Cyber Incident Victim: Czech Republic
Date:
Apr 2022
Location:
Czechia
Summary
A pro-Russian threat group known as Killnet conducted distributed denial-of-service attacks against multiple critical infrastructure entities in the Czech Republic, disrupting railway operations, airport services, and government portals. The group's actions targeted NATO-aligned nations supporting Ukraine, with additional unverified claims of attacks on defense departments, commercial banks, and airports in Poland, Germany, the U.K., Estonia, and the U.S. Czech authorities attributed the incidents to Russian hackers but confirmed no data theft occurred. Killnet publicly justified its campaign as retaliation against countries providing military aid or refuge to Ukrainians, aiming to inflict maximum damage on adversaries' network infrastructure. Cybersecurity agencies have flagged the group as an emerging threat actor with ties to Russian geopolitical interests.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In mid-April 2022, pro-Russian threat group Killnet launched distributed denial-of-service attacks against multiple Czech critical infrastructure entities amid the Russia-Ukraine conflict. The Czech National Cyber and Information Security Agency (NCISA) reported severe DDoS attacks beginning April 18 targeting government portals, transportation systems, and airports. Czech Railways experienced sustained disruptions to its "My Train" mobile application, online ticket sales, and connection-finding services from April 19 onward, forcing spokesperson Lukáš Kubát to publicly address the operational impacts. Karlovy Vary Airport detected an attack on April 20 that flooded servers with excessive queries, though CEO Alice Undus confirmed domestic website accessibility remained intact without compromising air traffic safety. Simultaneously, Pardubice Airport's entire web system failed during the attack, though operations continued unaffected pending third-party security reviews. The NCISA's own website became unreachable from outside the Czech Republic on April 20, prompting the agency to tweet mitigation recommendations while combating the incident. Czech Interior Minister Vít Rakušan attributed these coordinated attacks to Russian hackers during an April 20 press conference, emphasizing no data theft occurred despite significant service disruptions affecting public administration portals for multiple days.
Killnet publicly claimed responsibility through its Telegram channel, listing additional unverified Czech targets including Brno-Turany Airport, Ostrava Airport, defense departments, banks, and telecom providers. The group, first observed in January 2022, demonstrated pro-Russian alignment through propaganda videos and explicitly stated objectives to damage NATO members supporting Ukraine. U.S. cybersecurity authorities had previously linked Killnet to a March 2022 DDoS attack against Connecticut's Bradley International Airport, retaliation for American military aid to Ukraine. Beyond the Czech Republic, Killnet asserted broader attacks against Polish airports to disrupt weapons transfers, alongside unconfirmed strikes on German, British, and Estonian infrastructure. No NATO governments besides the Czech Republic officially validated these claims, though Czech authorities confirmed sustained DDoS attempts against critical national systems without endorsing specific attribution to Killnet. The incident highlighted operational impacts including multi-day portal outages, transportation system disruptions, and temporary airport website failures, though all entities maintained physical operations through manual redundancies and technical countermeasures.