Cyber Incident Victim: OTP Bank România
Date: Apr 2022
Location: Romania
Summary
A pro-Russian hacker group known as Killnet launched distributed denial-of-service (DDoS) attacks targeting multiple Romanian websites, including OTP Bank's public-facing site, causing temporary inaccessibility. The financial institution confirmed its website briefly went offline but emphasized that no confidential data or customer information was compromised, as the site only hosted public content; core banking infrastructure remained unaffected and operational throughout the incident. Similar attacks disrupted government and transportation sites, with Romania's intelligence service attributing the campaign to network devices outside Romania that the attackers had taken over by exploiting security vulnerabilities. Killnet, which claimed responsibility, has previously targeted NATO and Eastern European entities with DDoS attacks. Authorities collaborated to restore services, noting that the affected sites lacked sensitive or classified databases.
Description
On April 29, 2022, a coordinated series of distributed denial-of-service (DDoS) attacks disrupted access to multiple Romanian websites, including OTP Bank România's public-facing site (otpbank.ro), alongside government domains (gov.ro, mapn.ro, politiadefrontiera.ro) and CFR Călători's site (cfrcalatori.ro). The attacks commenced around 04:05 local time, with the Ministry of National Defense (MApN) confirming its site was among the first impacted. Initial government statements indicated the attacks temporarily blocked user access but did not compromise backend systems or sensitive data. By mid-morning, access to gov.ro was restored, while MApN’s site remained intermittently unavailable as specialists from its Cyber Defense Command (CApC) worked to mitigate the attack. The pro-Russian hacker group Killnet publicly claimed responsibility for the attacks, aligning with its pattern of targeting entities in NATO-aligned nations, including prior DDoS incidents against the U.S., Estonia, Poland, and the Czech Republic earlier that month.

The Romanian Intelligence Service (SRI), through its National CYBERINT Center, determined attackers exploited vulnerabilities in network equipment located outside Romania, seizing control to launch the DDoS campaigns. SRI emphasized the affected sites, including OTP Bank’s, were not part of Romania’s national critical IT infrastructure (ŢIŢEICA) under its oversight, though it cooperated with relevant entities to investigate and remediate impacts. OTP Bank clarified its website hosted only public information, experienced a "very short" outage, and confirmed no client data, confidential information, or core banking infrastructure was breached or affected. The bank reiterated its operational continuity and proactive security monitoring. MApN similarly confirmed no classified or sensitive databases were compromised, restoring full functionality after temporary access disruptions. SRI noted Killnet’s Eastern origin and pro-Russian alignment but underscored primary cybersecurity responsibility for the targeted infrastructures lay with their respective operators, not intelligence agencies.
