Cyber Incident Victim: Federal Public Service of the Interior
Date: Oct 2022
Location: Bulgaria
Summary
A pro-Russian hacking group conducted a distributed denial-of-service (DDoS) attack against multiple government websites, including key ministries, causing temporary disruptions and slowed functionality. The group Killnet claimed responsibility, alleging the incident was retaliation for the country’s provision of humanitarian aid and weapon repairs to Ukraine, which it framed as a betrayal of Russia. While no sensitive data was compromised, officials denounced the attack as targeting national sovereignty. Cybersecurity experts linked Killnet to Russian intelligence, noting its broader pattern of disrupting nations supporting Ukraine. Authorities identified an alleged hacker in Russia and initiated extradition efforts, though cooperation was deemed unlikely. The attack aimed to generate media attention and undermine public trust in state institutions.
Description
On October 15, 2022, a large-scale distributed denial-of-service (DDoS) attack disrupted multiple Bulgarian government websites, including those of the presidential administration, the Defense Ministry, the Interior Ministry, the Justice Ministry, and the Constitutional Court. The pro-Russian hacking group Killnet claimed responsibility for the attack via its Telegram channel, framing it as retaliation for Bulgaria’s perceived "betrayal to Russia" and its supply of weapons to Ukraine. The attack temporarily rendered the sites inaccessible, and though service was restored shortly afterward, the platforms experienced lingering performance issues, operating slower than usual. Bulgarian Prosecutor-General Ivan Geshev characterized the incident as "a serious problem" and "an attack on the Bulgarian state," though no sensitive data breaches or lasting infrastructural damage occurred. Killnet’s modus operandi involved overwhelming target websites with junk traffic to cause temporary outages, a tactic consistent with its broader campaign of symbolic disruptions aimed at generating media attention and eroding public trust in institutions.

Bulgarian authorities responded by initiating an investigation led by the country’s cybersecurity agency, which reportedly identified one attacker’s name and address in Magnitogorsk, Russia. Deputy Chief Prosecutor Borislav Sarafov announced Bulgaria’s intent to seek extradition but acknowledged low expectations of Russian cooperation. Cybersecurity expert Yavor Kolev asserted that Killnet likely operated under the direction of Russian intelligence agencies, noting that such groups "cannot act independently" in Russia’s political environment. The attack aligned with Killnet’s pattern of targeting European nations supporting Ukraine, though Bulgaria’s stance had been ambivalent—providing humanitarian aid and weapon repairs to Ukraine while refusing direct arms transfers. The incident underscored Bulgaria’s geopolitical tensions, with Kolev speculating that its heightened political engagement, rather than military support alone, may have triggered the attack. Despite its limited technical impact, the event amplified concerns about hybrid threats and the vulnerability of critical digital infrastructure to politically motivated disruptions.
