Cyber Incident Victim: Aeroporto di Rimini-Miramare
Date: May 2022
Location: Italy
Summary
A pro-Russian cyber group known as Legion conducted distributed denial-of-service (DDoS) attacks against multiple Italian institutional and commercial targets, including an Italian airport, temporarily disrupting online services. The attacks formed part of a broader campaign targeting entities such as government ministries, transportation hubs, and energy regulators, with some sites experiencing extended downtime while others remained operational. Security experts characterized the incidents as propaganda-driven disruptions rather than critical infrastructure breaches, noting connections to the loosely organized Killnet collective but dismissing direct ties to Russian state actors. The group utilized Telegram channels to coordinate volunteers for these attacks, which aimed to overwhelm websites with traffic but were generally assessed as limited in technical sophistication.
Description
On May 19, 2022, at 23:54, the pro-Russian cyber group Legion announced via Telegram a coordinated distributed denial-of-service (DDoS) campaign targeting Italian institutional and corporate websites. Initial targets included the Ministry of Cultural Heritage, Ministry of Foreign Affairs, and Superior Council of the Judiciary, alongside entities like Eni, TIM, and WindTre. By May 20, intermittent disruptions affected the State Police website (previously attacked days earlier) and the Senate site, which became unreachable for a period as evidenced by researcher Claudio Sono's Twitter documentation. The Ministry of Foreign Affairs, Superior Council of the Judiciary, and Verona-based Academy of Sciences experienced the most severe downtime. The Ministry of Cultural Heritage restored service by 10:30 AM, while the Energy Regulatory Authority (ARERA) resumed operations by noon.

The attacks escalated on the afternoon of May 20 when Legion expanded targeting to airport websites, including Milan's Linate and Malpensa, Bergamo, Rimini-Miramare, Genoa, and Olbia. The group also erroneously listed a Korean agency selling Trenitalia tickets, possibly intending to attack the Italian rail operator. Legion conducted these DDoS attacks by flooding targets with traffic to induce outages, a tactic it repeatedly employed alongside the affiliated group Killnet. While most corporate targets like Eni remained operational, the campaign demonstrated broad scope across government, transportation, and energy sectors. The Italian Computer Security Incident Response Team (CSIRT) issued preventative guidance, though specific mitigation actions for airport targets weren't detailed. Cybersecurity expert Corrado Giustozzi characterized the attacks as "propaganda" rather than critical threats, noting their technical limitations despite disruptive potential. Legion's Telegram channel, active since April 28, explicitly identified itself as Russian and coordinated with Killnet, though Giustozzi assessed no direct Kremlin affiliation based on the group's operational patterns.
