Cyber Incident Victim: Italian Government
Date:
May 2022
Location:
Italy
Summary
Pro-Russian hacktivist group Killnet conducted distributed denial-of-service (DDoS) attacks targeting Italian government websites using a "Slow HTTP" technique designed to overwhelm servers by sending slow or incomplete requests, rendering sites inaccessible. The group claimed responsibility, characterizing the incidents as military cyber exercises in preparation for future offensives against critical infrastructure. Italy's Computer Security Incident Response Team confirmed the attacks' impact on crucial services and warned that conventional defenses might be ineffective against this unusual method, while providing mitigation guidance to administrators. Killnet publicly threatened further sudden attacks following media coverage of the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In early May 2022, Italy's Computer Security Incident Response Team (CSIRT) disclosed distributed denial-of-service (DDoS) attacks targeting critical Italian government websites over the preceding days. The pro-Russian hacktivist group Killnet claimed responsibility for these attacks, which employed a "Slow HTTP" technique designed to overwhelm web servers by sending incomplete or abnormally slow HTTP requests. This method forced servers to allocate resources to waiting for the remaining data from each malicious connection, eventually exhausting capacity and rendering sites inaccessible. Killnet publicly asserted its involvement through Telegram messages, framing the attacks as "military cyber exercises" to prepare for future offensives. The group explicitly referenced Italy's support for Ukraine as motivation, stating, "Italians and the Spaniards are going to learn how to kill people in Ukraine. Our Legion is learning to kill your servers." Killnet further warned that their "cyber army" would soon transition from training to sudden, large-scale attacks, emphasizing unpredictability. The group had previously conducted similar DDoS campaigns against Romanian government portals and Bradley Airport in the United States.
The attacks disrupted access to unspecified Italian government websites, though the exact duration and full scope of the outages were not detailed in CSIRT's disclosure. CSIRT characterized "Slow HTTP" as an atypical DDoS method, cautioning that conventional defensive measures might prove ineffective against it. The agency issued an advisory outlining mitigation strategies tailored to this attack vector. No data breaches or permanent system compromises were reported, with the primary impact being temporary service unavailability. Killnet's public Telegram statements amplified psychological and geopolitical tensions, explicitly linking the cyber operations to Italy's political stance on the Ukraine conflict. The incident underscored the group's persistent focus on NATO-aligned nations supporting Ukraine, following their established pattern of combining technical disruption with propaganda messaging. CSIRT's public disclosure aimed to raise awareness among system administrators about the specific vulnerabilities exploited in these attacks.