Cyber Incident Victim: Bulgarian Constitutional Court
Date: Oct 2022
Location: Bulgaria
Summary
A pro-Russian hacking group known as Killnet launched a distributed denial-of-service (DDoS) attack against multiple Bulgarian government websites, including the Constitutional Court, briefly disrupting access and causing lingering slowdowns after restoration. The group claimed the attack was retaliation for Bulgaria’s alleged betrayal of Russia and military support to Ukraine, though officials clarified that Bulgaria had only provided humanitarian aid and weapon repairs, not direct arms transfers. While no sensitive data was compromised, the incident drew strong condemnation from government authorities as an attack on national institutions. Cybersecurity experts linked Killnet to Russian intelligence operations, noting its pattern of targeting nations supporting Ukraine. Bulgarian investigators identified a suspect in Russia but deemed extradition unlikely.
Description
On October 15, 2022, a large-scale distributed denial-of-service (DDoS) attack disrupted multiple Bulgarian government websites, including those of the presidential administration, the Defense Ministry, the Interior Ministry, the Justice Ministry, and the Constitutional Court. The pro-Russian hacking group Killnet claimed responsibility for the attack via its Telegram channel, framing it as punishment for Bulgaria’s perceived "betrayal to Russia" and alleged weapons supplies to Ukraine. The attack temporarily rendered the targeted websites inaccessible by overwhelming them with junk traffic. While access was restored relatively quickly, the sites experienced lingering performance issues, operating slower than usual afterward. Bulgarian Prosecutor-General Ivan Geshev publicly attributed the incident to pro-Russian actors, characterizing it as "a serious problem" and "an attack on the Bulgarian state." The attack aligned with Killnet’s established pattern of targeting European nations supporting Ukraine, though Bulgaria had not provided direct military aid, instead offering humanitarian assistance, refugee asylum, and heavy weapons repair services.

The cyberattack caused no confirmed data breaches or permanent infrastructure damage but prompted significant operational and diplomatic responses. Deputy Chief Prosecutor Borislav Sarafov announced that Bulgarian cybersecurity authorities had identified a suspect residing in Magnitogorsk, Russia, and intended to pursue extradition, though he acknowledged low expectations of Russian cooperation. Cybersecurity expert Yavor Kolev assessed that Killnet likely operated under Russian intelligence direction, noting its broader campaign against over 50 countries opposing Russia’s invasion of Ukraine. The incident underscored Bulgaria’s geopolitical positioning, balancing historical ties to Russia with limited support for Ukraine amid regional tensions. Government statements emphasized the symbolic nature of the attack, intended to undermine institutional credibility rather than inflict technical destruction, consistent with Killnet’s prior disruptions in Romania, Italy, Lithuania, and other NATO-aligned states. Restoration efforts focused on mitigating service interruptions, with no publicized long-term security overhauls or additional countermeasures detailed in the immediate aftermath.
