Cyber Incident Victim: Agenzia delle Dogane e dei Monopoli
Date: May 2022
Location: Italy
Summary
A pro-Russian cyber group known as Legion conducted distributed denial-of-service (DDoS) attacks against multiple Italian institutional websites, including the Italian Customs Agency, alongside targets such as ministries, the Senate, airports, and energy regulators. The attacks temporarily disrupted access to several sites, including those of the Foreign Ministry and the Superior Council of Magistracy, while others like Eni and TIM remained operational. Legion, which recruits via Telegram and collaborates with groups like Killnet, framed the operations as part of broader pro-Russian activities, though cybersecurity experts characterized the incidents as relatively low-severity "propaganda" efforts rather than critical infrastructure threats. The campaign also briefly targeted transportation and cultural entities, with some objectives appearing misidentified, such as an incorrect reference to a Korean agency instead of Trenitalia.
Description
On May 19, 2022, at 23:54, the pro-Russian cyber group Legion launched a distributed denial-of-service (DDoS) attack campaign against Italian institutional and corporate websites, including Agenzia delle Dogane e dei Monopoli. The group announced targets via Telegram, listing multiple entities such as the Ministry of Cultural Heritage, Ministry of Foreign Affairs, Superior Council of Magistracy, Senate, Eni, TIM, WindTre, Corte dei Conti, Ministry of Interior, Ministry of Defense, and Federtrasporto. Attacks commenced immediately, with some targets like the Senate website becoming unreachable, as evidenced by researcher Claudio Sono’s Twitter screenshot. By 09:50 on May 20, the State Police website—previously attacked—regained accessibility, while the Ministry of Cultural Heritage site recovered by 10:30 and ARERA (Energy Regulatory Authority) by 12:00. Legion expanded targets that afternoon to include Milan’s Linate and Malpensa airports, Bergamo, Rimini, Genoa, and Olbia airports, alongside repeated attempts against the Ministry of Defense and an erroneous attack on a Korean agency selling Trenitalia tickets.

The DDoS attacks overloaded sites with traffic, causing intermittent outages. Most listed targets, including Agenzia delle Dogane, remained operational during the incident, though the Foreign Ministry, Superior Council of Magistracy, and Verona’s Academy of Sciences experienced heavier disruptions. Legion had operated openly via Russian-language Telegram channels since April 28, recruiting volunteers and coordinating attacks against NATO domains and Eurovision’s voting system. Cybersecurity expert Corrado Giustozzi characterized the attacks as “propaganda” rather than critical threats, noting their technical simplicity and lack of Kremlin affiliation. Italy’s Computer Security Incident Response Team (CSIRT) issued preventive measures against such attacks, though specific mitigation actions for affected entities were not detailed. No data breaches or long-term service impairments were reported, with restoration efforts occurring organically across most sites within hours.
