Cyber Incident Victim: Czech Republic
Date: Apr 2022
Location: Czechia
Summary
A pro-Russian threat group known as Killnet conducted distributed denial-of-service attacks against multiple Czech critical infrastructure entities, disrupting online operations of railways, airports, and government portals. The attacks caused significant service outages, including ticket sales disruptions and website unavailability, though no data theft occurred. The group explicitly targeted nations supporting Ukraine amid the Russia-Ukraine conflict, with Czech authorities attributing the attacks to Russian hackers. Killnet claimed responsibility for these incidents via Telegram channels and expanded its campaign to include unverified attacks on additional airports, defense departments, and telecommunications providers within the country. The group also asserted broader DDoS operations against NATO allies including Poland, Germany, the UK, and Estonia, though these claims lacked official confirmation.
Description
In mid-April 2022, multiple Czech critical infrastructure entities experienced distributed denial-of-service (DDoS) attacks that disrupted online services. The Czech National Cyber and Information Security Agency (NÚKIB) reported severe DDoS attacks beginning earlier that week against several high-profile targets. Czech Railways faced significant operational disruptions, with outages affecting their "My Train" mobile application starting Tuesday, April 19, followed by failures in online ticket sales and connection-finding tools. On Wednesday, April 20, both Karlovy Vary Airport and Pardubice Airport suffered DDoS attacks that disabled their web systems; Karlovy Vary's website remained accessible domestically but experienced foreign access issues, while Pardubice's entire web infrastructure failed. The Czech public administration portal also became non-operational for multiple days due to these attacks. NÚKIB's official website was targeted on Thursday, April 21, rendering it inaccessible from outside the country. No data theft or compromise of citizen information occurred during these incidents, and all affected organizations confirmed the attacks did not impact physical safety or core transportation operations.

Czech Interior Minister Vít Rakušan publicly attributed the attacks to Russian hackers during an April 20 press conference, though he did not name specific threat actors. Subsequent monitoring of Telegram channels by cybersecurity analysts revealed that the pro-Russian group Killnet claimed responsibility for all Czech attacks through posts in their recently created Telegram channel. Killnet expanded its claims to include unverified attacks on Brno-Turany Airport, Ostrava Airport, Prague International Airport, and Czech defense, banking, telecommunications, and hosting entities. The group, which emerged in January 2022, explicitly stated its objective to inflict maximum damage on the network infrastructure of countries opposing Russia in the Ukraine conflict. U.S. Cybersecurity and Infrastructure Security Agency (CISA) advisories confirmed Killnet's involvement in a March 2022 DDoS attack against Bradley International Airport in Connecticut, linking it to retaliation for Western support of Ukraine. Beyond the Czech Republic, Killnet asserted broader campaigns against NATO members Poland, Germany, the U.K., and Estonia—including claims of targeting eight Polish airports to disrupt weapons transfers to Ukraine—though no national authorities independently verified these additional incidents. Czech entities implemented technical mitigations recommended by NÚKIB while maintaining physical operations throughout the cyber disruptions.
