Cyber Incident Victim: Consiglio Superiore della Magistratura
Date:
May 2022
Location:
Italy
Summary
A pro-Russian cyber group known as Legion conducted distributed denial-of-service (DDoS) attacks against multiple Italian institutional websites, including the High Council of the Judiciary, along with ministries, airports, and corporate entities. The attacks temporarily disrupted access to several government sites, such as those for foreign affairs and cultural heritage, though many targets remained operational. Legion coordinated through Telegram channels, explicitly identifying as Russian-aligned and collaborating with another group called Killnet, though cybersecurity experts assessed the operations as propaganda-driven "noise attacks" rather than critical threats. The incidents formed part of a broader pattern targeting Italian infrastructure, characterized by high-volume but relatively unsophisticated DDoS campaigns aimed at causing disruption and undermining public confidence.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
On May 19, 2022, at 23:54, the pro-Russian cyber group Legion launched a distributed denial-of-service (DDoS) attack campaign against Italian institutional websites, including the High Council of the Judiciary (Consiglio Superiore della Magistratura), Ministry of Cultural Heritage, Ministry of Foreign Affairs, and Academy of Sciences. The group announced targets via Telegram, listing additional objectives such as the Senate, Ministry of Defense, Customs Agency, and companies including Eni, TIM, and WindTre. By May 20, multiple sites experienced intermittent downtime, with the Senate becoming temporarily unreachable—a status documented through researcher Claudio Sono’s Twitter screenshot. The State Police website, previously targeted in earlier attacks, remained accessible by 9:50 AM. The Ministry of Cultural Heritage’s site recovered by 10:30 AM, while the Energy Regulatory Authority (Arera) resumed operations by noon.
Legion expanded its targets that afternoon to include Milan’s Linate and Malpensa airports, alongside airports in Bergamo, Rimini, Genoa, and Olbia. The group erroneously listed a Korean agency selling Trenitalia tickets, possibly intending to attack the Italian rail operator. Attacks employed DDoS tactics to overwhelm sites with traffic, causing temporary disruptions. The Italian CSIRT documented mitigation measures against such attacks, though specific response actions by affected entities were not detailed. Cybersecurity expert Corrado Giustozzi characterized the assaults as “rather bland” and non-critical, assessing affiliated group Killnet as a loosely organized entity rather than a direct Kremlin proxy. The incident reflected broader patterns of DDoS campaigns increasing in scale and complexity, as noted by F5 analysts, with Legion’s Telegram recruitment channel operational since April 28 and openly aligning with Russian interests through NATO-targeted operations.