vulnerabilities since at least 2020.
Jenkinson showed The Pillar an analysis of the Vatican’s critical servers, which were flagged as insecure, and said the DNS (Domain Name System) was exposed.
“When we tried to assist in 2020 and 2021, over 90% of their websites were showing as Not Secure. There is no excuse for such basic security failures,” Jenkinson told The Pillar.
Jenkinson believes that such vulnerabilities make it hard to know the source of the attacks, as an attacker would not need to mount a large-scale operation to execute them.
Jenkinson had been warning the Vatican about its cybersecurity issues since 2020. That same year, Insikt Group, the research arm of the U.S.-based cybersecurity company Recorded Future, published a report describing “a cyberespionage campaign [against the Vatican] attributed to a suspected Chinese state-sponsored threat activity group,” which it referred to as RedDelta.
In an apparent response to previous attacks, in July 2024 the Directorate of Security and Civil Protection Services of the Governatorate of the Vatican and the Italian Agency for National Cybersecurity (ACN) signed a Memorandum of Understanding on the exchange of information, training activities and cybersecurity projects to enhance technical and scientific skills and expertise in the prevention of cyber-crime risk.
However, Jenkinson believes that the Vatican continued to act with negligence.
“These websites are not secure, which means they can be easily hacked. The Vatican unknowingly have back doors into their websites and totally ignored what I told them over 4 years ago,” Jenkinson told The Pillar.
“DDoS attacks exploit DNS and the Vatican’s DNS records and servers are totally exposed,” he added. “We must stop letting organisations play the victim when their clear negligence enables and facilitates cybercrime. They are all but complicit.”
A professional hacker who wished to remain anonymous told The Pillar that DDoS attacks are relatively common.
“I cannot discard that this could come from a government or a criminal group, but I would take it with a grain of salt. Anyone with enough resources can execute a DDoS attack, especially if the Vatican’s servers are so vulnerable,” he said.
“One of the most basic protections for a DNS is usually an intermediary between the website you access and the server, so this intermediary ‘changes’ and does not directly show the address of the server. Cloudflare is perhaps the most famous intermediary service provider,” he added.
However, according to various cybersecurity experts contacted by The Pillar, the Vatican’s servers had no such intermediary in front of them: their DNS records pointed straight at the origin servers, which makes such an attack considerably simpler.
“If the Vatican had protected its DNS, it would be quite likely that such an attack could only be conducted by an intelligence agency or a criminal group, because it’s way more complex to execute,” the hacker added.
“If the DNS is exposed, namely, if it does not have these intermediaries, then with simple requests you have access to the address of the server and can orchestrate an attack, even with only basic equipment,” he said.
Once the DNS gives away the origin server’s address, all a cybercriminal needs to conduct an attack is a set of machines that automatically send requests to that address until the website stops responding.
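The “simple requests” the hacker refers to are ordinary DNS lookups: if a site’s A and AAAA records resolve to the origin servers rather than to a CDN or reverse-proxy provider such as Cloudflare, the origin address is public and can be flooded directly. The following is an added example, not code from The Pillar, CIP or the Vatican, covering both the intermediary check described above and the exposed-DNS scenario in the preceding paragraphs. The records are constructed to mimic `dig +short` output for a hypothetical zone `example.va`, and `CDN_PREFIXES` is a small sample of Cloudflare’s published ranges included as an assumption; in practice the provider’s current list should be fetched.

```python
"""Check whether a zone's public records expose the origin servers.

Added example, not code from The Pillar, CIP or the Vatican. The records are
constructed to mimic `dig +short` output for a hypothetical zone example.va;
CDN_PREFIXES is a small sample of Cloudflare's published ranges, included as
an assumption: in practice fetch the provider's current list.
"""
import ipaddress
from collections import defaultdict

# Sample CDN/anycast prefixes (assumption: subset of Cloudflare's published list)
CDN_PREFIXES = [ipaddress.ip_network(p) for p in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17", "2606:4700::/32",
)]

# Constructed records for a hypothetical zone, as (name, type, value).
SAMPLE_RECORDS = [
    ("www.example.va", "A", "104.16.10.20"),       # fronted by the CDN
    ("www.example.va", "AAAA", "2606:4700:10::1"), # fronted (v6)
    ("example.va", "A", "203.0.113.15"),           # apex points straight at origin
    ("mail.example.va", "A", "203.0.113.25"),      # mail host in the same origin network
    ("api.example.va", "AAAA", "2001:db8::1"),     # v6 origin, not fronted
    ("example.va", "MX", "10 mail.example.va."),   # not an address record
]


def is_fronted(ip_str, prefixes=CDN_PREFIXES):
    """True if the address sits inside one of the CDN prefixes."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in prefixes)


def assess_zone(records, prefixes=CDN_PREFIXES):
    """Return {name: "fronted" | "exposed"} for every name with A/AAAA records.

    A name is "exposed" if *any* of its address records is outside the CDN
    ranges: an attacker needs only one reachable origin address.
    """
    addresses = defaultdict(list)
    for name, rtype, value in records:
        if rtype in ("A", "AAAA"):
            addresses[name].append(value)
    return {
        name: "fronted" if all(is_fronted(a, prefixes) for a in addrs) else "exposed"
        for name, addrs in addresses.items()
    }


def exposed_targets(records, prefixes=CDN_PREFIXES):
    """List the (name, address) pairs an attacker could hit directly, plus the
    origin networks they reveal: a fronted www is little help if the apex or
    the mail host gives away the same /24 (or /64 for IPv6)."""
    targets = sorted(
        (name, value) for name, rtype, value in records
        if rtype in ("A", "AAAA") and not is_fronted(value, prefixes)
    )
    networks = sorted({
        str(ipaddress.ip_network(f"{addr}/{64 if ':' in addr else 24}", strict=False))
        for _, addr in targets
    })
    return targets, networks


if __name__ == "__main__":
    print(assess_zone(SAMPLE_RECORDS))
    print(exposed_targets(SAMPLE_RECORDS))
```

Two caveats a practitioner would add. First, an intermediary only helps if the origin itself refuses traffic that does not arrive through the provider (for example by allowing only the CDN’s ranges at the firewall); otherwise any leaked or historical origin address lets an attacker bypass the proxy entirely. Second, the check above is about address records; the authoritative name servers for the zone are a separate target, and if they are overwhelmed the site is unreachable even with a perfectly fronted origin.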
“Here, understand computer in the broad sense: basically anything with an internet connection. There have been cyberattacks in which compromised smart fridges were used. You don’t really need to have all these computers yourself, but many hackers infect other computers with viruses to use them as ‘zombies’ to make these requests in a coordinated manner. The owner of the computer being hacked to make the requests wouldn’t even notice; perhaps he’d think his computer is slightly slow, but that’s it,” he said.
“So, this needs some preparation and sophistication, but it isn’t really rocket science,” he added.
Asked what would be needed to launch such an attack, the hacker said: “Just computers to make the requests. The hardest part here is to know how many requests you need to crash the website. The attacker usually doesn’t know, because it depends on the technical features of the victim’s servers. This is why these attacks happen when you’ve compromised hundreds of thousands or millions of computers for the attack.”
“Usually very basic servers can crash with 1,000-2,000 requests, which is something you can achieve with less than 100 computers,” he added.
“Now, I don’t really know the specifics of the Vatican’s servers, but I wouldn’t think it’s that sophisticated if it doesn’t even have an intermediary.”
Neither the Vatican press office nor the Gendarmerie could be reached for comment by the time of publication.