Cyber Incident Victim: Ministero della Difesa
Date: May 2022
Location: Italy
Summary
A pro-Russian cyber group known as Legion conducted distributed denial-of-service (DDoS) attacks against multiple Italian institutional targets, including government ministry websites, the State Police portal, the Senate, and several airports. The attacks temporarily disrupted access to sites such as the Foreign Affairs Ministry, the High Council of the Judiciary, and cultural heritage platforms, though most services were restored within hours. Legion coordinated operations via Telegram channels, recruiting volunteers to target entities like Eni, TIM, and WindTre, while also erroneously attacking a Korean agency linked to Trenitalia ticket sales. Security experts assessed these as low-criticality "noise attacks" aimed at propaganda rather than severe infrastructure damage, with ties to the loosely organized Killnet collective. Mitigation measures were advised by national cybersecurity authorities following the incidents.
Description
On May 19, 2022, at 23:54, the pro-Russian cyber group Legion initiated a distributed denial-of-service (DDoS) campaign against Italian institutional websites, announcing targets via Telegram. The initial wave impacted the Ministry of Cultural Heritage, Ministry of Foreign Affairs, and High Council of the Judiciary, with some sites experiencing immediate downtime. By 9:50 AM on May 20, the State Police website—previously attacked days earlier—regained accessibility, while the Senate site remained intermittently unreachable, as evidenced by researcher Claudio Sono’s Twitter documentation. Legion expanded its target list to include entities like Eni, TIM, WindTre, Court of Auditors, Ministry of Interior, Customs Agency, Ministry of Defense, and Federtrasporto, though many remained operational. The Ministry of Cultural Heritage recovered by 10:30 AM, followed by the Energy, Networks, and Environment Regulatory Authority (ARERA) at noon. That afternoon, Legion shifted focus to airport websites—Linate, Malpensa, Bergamo, Rimini, Genova, and Olbia—while erroneously listing a Korean agency reselling Trenitalia tickets, possibly intending to attack Italy’s rail operator.

The attacks overloaded sites with traffic, causing temporary disruptions but no prolonged outages. Targets like the Foreign Ministry, High Council of the Judiciary, and Verona-based Academy of Sciences faced heavier downtime. Legion coordinated via a Russian-language Telegram channel established April 28, aligning with Killnet, another emerging cyber group linked to Russian interests. Earlier operations included targeting NATO domains and the Eurovision voting system, though cybersecurity expert Corrado Giustozzi characterized these as "rather mild" and non-critical, dismissing Killnet/Legion as a loose autonomous entity rather than a direct Kremlin proxy. Giustozzi framed the incidents as "noise attacks" for propaganda purposes. Italy’s Computer Security Incident Response Team (CSIRT) issued preventative measures against such DDoS campaigns, reflecting growing concern over the increasing scale and complexity of these attacks, which F5 analysts noted in April 2022. No data breaches or permanent damage were reported across affected systems.
