Cyber Incident Victim: Comune di Gorizia

Date: Aug 2022

Location: Italy

Summary

The Municipality of Gorizia experienced a ransomware attack attributed to the LockBit 3.0 group, disrupting its IT systems and causing a temporary blackout. Critical services such as electronic ID issuance and address changes were partially restored because they relied on connections to external servers, while certification services remained blocked. The attackers demanded payment, threatening to publish stolen data online. Local authorities engaged the Postal Police (Polizia Postale) to investigate and warned citizens about heightened cyber risks, advising vigilance against suspicious emails. Technical teams worked to restore the remaining services amid operational disruptions affecting both residents and municipal staff.

Description

On the night between August 28 and 29, 2022, the Municipality of Gorizia experienced a severe disruption to its IT systems, later confirmed as a ransomware attack. Technicians investigating the blackout discovered a message from the LockBit 3.0 ransomware group on the compromised servers, demanding payment to prevent the publication of stolen municipal data. The attackers issued a nine-day ultimatum for compliance, threatening to release sensitive information publicly if their demands went unmet. The incident caused immediate operational paralysis across multiple municipal services, though critical systems linked to external infrastructure, such as those supporting electronic ID card issuance and address change processing, sustained only limited disruption. The attack encrypted portions of the internal network, rendering certification services and other locally hosted applications inaccessible.

Municipal authorities promptly engaged the Postal Police (Polizia Postale) to investigate the breach while technicians prioritized service restoration. Within 24 hours of detection, officials partially restored electronic ID services and address change functionalities by leveraging unaffected external servers. Certification services remained inoperable due to their reliance on compromised internal systems. The mayor publicly confirmed the attack on August 29, characterizing it as a grave incident while assuring citizens that recovery efforts were underway. No confirmation emerged regarding whether ransom negotiations occurred or whether data was ultimately published. The municipality advised heightened vigilance against phishing attempts and suspicious emails, reflecting broader concerns about escalating cyber threats in the region. Service restoration timelines for remaining affected systems were not publicly disclosed beyond the initial partial recovery.
