Cyber Incident Victim: Senato della Repubblica
Date:
May 2022
Location:
Italy
Summary
A pro-Russian cyber group known as Legion conducted distributed denial-of-service (DDoS) attacks against multiple Italian institutional targets, including the Senate, Ministry of Cultural Heritage, Foreign Affairs, and the High Council of the Judiciary, causing temporary disruptions to several websites. The attackers also mistakenly targeted a Korean agency selling Trenitalia tickets while aiming for Italian railway systems and later expanded their campaign to include airports in Milan, Bergamo, Rimini, Genoa, and Olbia. Collaborating with another cyber cell, Killnet, Legion focused on propaganda-driven operations rather than critical infrastructure damage, with cybersecurity experts assessing the attacks as disruptive but not severe, aimed at undermining public confidence in government services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
On May 19, 2022, at 23:54, the pro-Russian cyber group Legion launched a distributed denial-of-service (DDoS) attack campaign against Italian institutional websites, including the Senato della Repubblica (Senate of the Republic). The attack rendered the Senate's website temporarily inaccessible, as evidenced by a screenshot shared on Twitter by researcher Claudio Sono. Other initial targets included the Ministry of Cultural Heritage, Ministry of Foreign Affairs, and Superior Council of the Judiciary. By the morning of May 20, the State Police website—previously targeted in earlier attacks—remained accessible, while the Senate experienced intermittent downtime. The Ministry of Cultural Heritage restored service by 10:30 AM, and the Energy Regulatory Authority (ARERA) recovered by noon. Legion expanded its targets that afternoon to include Milan's Linate and Malpensa airports, along with airports in Bergamo, Rimini, Genoa, and Olbia, while erroneously listing a Korean agency selling Trenitalia tickets instead of the Italian rail operator.
Legion coordinated operations through a Russian-language Telegram channel established on April 28, recruiting volunteers and explicitly identifying as a Russian group. The attacks overloaded websites with traffic, causing temporary disruptions without persistent compromises. Critical infrastructure like Eni, TIM, and WindTre remained operational, though the Foreign Affairs Ministry, Superior Council of the Judiciary, and Verona Academy of Sciences experienced more severe outages. Cybersecurity expert Corrado Giustozzi characterized the attacks as "rather mild" and non-critical, attributing them to propaganda efforts rather than state-sponsored operations. Italy's Computer Security Incident Response Team (CSIRT) issued preventive measures against such attacks, while analysts noted Legion's loose affiliation with the cyber cell Killnet but dismissed direct ties to the Kremlin. The group had previously targeted NATO domains and the Eurovision voting system, employing similar DDoS tactics described by F5 researchers as increasingly large and complex.