Cyber Incident Victim: Office of the Bulgarian President

Date: Oct 2022

Location: Bulgaria

Summary

A pro-Russian hacking group known as Killnet launched a distributed denial-of-service (DDoS) attack targeting the presidential administration and other government institutions, briefly disrupting websites and causing lingering performance issues. The attackers claimed the assault was retaliation for a perceived betrayal of Russia and alleged weapons supplies to Ukraine, though officials clarified the country had not provided its own weaponry. While no sensitive data was compromised, Bulgarian authorities condemned the incident as an attack on the state and identified a suspect in Russia, though extradition was deemed unlikely. Cybersecurity experts linked Killnet’s activities to Russian intelligence objectives, noting the group typically targets nations supporting Ukraine and aims to undermine institutional trust through disruptive but non-destructive cyber operations.

CIA Posture: Available to members

Motives: 2 motives

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

On October 15, 2022, a large-scale distributed denial-of-service (DDoS) attack disrupted multiple Bulgarian government websites, including those of the presidential administration, the Defense Ministry, the Interior Ministry, the Justice Ministry, and the Constitutional Court. The pro-Russian hacking group Killnet claimed responsibility for the attack via its Telegram channel, stating it was punishment for Bulgaria’s alleged "betrayal to Russia" and its supply of weapons to Ukraine. The attack temporarily rendered the targeted websites inaccessible before access was partially restored, though services remained slower than usual according to local reports. Killnet framed the incident as a sentencing of Bulgaria’s government to "network collapse and shame," consistent with its broader pattern of disruptive but non-destructive operations aimed at generating media attention and eroding trust in state institutions. The group had previously executed similar DDoS campaigns against government networks in Romania, Italy, Lithuania, Norway, Poland, Finland, and Latvia since Russia’s invasion of Ukraine earlier that year.

Bulgarian authorities confirmed the attack caused no data breaches or permanent damage but prompted strong official condemnation. Prosecutor-General Ivan Geshev characterized it as "a serious problem" and "an attack on the Bulgarian state." Deputy Chief Prosecutor Borislav Sarafov announced that Bulgaria’s cybersecurity agency had identified a suspect residing in Magnitogorsk, Russia, and would seek extradition, though he acknowledged low expectations of Russian cooperation. Cybersecurity expert Yavor Kolev assessed that Killnet likely operated under Russian intelligence direction, noting that such groups "cannot act independently" in Russia’s political environment. The attack occurred despite Bulgaria’s historically close ties to Russia and its refusal to directly supply weapons to Ukraine, though the country had provided humanitarian aid, heavy weapons repairs, and asylum to Ukrainian refugees. Kolev suggested Bulgaria’s inclusion in Killnet’s targeting of over 50 nations reflected its heightened political engagement rather than substantive military support for Ukraine.
