Cyber Incident Victim: Autorità di regolazione per energia reti e ambiente
Date:
May 2022
Location:
Italy
Summary
A pro-Russian cyber group known as Legion conducted distributed denial-of-service (DDoS) attacks against multiple Italian institutional websites, including the energy, networks, and environment regulatory authority, along with ministries, the Senate, airports, and other entities. The attacks temporarily disrupted access to several targets, such as the Ministry of Foreign Affairs and the Superior Council of Magistracy, though many sites remained operational or were restored within hours. Legion coordinated its operations via Telegram, explicitly identifying as a Russian group and collaborating with affiliated entities like Killnet. Security experts characterized the incidents as relatively unsophisticated "noise" or propaganda efforts rather than critical infrastructure breaches, aimed at causing disruption and undermining public confidence. The campaign targeted a broad range of Italian organizations, with some objectives appearing misidentified or redundant.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
On May 19, 2022, at 23:54, the pro-Russian cyber group Legion announced a distributed denial-of-service (DDoS) attack campaign against Italian institutional and corporate websites via Telegram. The initial wave targeted the Ministry of Cultural Heritage, Ministry of Foreign Affairs, and Superior Council of the Judiciary, among others. By the morning of May 20, several sites experienced disruptions: the Senate website became temporarily unreachable, as evidenced by researcher Claudio Sono’s Twitter screenshot, while the State Police site—previously attacked by Legion—remained accessible. The Ministry of Foreign Affairs, Superior Council of the Judiciary, and Verona-based Academy of Sciences suffered the most severe downtime. The Autorità di regolazione per energia reti e ambiente (ARERA) website went offline but resumed operations by 12:00 on May 20, following the Ministry of Cultural Heritage’s recovery at 10:30. Legion’s target list included ambiguous or outdated references, such as minambiente.it (a defunct Environment Ministry domain redirecting to the Ecological Transition Ministry’s site, which had been threatened in April). Other listed entities—Eni, TIM, WindTre, Court of Auditors, Ministry of Interior, Customs Agency, Ministry of Defense, and Federtrasporto association—remained operational during the attack.
The attackers employed DDoS techniques to overwhelm sites with traffic, causing temporary outages. Legion expanded its campaign on May 20 afternoon, targeting Milan’s Linate and Malpensa airports, along with Bergamo, Rimini, Genoa, and Olbia airports. The group erroneously listed a Korean agency reselling Trenitalia tickets, possibly intending to attack the Italian rail operator. Telegram logs revealed Legion’s explicit Russian affiliation and coordination with Killnet, another emerging cyber group linked to Russian interests. Cybersecurity expert Corrado Giustozzi characterized the attacks as “rather mild” propaganda efforts lacking critical impact, contrasting with F5 analysts’ observations of increasing DDoS scale and complexity. Italy’s Computer Security Incident Response Team (CSIRT) issued preventive measures against such attacks, while Silas Cutler of Stairwell noted DDoS operations in conflict zones could undermine public trust in essential services. Legion had previously targeted NATO domains and the Eurovision voting system, though Giustozzi dismissed these as non-severe incidents. The group’s Telegram recruitment channel, active since April 28, directed volunteers to attack Atlantic Alliance subdomains, reinforcing its pro-Russian alignment.