Cyber Incident Victim: Milan Bergamo Airport
Date:
May 2022
Location:
Italy
Summary
A pro-Russian cyber group known as Legion conducted distributed denial-of-service (DDoS) attacks targeting multiple Italian institutional and corporate entities, including government ministry websites, the State Police portal, the Senate, airport sites, and energy/transportation organizations. While some targets like the Foreign Affairs Ministry and High Council of the Judiciary experienced significant downtime, others such as Eni and TIM remained operational; impacts included temporary disruptions to sites like the Cultural Heritage Ministry and State Police, with partial recoveries occurring within hours. The attacks, linked to the loosely organized Killnet collective, were characterized by cybersecurity experts as propagandistic noise rather than sophisticated state-sponsored operations, aiming to undermine public confidence through high-visibility disruptions to critical services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
On May 19, 2022, at 23:54, the pro-Russian cyber group Legion launched a distributed denial-of-service (DDoS) attack campaign against Italian institutional and corporate websites. The initial targets included the Ministry of Cultural Heritage, Ministry of Foreign Affairs, and Superior Council of the Judiciary, with some sites like the former Environment Ministry’s minambiente.it incorrectly listed—this domain redirected to the Ministry of Ecological Transition, which had previously faced cyber threats in April. By 9:50 AM on May 20, the State Police website—previously attacked by Legion—was accessible again, while the Senate site experienced temporary downtime evidenced by researcher Claudio Sono’s Twitter screenshot. Additional targets included Eni, TIM, WindTre, Court of Auditors, Ministry of Interior, Customs Agency, Ministry of Defense, and Federtrasporto association, though most corporate sites remained operational. The Ministry of Cultural Heritage restored service by 10:30 AM, followed by the Energy Regulatory Authority (ARERA) at noon. That afternoon, Legion expanded attacks to Milan’s Linate and Malpensa airports, Bergamo, Rimini, Genoa, and Olbia airports, while erroneously listing a Korean Trenitalia ticket reseller instead of the Italian rail operator.
Legion coordinated operations via a Russian-language Telegram channel established on April 28, recruiting volunteers and explicitly identifying as a Russian group. Early missions focused on NATO domains, later aligning with cyber cell Killnet, though cybersecurity expert Corrado Giustozzi characterized both as “loose organizations” unaffiliated with the Kremlin. Attacks employed volumetric DDoS techniques to overwhelm sites, which Giustozzi assessed as “rather bland” non-critical disruptions, citing the Eurovision voting system’s resilience against similar attempts. The Italian Computer Security Incident Response Team (CSIRT) issued preventative measures against such attacks, while F5 analysts noted increasing scale and complexity in global DDoS campaigns. Despite temporary outages at the Foreign Ministry, Superior Council of the Judiciary, and Verona Academy of Sciences, most services resumed within hours, with no reported data breaches or persistent compromises beyond service interruptions.