The Internet of Medical Things (IoMT)

Italy targeted by multiple adversaries, new APT operations, latest developments in cybercrime

 View all
Cybersecurity

Operation Eastwood strikes NoName057(16), but does not stop him

Threat Discovery Telsy TS WAY Cyber Threat Intelligence

Threat Discovery is an editorial space dedicated to in-depth analysis in the field of global cyber threat intelligence.

The information reported is the result of the collection and analysis work carried out by the Threat Intelligence & Response team at Telsy for the TS-Intelligence platform.

Between July 14 and 17, 2025, Operation Eastwood was carried out against the pro-Russian hacktivist collective Noname057(16).

The operation was conducted with the coordination of Europol and Eurojust, the support of ENISA, and the contribution of authorities from France, Finland, Germany, Italy, Lithuania, the Netherlands, Poland, the Czech Republic, Spain, Sweden, Switzerland, and the United States. The investigations were also supported by Belgium, Canada, Denmark, Estonia, Latvia, Romania, and Ukraine. Technical assistance was provided by the nonprofit Shadowserver Foundation and the independent cyber threat intelligence project abuse[.]ch.

 

Operation Figures and Measures

Telsy_Europol contro NoName_numeriThe figures reported in Europol’s press release are as follows:

  • 2 arrests (one preliminary arrest in France and one in Spain)
  • 7 arrest warrants issued (6 by Germany and 1 by Spain)
  • 24 house searches (2 in the Czech Republic, 1 in France, 3 in Germany, 5 in Italy, 12 in Spain, 1 in Poland)
  • 13 individuals questioned (2 in Germany, 1 in France, 4 in Italy, 1 in Poland, 5 in Spain)
  • Over 1,000 supporters, including 15 administrators, were notified of their legal liability via a messaging app
  • Over 100 servers taken down worldwide

Italy participated through investigations conducted by the National Cybercrime Centre for the Protection of Critical Infrastructure (CNAIPIC), together with the Operational Centers of the Postal Police in Piedmont, Lombardy, Veneto, Friuli-Venezia Giulia, Emilia-Romagna, and Calabria, which contributed to the identification of five individuals believed to be affiliated with the collective.

The identities of five wanted individuals, reported by Germany, are listed on the eumostwanted[.]eu portal and the website of the German Bundeskriminalamt – BKA (Federal Criminal Police Office):

Telsy_Europol contro NoName_wanted

  • Andrey Muravyov (aka DaZbastaDraw): suspected of providing graphic materials, significantly contributing to the group’s visual design.
  • Maxim Nikolaevich Lupin (aka s3rmax): suspected of holding a senior position within the group, including the development of software for strategic pre-target reconnaissance and attack software.
  • Olga Evstratova (aka olechochek): suspected of being responsible for further optimizing the DDoSia attack software.
  • Mihail Evgenyevich Burlakov (aka darkklogo): suspected of playing a key role in the group, developing software for strategic target identification and attack, and managing payments for server leasing.
  • Andrej Stanislavovich Avrosimow (aka ponyashka): suspected of downloading the DDoSia attack software and significantly increasing the load of individual DDoS attacks by renting servers.

 

Claims of Responsibility

From August 2024 to mid-July 2025, the collective claimed nearly 4,500 DDoS attacks against targets in Ukraine and its allies, also impacting EU entities such as the European Economic and Social Committee, the European Bank for Reconstruction and Development, and several NATO organizations. Italian targets were hit more than 360 times. As usual, some websites were targeted multiple times, even weeks apart.

Countries targeted—besides Ukraine and Italy—include Australia, Austria, Belgium, Canada, South Korea, Denmark, Finland, France, Germany, Japan, India, Israel, Latvia, Lithuania, Norway, Netherlands, Poland, the United Kingdom, Czech Republic, Spain, Sweden, Switzerland, Taiwan, and the USA.

Among Italian victims were ministries, police forces and other defense-related entities, regional and municipal authorities, port authorities, airports, major industrial companies, banks, telecom providers, utility operators, and more.

DDoS attack claims continued during Operation Eastwood, with the publication of target lists from Italy (municipalities, ministries, telcos) and Germany (defense/military organizations), and even in the days immediately following.

The only exception was Wednesday, July 16, when Noname057(16) claimed to have gained access to two German infrastructures: the Federal Agency for Technical Relief (Technische Hilfswerk – THW) and drone manufacturer Quantum Systems.

 

The new Manifesto and retaliation

Telsy_Europol contro NoName_manifestoIn the days following July 17, claims temporarily ceased. However, they resumed on Wednesday, July 23, targeting Italy again after the collective published a Manifesto in Russian and English via their Telegram channels. In the text, Noname057(16) strongly reaffirms its motivations: defending Moscow’s interests against the specter of Nazism haunting Europe and opposing the deceitful, power-hungry Western elites.

The group also declares its allegiance to the values of:

Internationalism (“we strongly believe in the greatness of Russia on the international stage”)

Unity (“‘Russian’ is now an ideology. The ideology of a just world order and freedom”)

Brotherhood (“we will avenge every like-minded individual who has suffered due to the actions of authorities in countries hostile to Russia”)

Telsy_Europol contro NoName_bearThe Manifesto concludes with a call to arms to all “pro-Russian hackers” and “free shooters” who share the same mission.

The latest attacks are marked by hashtags such as #FuckEastwood, #OpGermany, #OpItaly, #OpEU, and #TimeOfRetribution. The latter explicitly calls for retaliation against anyone who has tried to oppose the collective.

 

TS-Intelligence

TS Intelligence_Telsy_Platform 2_LUG25This report was made possible with the support of TS-Intelligence, a proprietary, flexible, and customizable solution that provides organizations with a detailed risk landscape.

It is available as a web-based and full-API platform, designed to be integrated into the organization’s systems and defensive infrastructures, with the goal of enhancing protection against complex cyber threats.

The platform’s continuous research and analysis on threat actors and emerging online threats—whether APTs or cybercrime—produces a constant stream of exclusive intelligence, delivered in real time and structured into technical, strategic, and executive reports.

 

Discover more about our Intelligence services.