Cyber Incident Victim: Bulgarian Ministry of Justice
Date: Oct 2022
Location: Bulgaria
Summary
A pro-Russian hacking group known as Killnet executed a distributed denial-of-service (DDoS) attack targeting multiple Bulgarian government websites, including that of the Justice Ministry, temporarily disrupting access and causing lingering performance issues. The group claimed responsibility, framing the attack as retaliation for a perceived betrayal of Russia and for military support to Ukraine, though the country had not supplied its own weaponry. While no sensitive data was compromised, Bulgarian authorities identified a suspected hacker based in Russia and initiated extradition efforts despite low expectations of cooperation. Cybersecurity experts linked Killnet to Russian intelligence operations, noting its pattern of targeting nations supporting Ukraine to undermine institutional trust and generate media attention.
Description
On October 15, 2022, a large-scale distributed denial-of-service (DDoS) attack disrupted multiple Bulgarian government websites, including those of the presidential administration, the Defense Ministry, the Interior Ministry, the Justice Ministry, and the Constitutional Court. The pro-Russian hacking group Killnet claimed responsibility for the attack via its Telegram channel, framing it as punishment for Bulgaria’s alleged “betrayal to Russia” and its supply of weapons to Ukraine. The attack temporarily rendered the targeted websites inaccessible, and though access was later restored, the sites experienced significantly slower performance afterward. Bulgarian Prosecutor-General Ivan Geshev characterized the incident as a serious problem and an attack on the Bulgarian state, though no sensitive data was compromised. Killnet’s statement declared the Bulgarian government “sentenced to network collapse and shame,” aligning with its pattern of targeting nations supporting Ukraine. The group, active since Russia’s invasion of Ukraine, had previously launched similar DDoS campaigns against government networks in Romania, Italy, Lithuania, Norway, Poland, Finland, and Latvia.

Bulgarian Deputy Chief Prosecutor Borislav Sarafov announced that the country’s cybersecurity agency had identified one of the attackers by name and address, locating the individual in Magnitogorsk, Russia. Bulgaria intended to seek extradition, though Sarafov acknowledged low expectations of Russian cooperation. Cybersecurity expert Yavor Kolev asserted that Killnet was likely controlled by Russian intelligence agencies, operating under state direction rather than independently. The attack occurred despite Bulgaria’s historically close ties to Russia and its refusal to directly supply weapons to Ukraine, though the country had provided humanitarian aid, asylum to Ukrainian refugees, and repairs for Ukrainian heavy weapons. Kolev suggested Bulgaria’s inclusion in Killnet’s list of over 50 targeted countries might reflect its heightened political visibility rather than its military support for Ukraine. The incident underscored the group’s broader strategy of leveraging disruptive but non-destructive cyberattacks to generate media attention and erode public trust in state institutions.
