Cyber Incident Victim: Comune di Brescia
Date: Mar 2023
Location: Italy
Summary
The Municipality of Brescia suffered a cyberattack attributed to the DoppelPaymer threat actors using Cryptolocker malware, disrupting its network and critical citizen services despite existing antivirus and security systems. The attack severely impaired online operations and technological infrastructure. Technical staff began work to restore functionality, with the aim of resuming services after the Easter holiday period, and the municipality planned to file a formal complaint with authorities.
Description
On March 30, 2021, the Municipality of Brescia experienced a disruptive cyberattack that compromised its network infrastructure and disrupted public services. Unknown threat actors deployed malware—later identified as Cryptolocker and attributed to the DoppelPaymer ransomware group—which bypassed existing antivirus and security systems. The attack caused significant technical damage, forcing the municipality to suspend normal operations, including online citizen services. Officials issued a public statement confirming the incident and emphasized that the breach occurred despite proactive security measures. Internal technicians immediately initiated recovery efforts to restore network functionality and critical systems, with the goal of resuming full operations following the Easter holiday period. The municipality also announced plans to file a formal complaint with law enforcement authorities. Service disruptions persisted throughout the incident response phase, directly impacting residents' ability to access municipal resources.

A nearly identical cyberattack targeted the Municipality of Rho on April 1, 2021, exhibiting similar operational impacts and response patterns. Rho's public notice mirrored Brescia's language, citing unknown attackers, compromised networks, and disabled services—including the Quic – Sportello del Cittadino citizen assistance platform. Like Brescia, Rho maintained active antivirus protections that failed to prevent the breach and deployed technical teams to restore systems before Easter. Both municipalities issued standardized communications without disclosing specific forensic details or confirming whether they shared IT infrastructure or service providers. The parallel timing, identical attack methodologies, and coordinated public messaging suggested a potential campaign targeting Lombardy region municipalities, though no explicit connection between the two incidents was formally established in available reports. Restoration timelines remained contingent on technical remediation progress as both administrations worked to minimize prolonged civic disruption.
