Cyber Incident Victim: Federtrasporto

Date: May 2022

Location: Italy

Summary

A pro-Russian cyber group known as Legion conducted distributed denial-of-service (DDoS) attacks targeting multiple Italian institutional and corporate websites, including a transport sector association. The attacks temporarily disrupted access to several government sites such as the Foreign Ministry, the Superior Council of the Judiciary, and the State Police portal, though many targets remained operational. The group expanded its focus to include major airports and energy infrastructure later in the incident. Security experts assessed these attacks as primarily disruptive rather than critically damaging, characterizing them as propaganda efforts linked to broader geopolitical tensions. Legion coordinated operations through Telegram channels and demonstrated connections to another cyber collective called Killnet, though analysts indicated the groups likely operated independently from direct state control.

Description

On May 19, 2022, at 23:54, the pro-Russian cyber group Legion initiated a distributed denial-of-service (DDoS) campaign against Italian institutional and corporate websites. The attack targeted multiple entities simultaneously, including the Ministry of Cultural Heritage, Ministry of Foreign Affairs, Superior Council of the Judiciary, State Police website, Senate, Corte dei Conti, Ministry of Interior, Customs Agency, Ministry of Defense, and industry association Federtrasporto. Corporate targets included Eni, TIM, and WindTre, though these remained operational. By May 20, the Ministry of Foreign Affairs, Superior Council of the Judiciary, and Verona-based Academy of Sciences experienced significant downtime, while the Ministry of Cultural Heritage restored service by 10:30 AM and ARERA (Energy Regulatory Authority) by noon. That afternoon, Legion expanded attacks to Milan's Linate and Malpensa airports, Bergamo, Rimini, Genoa, and Olbia airports, while mistakenly targeting a Korean agency selling Trenitalia tickets instead of the Italian rail operator.

The attacks overloaded websites with traffic, causing intermittent outages. Legion coordinated operations through a Russian-language Telegram channel established April 28, recruiting volunteers and explicitly identifying as a Russian group. The group previously targeted NATO domains and Eurovision's voting system, though cybersecurity expert Corrado Giustozzi characterized these as "rather mild" propaganda efforts lacking state-actor sophistication. Legion maintained loose affiliations with the emergent Killnet collective, another Russia-aligned cyber group. Italy's Computer Security Incident Response Team (CSIRT) issued preventative guidance against such attacks, noting their increasing scale and complexity per F5 cloud services analysis. While most targeted sites resumed functionality within hours, the campaign demonstrated persistent targeting of Italian infrastructure amid geopolitical tensions following Russia's invasion of Ukraine, with attacks aimed at undermining public trust in critical services.
