Cyber Incident Victim: Ministero degli Affari Esteri

Date: May 2022

Location: Italy

Summary

A pro-Russian cyber group known as Legion conducted distributed denial-of-service (DDoS) attacks against multiple Italian institutional websites, including the Ministry of Foreign Affairs and International Cooperation, the High Council of the Judiciary, and the Ministry of Cultural Heritage, causing temporary disruptions to several targets. The attacks also extended to airports, energy regulators, and commercial entities, though many sites remained operational. Legion coordinated via Telegram channels, recruiting volunteers to overwhelm sites with traffic, and was linked to another group called Killnet, though cybersecurity experts assessed the operations as propaganda-driven rather than state-sponsored or critically disruptive. The incident included unsuccessful attempts to target the Eurovision voting system and misidentified entities, with analysts characterizing the campaign as efforts to undermine public confidence through low-complexity but persistent attacks.

Description

On May 19, 2022, at 23:54, the pro-Russian cyber group Legion launched a distributed denial-of-service (DDoS) campaign targeting multiple Italian institutional and corporate websites. The attack initially focused on the Ministry of Foreign Affairs and International Cooperation (Ministero degli Affari Esteri e della Cooperazione Internazionale), Ministry of Cultural Heritage, and High Council of the Judiciary (Consiglio Superiore della Magistratura), causing significant downtime for these critical government platforms. By the morning of May 20, additional targets became operational, including the State Police website (previously attacked days earlier) and the Senate site, which experienced temporary inaccessibility as evidenced by researcher Claudio Sono's Twitter documentation. Legion expanded its target list throughout the day to include energy regulator ARERA, transport association Federtrasporto, and corporate entities like Eni, TIM, and WindTre – though these commercial sites remained functional.

The attackers shifted focus to Italian airport websites in the afternoon of May 20, disrupting online services for Milan's Linate and Malpensa airports along with Bergamo, Rimini, Genoa, and Olbia facilities. Legion mistakenly targeted a Korean agency reselling Trenitalia tickets, suggesting operational errors in target selection. The group coordinated operations through Russian-language Telegram channels established on April 28, explicitly identifying as Russian actors and frequently aligning with the Killnet cyber collective. While the DDoS attacks caused temporary disruptions – with the Ministry of Cultural Heritage restoring service by 10:30 AM and ARERA by noon on May 20 – cybersecurity expert Corrado Giustozzi characterized the incidents as "rather mild attacks" of propagandistic nature rather than critical infrastructure breaches. The Italian Computer Security Incident Response Team (CSIRT) issued preventive measures against such attacks, though specific technical countermeasures weren't detailed in available reporting. Legion's campaign demonstrated evolving tactics through repeated NATO domain targeting and attempts to undermine public confidence in government digital services during heightened geopolitical tensions.
