
Cyber Incident Victim: Polizia di Stato

Date:

May 2022

Location:

Italy

Summary

A pro-Russian cyber group known as Legion conducted distributed denial-of-service (DDoS) attacks against multiple Italian institutional websites, including the Polizia di Stato, which had previously been targeted and experienced temporary inaccessibility. The attacks also affected the Ministry of Culture, the Ministry of Foreign Affairs, the Senate, the Superior Council of the Judiciary, and several airports, though many sites remained operational or were restored within hours. Legion coordinated the campaign via Telegram, explicitly identifying as a Russian group and aligning with the Killnet collective, though cybersecurity experts assessed the attacks as relatively unsophisticated and more propagandistic than critical. The incidents aimed to disrupt public services and undermine confidence, reflecting a pattern of disruptive but non-crippling cyber operations linked to Russian-aligned actors during this period.


Description

On May 19, 2022, at 23:54, the pro-Russian cyber group Legion launched coordinated distributed denial-of-service (DDoS) attacks against multiple Italian institutional websites. Primary targets included the Ministry of Cultural Heritage, Ministry of Foreign Affairs, Superior Council of Magistracy (CSM), State Police (Polizia di Stato), Senate, and the Verona-based Academy of Sciences. The State Police website, previously targeted by Legion in earlier attacks, became inaccessible during the initial assault but regained functionality by 09:50 on May 20. Other critical infrastructure impacted included the Customs Agency, Ministry of Defense, and energy regulator ARERA, with the latter restoring service by 12:00. Attackers also erroneously listed outdated domains like minambiente.it (redirecting to the Ecological Transition Ministry's current site) and mistakenly targeted a Korean agency selling Trenitalia tickets instead of the Italian rail operator.


The operational scope expanded on the afternoon of May 20, when Legion shifted focus to airport websites (Milan's Linate and Malpensa, Bergamo, Rimini, Genoa, and Olbia) while continuing attacks on the Defense Ministry. Legion coordinated through Russian-language Telegram channels established on April 28, openly identifying as a Russian group and collaborating with the Killnet collective. Their campaign mirrored prior activities against NATO domains and the Eurovision voting system, though cybersecurity expert Corrado Giustozzi characterized these as "rather mild" propaganda efforts lacking critical impact. The Italian CSIRT documented mitigation measures against such attacks, noting recurring accessibility issues at the Senate and Foreign Ministry sites while confirming full restoration of Cultural Heritage Ministry access by 10:30 on May 20. Technical reconnaissance indicated fluctuating downtime across targets, with Eni, TIM, and WindTre corporate sites remaining operational despite being listed in Legion's target roster.
