Cyber Incident Victim: CFR Călători
Date: Apr 2022
Location: Romania
Summary
A series of DDoS attacks targeted multiple Romanian entities, including CFR Călători, government institutions, and a financial organization, causing temporary website disruptions by blocking user access. The pro-Russian hacker group Killnet claimed responsibility; the attacks were launched from network equipment outside Romania that had been compromised through exploited vulnerabilities. Affected sites, which did not host sensitive or classified databases, experienced no data compromise. National cybersecurity teams collaborated to restore services, confirming the attacks impacted only public-facing web resources without breaching internal infrastructure or affecting operational continuity. Killnet's actions aligned with prior attacks against NATO and other Eastern European nations, though Romania's critical IT infrastructure systems remained unaffected.
Description
On April 29, 2022, multiple Romanian government and institutional websites, including CFR Călători (cfrcalatori.ro), experienced distributed denial-of-service (DDoS) attacks beginning in the early morning hours. The attacks simultaneously targeted gov.ro (Government of Romania), mapn.ro (Ministry of National Defense), politiadefrontiera.ro (Border Police), and OTP Bank's website. Initial government announcements confirmed the DDoS disruptions at approximately 04:05 local time, with the Ministry of National Defense (MApN) specifically noting that the attack on its site began at that time. The pro-Russian hacker group Killnet claimed responsibility for the coordinated attacks, consistent with its established pattern of targeting Eastern European and NATO-affiliated entities earlier that month. Romania's National CYBERINT Center, operating under the Romanian Intelligence Service (SRI), attributed the attacks to foreign-based network equipment compromised through exploitation of cybersecurity vulnerabilities, particularly inadequate security measures on those devices.

The attacks caused temporary service disruptions, rendering affected websites inaccessible to users for varying periods. MApN confirmed its site was restored to functionality following remediation efforts by its Cyber Defense Command (CApC), emphasizing that no sensitive or classified databases were compromised since its public site operated independently from internal classified networks. Similarly, OTP Bank reported its website experienced only brief downtime without compromising customer data or core banking infrastructure. CFR Călători’s website disruption mirrored these temporary accessibility issues, though specific restoration timelines weren’t detailed. SRI clarified that none of the targeted sites formed part of Romania’s national critical IT infrastructure (ȚIȚEICA) under its protection mandate but confirmed collaboration with relevant entities to investigate the attacks and mitigate impacts. Technical responses included coordinated efforts between government IT specialists and institutional cybersecurity teams to restore services and analyze attack vectors, with gov.ro being among the first restored. Killnet’s geopolitical motivations were evident through its public claims and prior attacks against U.S., Polish, Czech, Estonian, and NATO digital assets earlier in April 2022.
