
Cyber Incident Victim: Bulgarian Defense Ministry

Date: Oct 2022

Location: Bulgaria

Summary

The pro-Russian hacking group Killnet launched a distributed denial-of-service (DDoS) attack against multiple Bulgarian government websites, including that of the Defense Ministry, briefly disrupting access and causing prolonged slowdowns. The group claimed responsibility via Telegram, framing the attack as retaliation for Bulgaria's alleged betrayal of Russia through military support to Ukraine, though officials clarified that no domestic weaponry was supplied. Bulgarian authorities identified a suspect in Russia but deemed extradition unlikely, while cybersecurity experts linked Killnet to Russian intelligence operations. The incident, part of a broader campaign targeting nations aiding Ukraine, aimed to undermine institutional trust but caused no data breaches or lasting technical damage.

Description

On October 15, 2022, a distributed denial-of-service (DDoS) attack disrupted multiple Bulgarian government websites, including those of the presidential administration, the Defense Ministry, the Interior Ministry, the Justice Ministry, and the Constitutional Court. The attack, described as "large-scale" by Bulgaria’s Prosecutor-General Ivan Geshev, temporarily rendered these sites inaccessible before access was partially restored, though they continued operating at reduced speeds. The pro-Russian hacking group Killnet claimed responsibility for the attack via its Telegram channel, framing it as retaliation for Bulgaria’s alleged "betrayal to Russia" and its provision of weapons to Ukraine. Killnet declared the Bulgarian government "sentenced to network collapse and shame," aligning with its pattern of high-visibility DDoS campaigns targeting European nations supporting Ukraine. The attack inundated the sites with junk traffic, a hallmark of Killnet’s operations, but caused no permanent damage or data breaches. Bulgarian authorities confirmed the incident as a short-term disruption with no compromise of sensitive information.

Bulgarian Deputy Chief Prosecutor Borislav Sarafov announced that the country's cybersecurity agency had identified one attacker, a resident of Magnitogorsk, Russia, and would seek extradition, though he acknowledged Russia's likely non-cooperation. Prosecutor-General Geshev condemned the incident as "a serious problem" and "an attack on the Bulgarian state," reflecting official concern over the attack. Cybersecurity expert Yavor Kolev asserted that Killnet likely operates under Russian intelligence direction, noting that such groups "cannot act independently" in Russia's political environment. Despite Killnet's accusations of weapon shipments, Bulgaria had only provided humanitarian aid, asylum for refugees, and repairs for Ukrainian heavy equipment, explicitly refusing to supply its own arms. The attack aligned with Killnet's broader campaign against over 50 nations, particularly those backing Ukraine, with Bulgaria's increased political engagement cited as a potential catalyst. The incident underscored the persistent threat of DDoS attacks as tools for psychological impact and institutional destabilization.
