2022 DDoS attacks on Romania explained

Beginning at 04:05 EEST on 29 April 2022, a series of multiple denial-of-service attack (DDoS) attacks were launched against several Romanian government, military, bank and mass media websites. Behind the attacks was the pro-Kremlin hacking group Killnet, who resorted to this in response to a declaration made by Florin Cîțu, the then-president of the senate of Romania, that Romania would provide Ukraine with military aid. The Russian Federation, who invaded the latter, publicly spoke against Western military support for Ukraine, stating that it would result in "lightning-fast retaliatory strikes". The DDoS attacks continued until 1 May.

Background

On 26 April 2022, the president of the chamber of deputies of Romania, Marcel Ciolacu, the prime minister, Nicolae Ciucă, and the minister of foreign affairs, Bogdan Aurescu, visited Kyiv in Ukraine to meet the Ukrainian president, Volodymyr Zelenskyy, the prime minister, Denys Shmyhal, and the president of the Verkhovna Rada, Ruslan Stefanchuk. In the meeting, Romania reiterated its support for Ukraine and its European integration aspirations, as well as committing to active involvement in the reconstruction of the country.[1]

The meeting was planned since as early as 13 April, with the Romanian delegation initially consisting of the president of the senate of Romania, Cîțu, and the president of the chamber of deputies, Marcel Ciolacu, both visiting Kyiv on 27 April at the invitation of Stefanchuk.[2] Prime Minister Ciucă justified the absence of Cîțu around the fact that there were two state visits separately planned, under condition by the safety measures imposed in Kyiv due to the 2022 Russian invasion of Ukraine.[3] Nevertheless, Florin Cîțu visited Kyiv by himself on 27 April 2022,[4] after which he stated that Romania should do more for Ukraine, supporting them with military equipment.[5]

Russia claimed that Western military support for Ukraine are "posing a threat to European security". The Russian president, Vladimir Putin, stated that "if someone intends to intervene in the ongoing events [Russian invasion of Ukraine] from the outside, and create strategic threats for Russia that are unacceptable to us, they should know that our retaliatory strikes will be lightning-fast".[6]

Cyber attack

On 29 April 2022, at 04:05 EEST, the websites of the Ministry of National Defence (MApN), the Romanian Border Police, the Government of Romania and of CFR Călători were taken down by a DDoS attack. According to the MApN, the cyberattack did not compromise the functioning of its website, but rather prevented user access to it. The government stated that IT specialists at the structures at governmental level are collaborating with experts from specialized institutions to restore access and identify the causes. In the meantime, CFR Călători issued alternative means of purchasing train tickets digitally.[7]

The Romanian Intelligence Service (SRI) stated that the hackers behind the cyberattack used network equipment from outside Romania.[8] The pro-Kremlin hacking group Killnet claimed the attacks through Telegram, stating that "the president of the Romanian Senate, Marcel Ciolacu issued a statement promising the Ukrainian authorities "maximum assistance" in supplying lethal weapons to Kyiv". Furthermore, they revealed a list of websites that it took down through the DDoS attack, where the website of OTP Bank (the Romanian division) was also listed.[9] The Directorate for Investigating Organized Crime and Terrorism (DIICOT) was notified in the case, and access to the websites was restored.[10]

At 19:30 EEST, another DDoS attack was launched, this time on the website of the Ciolacu-led Social Democratic Party (PSD), taking it down in a similar manner. In response, the party's IT department quickly took action and restored access to the website within 15 minutes.

In retaliation, Romania's National Cybersecurity Directorate (DNSC) published a list of 266 IP addresses involved in the 29 April DDoS attacks to its official website. On 30 April, at approximatively 2:30 EEST, this website had also been taken down through a further DDoS attack by the pro-Kremlin hacking group, with user access restored by 8:30 EEST.[11] Later the same day, a further DDoS attack took down the website of the Romanian Police.[12]

The pro-Kremlin hacking group threatened to take down another 300 Romanian websites in a similar manner, including websites of stores, military, government, mass-media, banks, hospitals, educational institutions, political parties, etc. Some websites using Moldovan (.md) domains were also included in the list.[13]

On 1 May 2022, Killnet took down the websites of seven Romanian airports (including those located in Bucharest, Cluj-Napoca, etc.), as well as of the TAROM airline and several news media websites, including Digi24, among others.[14]

It has been suspected that a Romanian resident in the United Kingdom helped Killnet take down Romanian websites, translating content in Romanian into Russian. They were put in custody.[15] In retaliation, Killnet threatened to "destroy Romania, the United Kingdom and Moldova" if they were not released within 48 hours.[16]

Public reactions

Romania's minister of defence, Vasile Dîncu described the cyberattacks as "symbolic attacks".[17] Marcel Ciolacu called his nominalization as "Senate president" by Killnet a mistake (as the presidency of the senate was held by Cîțu),[18] and stated that "if needed, Romania is ready both legally and morally to take this step [to supply Ukraine with military equipment]. At this moment [at the time of the first attacks], there is no decision".[19] In the meantime, the Romanian hacking group "Anonymous Romania" stated that it launched a counterattack against a Russian governmental website.[20]

Cîțu reacted as well: "First of all, I do not know what kind of hackers are those who do not know who the president of the Senate or the president of the Chamber of Deputies is [...]. Secondly, if we look at that [Killnet's] statement it is bizarre to have the picture of the President of the Chamber of Deputies, to have the correct name, but to mistake his position [...]. A simple search on Wikipedia and you would have found out who the president of the Senate is".[21]

See also

Notes and References

  1. Web site: Imagini cu Marcel Ciolacu și Nicolae Ciucă la Kiev, cu Volodimir Zelenski. Vizita ar fi trebuit să aibă loc mâine, împreună cu Florin Cîțu . 2022-04-29 . Antena3 . ro . Images of Marcel Ciolacu and Nicolae Ciucă in Kiev, with Volodimir Zelenski. The visit should have taken place tomorrow, together with Florin Cîțu.
  2. Web site: Marcel Ciolacu și Florin Cîțu merg la Kiev pe 27 aprilie . 2022-04-29 . www.digi24.ro . ro.
  3. Web site: De ce nu a fost Florin Cîțu în Ucraina alături de Ciucă și Ciolacu. Explicația premierului . 2022-04-29 . www.antena3.ro . Romanian.
  4. Web site: Primele imagini cu Florin Cîțu în Ucraina: "Ceea ce am văzut deschide ochii lumii asupra acțiunilor Rusiei" . 2022-04-29 . www.antena3.ro . Romanian.
  5. Web site: Marcel Ciolacu, despre trimiterea de arme în Ucraina: "Dacă este nevoie, România este pregătită să facă acest pas" . 2022-04-29 . www.antena3.ro . Romanian.
  6. Web site: 2022-04-28 . Russia says pumping Ukraine with weapons is threat to European security . 2022-04-29 . Reuters .
  7. Web site: Val de atacuri cibernetice în România. Vizate mai multe instituții, între care Guvernul și Ministerul Apărării / Atacurile, revendicate de hackerii pro-ruși de la Killnet . 2022-04-29 . economie.hotnews.ro . ro.
  8. Web site: Atacurile cibernetice care au vizat Guvernul și MApN. SRI: Hackerii au folosit echipamente de rețea din afara României, profitând de vulnerabilități ale site-urilor . 2022-04-29 . www.hotnews.ro . ro.
  9. Web site: Cine este gruparea de hackeri Killnet care a atacat site-urile Guvernului și Armatei României . 2022-04-29 . economie.hotnews.ro . ro.
  10. Web site: Site-ul PSD inactiv după ce a fost atacat de hakerii ruși de la Killnet . 2022-04-29 . www.antena3.ro . Romanian.
  11. Web site: Continuă seria de atacuri de tip DDoS asupra site-urilor românești . 2022-04-30 . www.antena3.ro . Romanian.
  12. Web site: 2022-04-30 . UPDATE Site-ul Poliției Române a fost atacat cibernetic "într-un mod similar ca celelalte instituții" (surse)/ Problema a fost remediată în aproximativ o oră de la anunțul Poliției/ Hackerii pro-ruși Killnet au amenințat că vor ataca peste 300 de entități din România . 2022-04-30 . . ro-RO.
  13. Web site: Gruparea Killnet amenință că va ataca cibernetic alte aproape 300 de site-uri din România . 2022-05-01 . economie.hotnews.ro . ro.
  14. Web site: Site-urile marilor aeroporturi din România nu funcționează. Hackerii ruși de la Killnet revendică atacul . 2022-05-01 . Digi24 . ro.
  15. Web site: 2022-05-03 . Un român din Marea Britanie, suspectat că a ajutat gruparea de hackeri ruși Killnet pentru a ataca site-uri din România. Bode: "Cetăţeanul este în custodia autorităţilor şi este audiat" . 2022-05-04 . G4 Media . ro.
  16. Web site: 2022-05-03 . Killnet confirmă sprijinul românului Ioan Feher și amenință că va "distruge România, Marea Britanie și Moldova" dacă nu va fi eliberat: "Dacă susține Rusia, nu înseamnă că e un criminal"/ Este vizat Ministerul Sănătății . 2022-05-04 . G4 Media . ro-RO.
  17. Web site: Reacția lui Vasile Dîncu după ce grupul pro-rus Killnet a atacat cibernetic România: "Este un atac simbolic" . 2022-04-30 . Stirileprotv.ro . ro.
  18. Web site: Ciolacu spune că hackerii ruși l-au confundat cu Cîțu: E o greșeală acolo, sunt și eu . 2022-04-30 . www.digi24.ro . ro.
  19. Web site: Ce spune Marcel Ciolacu, președintele Camerei Deputaților, despre motivele invocate de hackerii Killnet: E o greșeală acolo . 2022-04-30 . ZF.ro . ro.
  20. Web site: 2022-04-29 . Grupul de hackeri Anonymous România susține că a atacat un site guvernamental din Rusia ca răspuns la acțiunile grupării ruse Killnet . 2022-04-30 . G4 Media . ro-RO.
  21. Web site: Cîțu, deranjat că a fost confundat cu Ciolacu: Ce hackeri sunt ăia care nu știu cine e șeful Senatului? Dădeai search pe Wikipedia . 2022-05-02 . www.digi24.ro . ro.