A Vatican website crash last week bears the hallmarks of a cyberattack, security experts say, highlighting the Vatican’s online exposure to the prospect of interference from malicious actors.
Most of the Vatican’s website crashed Nov. 19, and remained unavailable for several days in some parts of the world.
While the Vatican has not confirmed the origin of the issue, Vatican spokesman Matteo Bruni indicated over the weekend that Vatican officials themselves suspect an attack on their web servers.
Bruni said over the weekend that there was an “abnormal number of interactions” on the servers, which, in combination with the countermeasures used, led to the current issues on the servers.
Experts believe that the abnormal number of interactions is consistent with a DDoS attack, although the source of such an attack is unclear. At the Vatican, some have suspected that a cyberattack might have been timed to coincide with the Nov. 20 Vatican visit of Ukraine’s First Lady Olena Zelenska.
If the site crash was a cyberattack, it would be the latest in a long series of politically motivated cyberattacks against the Vatican.
In 2015, the Vatican’s website and the personal data of Vatican Radio journalists were hacked twice by the hacking group Anonymous.
In 2018, both the Vatican and the Diocese of Hong Kong were targeted by RedDelta, a hacking group believed to be backed by the Chinese regime, ahead of talks to renew a provisional agreement on episcopal appointments.
In 2022, the Vatican’s website went down a day after the Pope criticized Russia’s invasion of Ukraine.
Theresa Payton, a former White House technology director, told The Pillar this week that the Vatican’s remarks on the subject indicate what kind of attack might have disabled the site.
“The phrase ‘abnormal number of interactions’ strongly hints at automated bot activity, which may include a distributed denial-of-service (DDoS) attack aimed at overwhelming the Vatican’s servers,” said Payton, who is CEO of Fortalice Solutions and was White House chief information officer between 2006 and 2008.
“This kind of disruption could be a ruse to conduct a separate physical or digital attack,” she explained.
A DDoS attack works by automatically directing a large number of requests at a server until it can no longer respond. Cybersecurity experts usually compare it to a phone line receiving so many calls at once that no legitimate call can get through.
“Another possibility is they may have observed a surge in failed login attempts, possibly from brute-force bot attacks, which aim to crack passwords and gain unauthorized access,” Payton added.
DDoS attacks are usually carried out by networks of bots whose sheer volume of requests brings a server down. The goal is not to access private information but simply to take a website offline so that legitimate users cannot reach it.
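As an added illustration (not from The Pillar’s reporting or from any Vatican system), the following Python script shows how a defender reading ordinary web-server logs would tell apart the two bot patterns Payton describes: a volumetric flood from many sources versus a surge of failed logins. The log lines, IP addresses and baseline request rate are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined-log-format fields we need: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse(lines):
    """Turn raw log lines into (timestamp, ip, path, status) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((ts, m["ip"], m["path"], int(m["status"])))
    return events

def classify(events, baseline_rps=2.0, login_path="/login"):
    """Label one batch of events. baseline_rps is the site's normal load (assumed value)."""
    if not events:
        return "no-data"
    times = [e[0] for e in events]
    span = max((max(times) - min(times)).total_seconds(), 1.0)   # avoid division by zero
    rps = len(events) / span
    sources = Counter(e[1] for e in events)
    failed_logins = sum(1 for e in events if e[2] == login_path and e[3] in (401, 403))
    if failed_logins > len(events) / 2:
        return "brute-force-logins"        # mostly rejected logins: credential attack, not a flood
    if rps > 10 * baseline_rps:
        # Many distinct sources each sending little is the distributed (botnet) pattern.
        return "distributed-flood" if len(sources) > len(events) / 2 else "single-source-flood"
    return "normal"

# --- constructed sample traffic (documentation address ranges, not real logs) ---
T0 = datetime(2024, 11, 19, 9, 0, 0, tzinfo=timezone.utc)

def line(ip, seconds, path="/", status=200):
    ts = (T0 + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

NORMAL = [line(f"198.51.100.{i % 3}", i * 5) for i in range(6)]          # 6 hits in 25 s
FLOOD = [line(f"203.0.113.{i % 250}", i / 100) for i in range(200)]      # 200 sources in ~2 s
BRUTE = [line("192.0.2.7", i, "/login", 401) for i in range(40)] + NORMAL  # one host hammering /login
```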
“Usually, DDOS attacks are from either nation-states or organized criminal gangs that operate with their blessing. With AI tools, DDOS attacks could be done by non-affiliated hackers if they were sophisticated,” Charles Brooks, a former DHS official and professor of cybersecurity at Georgetown University, told The Pillar.
Brooks led a group of Catholic cybersecurity experts that urged the Holy See to create a ‘Vatican Cyber Security Authority’ in May 2023, citing concerns about weaknesses in the Vatican’s digital infrastructure.
Although DDoS attacks are usually large-scale operations, many experts believe that in the Vatican’s case the source is hard to pin down because of how vulnerable the web servers are.
Andrew Jenkinson, CEO of British cybersecurity firm CIP, told The Pillar that he has been trying to warn the Holy See of their cybersecurity vulnerabilities since at least 2020.
Jenkinson showed The Pillar an analysis of the Vatican’s critical servers, which were flagged as insecure, and said its DNS (Domain Name System) was exposed.
“When we tried to assist in 2020 and 2021, over 90% of their websites were showing as Not Secure. There is no excuse for such basic security failures,” Jenkinson told The Pillar.
Jenkinson believes that such vulnerabilities mean that it is hard to know the source of the attacks, as the attacker would not need to mount a large-scale operation to execute the attack.
Jenkinson had warned the Vatican about its cybersecurity issues since 2020, the same year in which Insikt Group, the research arm of the U.S.-based cybersecurity company Recorded Future, published a report calling out "a cyberespionage campaign [against the Vatican] attributed to a suspected Chinese state-sponsored threat activity group," which it referred to as RedDelta.
In an apparent response to previous attacks, in July 2024, the Directorate of Security and Civil Protection Services of the Governatorate of the Vatican and the Italian Agency for National Cybersecurity (ACN) signed a Memorandum of Understanding on the exchange of information, training activities and cyber security projects to enhance technical and scientific skills and expertise in the prevention of cyber-crime risk.
However, Jenkinson believes that the Vatican continued to act with negligence.
“These websites are not secure, which means they can be easily hacked. The Vatican unknowingly has back doors into its websites and totally ignored what I told them over 4 years ago,” Jenkinson told The Pillar.
“DDoS attacks exploit DNS and the Vatican’s DNS records and servers are totally exposed,” he added. “We must stop letting organisations play the victim when their clear negligence enables and facilitates cybercrime. They are all but complicit.”
A professional hacker who wished to remain anonymous told The Pillar that DDoS attacks are relatively common.
“I cannot discard that this could come from a government or a criminal group, but I would take it with a grain of salt. Anyone with enough resources can execute a DDoS attack, especially if the Vatican’s servers are so vulnerable,” he said.
“One of the most basic protections for a DNS is usually an intermediary between the website you access and the server so this intermediary ‘changes’ and does not directly show the address of the server. Cloudflare is perhaps the most famous intermediary service provider,” he added.
However, according to various cybersecurity experts contacted by The Pillar, the Vatican’s servers did not have any intermediary protecting their DNS, making such an attack far simpler.
“If the Vatican had protected its DNS, it would be quite likely that such an attack could only be conducted by an intelligence agency or a criminal group because it’s way more complex to execute,” the hacker added.
“If the DNS is exposed, namely, if it does not have these intermediaries, then, with simple requests you have access to the address of the server and orchestrate an attack, even with only basic equipment,” he said.
Once the DNS is exposed, all a cybercriminal needs to conduct an attack is a set of computers that automatically send requests until the website crashes.
“Here, understand computer in the broad sense: basically anything with an internet connection. There have been cyberattacks in which compromised smart fridges were used. You don’t really need to have all these computers yourself, but many hackers infect other computers with viruses to use them as ‘zombies’ to make these requests in a coordinated manner. The owner of the computer being hacked to make the requests wouldn’t even notice, perhaps he’d think his computer is slightly slow, but that’s it,” he said.
“So, this needs some preparation and sophistication, but it isn’t really rocket science,” he added.
Asked what would be needed to launch such an attack, the hacker said, “Just computers to make the requests. The hardest part here is to know how many requests you need to crash the website. The attacker usually doesn’t know because it depends on the technical features of the victim’s servers. This is why these attacks happen when you’ve compromised hundreds of thousands or millions of computers for the attack.”
“Usually very basic servers can crash with 1000-2000 requests, which is something you can achieve with less than 100 computers,” he added.
“Now, I don’t really know the specifics of the Vatican’s servers, but I wouldn’t think it’s that sophisticated if it doesn’t even have an intermediary.”
Neither the Vatican press office nor the Gendarmerie could be reached for comment by the time of publication.