Cyber Incident Victim: Guvernul României
Date: Apr 2022
Location: Romania
Summary
A series of DDoS attacks targeted multiple Romanian government and financial websites, including those of the government, defense ministry, border police, national railway operator, and a bank, causing temporary access disruptions. The pro-Russian hacker group Killnet claimed responsibility, exploiting vulnerabilities in foreign network equipment to launch the attacks. Investigations confirmed the impacted sites did not host sensitive or classified databases, and no data breaches occurred. While the bank's public website experienced brief downtime, its core infrastructure remained unaffected. Cybersecurity teams restored functionality, with authorities emphasizing the targeted sites fell outside Romania's national critical infrastructure protection framework. The incident mirrored similar Killnet attacks against NATO countries and allied institutions.
Description
On April 29, 2022, a series of distributed denial-of-service (DDoS) cyberattacks disrupted access to multiple Romanian government and institutional websites starting in the early morning hours. The affected sites included www.gov.ro (Government of Romania), www.mapn.ro (Ministry of National Defense), politiadefrontiera.ro (Border Police), cfrcalatori.ro (CFR Călători railway operator), and otpbank.ro (OTP Bank Romania). Initial disruptions began at 04:05 when the Ministry of National Defense (MApN) website was targeted. The Romanian government announced the coordinated attacks that morning, noting specialists from governmental IT structures were collaborating with national cybersecurity institutions to restore access and investigate causes. By mid-morning, access to www.gov.ro had been restored, followed later by the MApN site returning to functionality.

The pro-Russian hacker group Killnet claimed responsibility for the attacks, which aligned with their pattern of targeting NATO-associated countries. The Romanian Intelligence Service (SRI) through its National CYBERINT Center confirmed the attackers exploited cybersecurity vulnerabilities in network equipment located outside Romania, compromising these devices to launch the DDoS attacks against Romanian sites. Investigators emphasized the attackers leveraged inadequate cybersecurity measures on these external devices as attack vectors. MApN clarified their website contained no sensitive or classified databases, with the attack only blocking user access without compromising internal systems or other defense networks. Similarly, OTP Bank confirmed its website hosted only public information, with no client data or banking infrastructure affected; their site experienced very brief downtime before full restoration. SRI noted the targeted websites fell outside Romania’s National IT&C Infrastructure Protection System (ŢIŢEICA), which it manages, though CYBERINT cooperated with responsible entities to investigate and mitigate the attacks due to their national security implications. Killnet had previously conducted similar DDoS operations against institutions in the United States, Estonia, Poland, Czechia, and NATO that month. Romanian authorities maintained continuous monitoring and response coordination throughout the incident without reporting data breaches or operational disruptions beyond temporary website inaccessibility.
