Beginning at 04:05 EEST on 29 April 2022, a series of multiple denial-of-service attack (DDoS) attacks were launched against several Romanian government, military, bank and mass media websites. Behind the attacks was the pro-Kremlin hacking group Killnet, who resorted to this in response to a declaration made by Florin Cîțu, the then-president of the senate of Romania, that Romania would provide Ukraine with military aid. The Russian Federation, who invaded the latter, publicly spoke against Western military support for Ukraine, stating that it would result in "lightning-fast retaliatory strikes". The DDoS attacks continued until 1 May.
On 26 April 2022, the president of the chamber of deputies of Romania, Marcel Ciolacu, the prime minister, Nicolae Ciucă, and the minister of foreign affairs, Bogdan Aurescu, visited Kyiv in Ukraine to meet the Ukrainian president, Volodymyr Zelenskyy, the prime minister, Denys Shmyhal, and the president of the Verkhovna Rada, Ruslan Stefanchuk. In the meeting, Romania reiterated its support for Ukraine and its European integration aspirations, as well as committing to active involvement in the reconstruction of the country.[1]
The meeting was planned since as early as 13 April, with the Romanian delegation initially consisting of the president of the senate of Romania, Cîțu, and the president of the chamber of deputies, Marcel Ciolacu, both visiting Kyiv on 27 April at the invitation of Stefanchuk.[2] Prime Minister Ciucă justified the absence of Cîțu around the fact that there were two state visits separately planned, under condition by the safety measures imposed in Kyiv due to the 2022 Russian invasion of Ukraine.[3] Nevertheless, Florin Cîțu visited Kyiv by himself on 27 April 2022,[4] after which he stated that Romania should do more for Ukraine, supporting them with military equipment.[5]
Russia claimed that Western military support for Ukraine are "posing a threat to European security". The Russian president, Vladimir Putin, stated that "if someone intends to intervene in the ongoing events [Russian invasion of Ukraine] from the outside, and create strategic threats for Russia that are unacceptable to us, they should know that our retaliatory strikes will be lightning-fast".[6]
On 29 April 2022, at 04:05 EEST, the websites of the Ministry of National Defence (MApN), the Romanian Border Police, the Government of Romania and of CFR Călători were taken down by a DDoS attack. According to the MApN, the cyberattack did not compromise the functioning of its website, but rather prevented user access to it. The government stated that IT specialists at the structures at governmental level are collaborating with experts from specialized institutions to restore access and identify the causes. In the meantime, CFR Călători issued alternative means of purchasing train tickets digitally.[7]
The Romanian Intelligence Service (SRI) stated that the hackers behind the cyberattack used network equipment from outside Romania.[8] The pro-Kremlin hacking group Killnet claimed the attacks through Telegram, stating that "the president of the Romanian Senate, Marcel Ciolacu issued a statement promising the Ukrainian authorities "maximum assistance" in supplying lethal weapons to Kyiv". Furthermore, they revealed a list of websites that it took down through the DDoS attack, where the website of OTP Bank (the Romanian division) was also listed.[9] The Directorate for Investigating Organized Crime and Terrorism (DIICOT) was notified in the case, and access to the websites was restored.[10]
At 19:30 EEST, another DDoS attack was launched, this time on the website of the Ciolacu-led Social Democratic Party (PSD), taking it down in a similar manner. In response, the party's IT department quickly took action and restored access to the website within 15 minutes.
In retaliation, Romania's National Cybersecurity Directorate (DNSC) published a list of 266 IP addresses involved in the 29 April DDoS attacks to its official website. On 30 April, at approximatively 2:30 EEST, this website had also been taken down through a further DDoS attack by the pro-Kremlin hacking group, with user access restored by 8:30 EEST.[11] Later the same day, a further DDoS attack took down the website of the Romanian Police.[12]
The pro-Kremlin hacking group threatened to take down another 300 Romanian websites in a similar manner, including websites of stores, military, government, mass-media, banks, hospitals, educational institutions, political parties, etc. Some websites using Moldovan (.md) domains were also included in the list.[13]
On 1 May 2022, Killnet took down the websites of seven Romanian airports (including those located in Bucharest, Cluj-Napoca, etc.), as well as of the TAROM airline and several news media websites, including Digi24, among others.[14]
It has been suspected that a Romanian resident in the United Kingdom helped Killnet take down Romanian websites, translating content in Romanian into Russian. They were put in custody.[15] In retaliation, Killnet threatened to "destroy Romania, the United Kingdom and Moldova" if they were not released within 48 hours.[16]
Romania's minister of defence, Vasile Dîncu described the cyberattacks as "symbolic attacks".[17] Marcel Ciolacu called his nominalization as "Senate president" by Killnet a mistake (as the presidency of the senate was held by Cîțu),[18] and stated that "if needed, Romania is ready both legally and morally to take this step [to supply Ukraine with military equipment]. At this moment [at the time of the first attacks], there is no decision".[19] In the meantime, the Romanian hacking group "Anonymous Romania" stated that it launched a counterattack against a Russian governmental website.[20]
Cîțu reacted as well: "First of all, I do not know what kind of hackers are those who do not know who the president of the Senate or the president of the Chamber of Deputies is [...]. Secondly, if we look at that [Killnet's] statement it is bizarre to have the picture of the President of the Chamber of Deputies, to have the correct name, but to mistake his position [...]. A simple search on Wikipedia and you would have found out who the president of the Senate is".[21]