Cyber Incident Victim: Politia de Frontiera Romana
Date: Apr 2022
Location: Romania
Summary
A pro-Russian hacker group known as Killnet conducted distributed denial-of-service (DDoS) attacks targeting multiple Romanian government and financial websites, including those of the border police, defense ministry, national railway operator, and a commercial bank. The attacks temporarily disrupted public access to the affected sites but did not compromise sensitive data or classified systems, as the targeted webpages reportedly contained only public information. Romania's National Cyberint Center determined that the attacks were launched from network equipment located outside Romania that had been compromised through security vulnerabilities, and emphasized that the impacted websites fell outside the national critical IT infrastructure protection system. Services were restored within hours, with authorities confirming no operational disruptions to internal networks or financial transactions. The incident mirrored similar DDoS campaigns by Killnet against NATO-aligned nations during this period.
Description
On the morning of April 29, 2022, a series of distributed denial-of-service (DDoS) cyberattacks disrupted access to multiple Romanian government and financial websites, including gov.ro (Government of Romania), mapn.ro (Ministry of National Defense), politiadefrontiera.ro (Romanian Border Police), cfrcalatori.ro (CFR Călători railway operator), and otpbank.ro (OTP Bank Romania). The attacks began as early as 04:05 local time, targeting the public-facing websites with high-volume traffic floods designed to overwhelm servers. Initial disruptions rendered these sites temporarily inaccessible to users. The Romanian government confirmed the incident, noting that IT specialists from relevant governmental structures collaborated with specialized institutions to restore access and investigate causes. By the time of official announcements, access to www.gov.ro had already been restored, while the Ministry of National Defense (MApN) website remained nonfunctional for a period before specialists from its Cyber Defense Command (CApC) restored service later that day.

The pro-Russian hacker group Killnet claimed responsibility for the attacks, aligning with its pattern of DDoS operations against NATO-aligned states, including prior April 2022 attacks on institutions in the U.S., Estonia, Poland, Czechia, and NATO itself. Romania’s Intelligence Service (SRI) determined through its National CYBERINT Center that attackers exploited security vulnerabilities in network equipment located outside Romania, compromising these devices to launch the DDoS attacks. MApN and OTP Bank emphasized that no sensitive or classified data was compromised, as the targeted websites hosted only public information and were operationally separate from core systems. MApN confirmed its internal networks and services remained unaffected, while OTP Bank clarified its banking infrastructure and customer data were never breached, with website downtime being brief. SRI noted the attacked sites fell outside Romania’s national critical IT infrastructure protection system (ȚIȚEICA), which it manages, but CYBERINT nonetheless cooperated with responsible entities to investigate and mitigate the attacks due to their scale and national security implications. No data theft or persistent network compromises were reported, with impacts limited to temporary service disruptions.
