
Cyber Incident Victim: Aeroporto di Genova-Sestri

Date:

May 2022

Location:

Italy

Summary

A pro-Russian cyber group known as Legion conducted distributed denial-of-service (DDoS) attacks targeting multiple Italian institutional websites and airports, including Genova-Sestri, alongside Milan's Linate and Malpensa, Bergamo, Rimini, and Olbia. The attacks temporarily disrupted access to several government sites, such as the Ministry of Foreign Affairs, the Superior Council of the Judiciary, and the Ministry of Cultural Heritage, though many targets like Eni, TIM, and the Defense Ministry remained operational. Legion coordinated via Telegram, recruiting volunteers and aligning with another group, Killnet, to launch these disruptive operations—described by cybersecurity experts as propaganda-driven rather than state-sponsored. The campaign also mistakenly targeted a Korean agency selling Trenitalia tickets and attempted to interfere with Eurovision voting systems, though impacts were assessed as non-critical. Italian authorities issued mitigation guidance to counter such attacks.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique

Threat Actors: 2 actors
Type: Available to members
Location: Available to members

Description

On May 19, 2022, at 23:54, the pro-Russian cyber group Legion initiated a coordinated distributed denial-of-service (DDoS) campaign against Italian institutional and corporate websites. The initial wave targeted the Ministry of Cultural Heritage, Foreign Affairs Ministry, High Council of the Judiciary, and the Academy of Sciences, with additional objectives including Eni, TIM, WindTre, Court of Auditors, Interior Ministry, Senate, Customs Agency, Defense Ministry, and Federtrasporto. Attackers published their target list via Telegram, though many sites like the State Police portal remained accessible by 09:50 on May 20 despite prior disruptions. The Senate website experienced temporary inaccessibility, evidenced by researcher Claudio Sono’s Twitter screenshot. By 10:30, the Ministry of Cultural Heritage restored service, followed by the Energy Regulatory Authority (ARERA) at noon. The group exploited outdated domains like minambiente.it, redirecting to the current Ministry of Ecological Transition’s site—previously threatened in April.

The attacks expanded on the afternoon of May 20 to include Milan’s Linate and Malpensa airports, alongside Bergamo, Rimini, Genova-Sestri, and Olbia airports. Legion erroneously listed a Korean agency reselling Trenitalia tickets, possibly intending to strike Italy’s rail operator. DDoS tactics overwhelmed sites with traffic, though impacts varied: the Foreign Ministry, High Council of the Judiciary, and Academy of Sciences sustained heavier downtime compared to resilient targets like the Defense Ministry. Italy’s Computer Security Incident Response Team (CSIRT) disseminated mitigation guidelines, while cybersecurity expert Corrado Giustozzi characterized the assaults as “propaganda” rather than critical infrastructure threats, noting Killnet’s loose affiliation with Legion and dismissing Kremlin sponsorship theories. The operations mirrored prior disruptions to NATO and Eurovision voting systems, which Giustozzi deemed “relatively mild.” Legion’s Telegram recruitment channel, active since April 28, conducted Russian-language operations openly aligning with Russian interests, though tactical execution suggested autonomous hacktivist activity rather than state-directed cyber warfare.

Sources
1 source