
Cyber Incident Victim: Killnet

Date: Apr 2022

Location: Romania

Summary

A pro-Russian hacktivist group known as Killnet conducted distributed denial-of-service (DDoS) attacks targeting multiple Romanian government and affiliated websites, including the official government portal, defense ministry, border police, national railway company, and a commercial bank. The attacks overwhelmed web applications at OSI Layer 7 with high-volume requests, causing temporary unavailability of services for several hours before mitigation efforts restored access. Romania's national cybersecurity agency collaborated with intelligence services to map and mitigate the incident, attributing the attacks to compromised foreign infrastructure. Killnet claimed responsibility, citing retaliation for Romanian political support of Ukraine, including weapons provisions, a recurring motive for their prior DDoS campaigns against other nations aiding Ukraine.

Description

On April 28, 2022, beginning at 4:00 AM local time, pro-Russian hacktivist group Killnet launched distributed denial-of-service (DDoS) attacks against multiple Romanian government and commercial websites. The attacks targeted web applications at the OSI model's application layer (Layer 7), overwhelming servers with high-volume requests that exhausted processing resources. Affected entities included gov.ro (Romanian Government), mapn.ro (Ministry of Defense), politiadefrontiera.ro (Border Police), cfrcalatori.ro (National Railway Transport Company), and otpbank.ro (commercial bank OTP Bank Romania). Romania's National Cyber Security Directorate (DNSC) confirmed the attacks originated from compromised network equipment outside the country, exploiting security vulnerabilities in those systems. The sustained barrage caused significant service disruption, rendering all targeted websites unavailable to legitimate users during the attack period.

Romanian authorities detected the attacks immediately and initiated coordinated response measures through DNSC and the Romanian Intelligence Service (SRI). By approximately 11:00 AM local time—seven hours after the attacks commenced—all affected websites were restored to operational status. DNSC characterized the attack intensity as moderate but noted it exceeded request throttling limits on victim infrastructure, causing disproportionate disruption. The agency announced plans to publish attacker IP addresses and provided compromised entities with specific indicators of compromise for traffic filtering. Killnet publicly claimed responsibility via messaging platforms, citing retaliation against Romanian Chamber of Deputies President Marcel Ciolacu's pledge to supply military weapons to Ukraine. This incident followed Killnet's established pattern of DDoS campaigns against nations supporting Ukraine, including prior attacks targeting the U.S., Czech Republic, Estonia, Germany, and Poland. Concurrently, Ukrainian CERT reported similar DDoS attacks exploiting compromised WordPress sites to generate malicious traffic against Ukrainian targets, though no direct coordination between these campaigns was established in available reporting.
