Cyber Incident Victim: Romania
Date: Apr 2022
Location: Romania
Summary
Pro-Russian hacktivist group Killnet conducted distributed denial-of-service (DDoS) attacks targeting multiple Romanian government and financial websites, including those of the Ministry of Defense, Border Police, and a national railway company. The attackers used network equipment compromised through security vulnerabilities to overwhelm web applications at OSI layer 7, causing temporary service disruptions starting in the early morning. Services were restored later that morning through mitigation efforts by Romania's national cybersecurity team (DNSC) and intelligence service (SRI). Killnet claimed responsibility, citing retaliation for the country's pledge to supply military aid to Ukraine, in line with its pattern of similar attacks against nations supporting Ukraine. The group previously targeted entities in the U.S., Poland, and other European countries for similar political motives.
Description
On April 28, 2022, pro-Russian hacktivist group Killnet launched distributed denial-of-service (DDoS) attacks against multiple Romanian government and affiliated websites. The attacks began at 4:00 AM local time, targeting web applications at the OSI model's application layer (Layer 7) by overwhelming servers with high volumes of requests and data. Romania's National Cyber Security Directorate (DNSC) confirmed the incident affected critical infrastructure including gov.ro (Government of Romania), mapn.ro (Ministry of Defense), politiadefrontiera.ro (Border Police), cfrcalatori.ro (National Railway Transport Company), and otpbank.ro (commercial banking services). The attacks exploited compromised network equipment located outside Romania, leveraging security vulnerabilities to generate malicious traffic. Romania's Intelligence Service (SRI) reported the attacks caused service disruptions by hitting server throttling limits, rendering websites temporarily inaccessible to legitimate users. By approximately 11:00 AM local time, all affected sites were restored to normal operation following mitigation efforts. DNSC characterized the attack intensity as moderate but sufficiently disruptive to exceed resource thresholds. Technical analysis revealed the attackers focused on exhausting processing capabilities rather than breaching data security.

Killnet publicly claimed responsibility through messaging platforms, explicitly linking the attacks to Romanian political support for Ukraine. The group cited statements by Marcel Ciolacu, President of Romania's Chamber of Deputies, regarding military aid provisions to Ukraine as the operational catalyst. This followed Killnet's established pattern of targeting nations supplying Ukrainian defenses, with prior attacks against government sites in the United States, Czech Republic, Estonia, Germany, and Poland. DNSC collaborated with domestic authorities to map attack vectors and announced plans to publish participating IP addresses for network filtering. Administrators received directives to implement DNSC's 2021 cybersecurity guidelines and apply provided indicators of compromise to block malicious traffic. Concurrently, Ukraine's CERT reported escalating DDoS campaigns leveraging compromised WordPress sites, though no direct connection to the Romanian incident was established. The attacks highlighted coordinated hacktivist responses to geopolitical developments without evidence of data exfiltration or persistent network infiltration.
