Cyber Incident Victim: Italian airports of Malpensa, Linate and Orio al Serio
Date:
May 2022
Location:
Italy
Summary
A pro-Russian hacker group Killnet conducted distributed denial-of-service (DDoS) attacks against multiple Italian airports, including Malpensa, Linate, and Orio al Serio, causing temporary website inaccessibility while leaving flight operations and passenger services unaffected. The attacks formed part of a broader campaign targeting Italian institutional websites such as the State Police, Customs Agency, and ministries of Foreign Affairs, Education, and Cultural Heritage. Killnet claimed responsibility via Telegram, accusing Italian authorities of spreading disinformation about the group. Cybersecurity specialists from the Postal Police assisted in restoring services, and Rome prosecutors initiated a terrorism-related investigation into the coordinated attacks. This incident followed similar cyber assaults by the same group against healthcare facilities and regional health agencies in preceding weeks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On the afternoon of May 20, 2022, the websites of Milan's Linate and Malpensa airports, Bergamo's Orio al Serio airport, and the airports of Genoa and Rimini became inaccessible due to a distributed denial-of-service (DDoS) attack. The pro-Russian hacker collective Killnet claimed responsibility for the attack, which overwhelmed the sites with artificial traffic to exhaust bandwidth and cause service interruptions. Users attempting to access Milan Linate's website received connection errors, while Malpensa and Orio al Serio's portals displayed outage messages. The attack occurred after Killnet had targeted several Italian institutional websites earlier that day, including the State Police, Superior Council of the Judiciary, Customs Agency, and the Ministries of Foreign Affairs, Education, and Cultural Heritage. No operational disruptions affected passenger services, flights, or airport infrastructure, as the impact was confined to the public-facing websites. Technical teams from airport operators Sea (managing Linate and Malpensa) and Sacbo (managing Orio al Serio) immediately worked to restore access.
Killnet publicly justified the attack through a Telegram message accusing the Italian government and media of spreading disinformation about the group, demanding an apology. Italy's Postal Police, a specialized cyber unit, assisted airport operators in analyzing the flood of IP addresses and restoring services while launching countermeasures against the ongoing attacks. The Rome Prosecutor’s Office opened a terrorism-related investigation for unauthorized computer access, delegating forensic analysis to the Postal Police. Milan authorities considered opening a parallel investigation following the airport targeting. This incident followed a pattern of Killnet attacks two weeks prior against healthcare infrastructure, including the Fatebenefratelli, Sacco, Buzzi, and Melloni hospitals, alongside 33 local health offices and the Insubria Health Agency’s IT platforms, which required days to restore patient services. The airport cyberattacks demonstrated Killnet’s continued focus on Italian critical infrastructure amid geopolitical tensions linked to the Russia-Ukraine conflict.