The Romanian national cyber security and incident response team, DNSC, has issued a statement about a series of distributed denial-of-service (DDoS) attacks targeting several public websites managed by the state entities.
The attack has been claimed by a pro-Russian group calling themselves Killnet. They targeted servers that host public sites with a high number of requests or high volumes of data, essentially depleting their processing resources and causing them to become unavailable.
All websites are currently working. According to the DNSC announcement, attackers targeted the following websites:
- gov.ro (official website of Romania’s Government)
- mapn.ro (official website of Romania’s Ministry of Defense)
- politiadefrontiera.ro (official of Romanian Border Police)
- cfrcalatori.ro (official website of Romania’s National Railway Transport Company)
- otpbank.ro (site of a commercial bank operating in Romanian)
DNSC is now collaborating with other authorities in the country to map these attacks and mitigate their effect. The agency announced that it would publish the IP addresses involved in the attack.
According to the main intelligence service in Romania, SRI, the DDoS attack started at local time 04 A.M. and it originated from compromised network equipment outside the country that had been compromised by exploiting security vulnerabilities. Around 11 A.M., the websites started to be live again.
BleepingComputer learned from the DNSC that the attack targeted web apps (OSI level 7). It was not particularly strong but it likely hit throttling limits on the targets, making the websites unavailable.
The administrators of the affected sites are advised to follow the guidelines provided here and use these indicators of compromise to filter out malicious requests.
Killnet takes responsibility
The group that took responsibility for these attacks is called “Killnet”, and is basically a pro-Russian hacktivist collective.
Killnet explained on in a post on a messaging service that the attacks are in response to a recent statement made by the President of Romania’s Senate (upper house of the Parliament), Marcel Ciolacu [sic. Ciolacu is the president of the Chamber of Deputies, the lower house of Romania’s Parliament], who promised to provide Ukraine with maximum assistance, including weapons
The same group has previously launched DDoS attacks against sites in the U.S., Czech, Estonian, German, and Polish sites, all for similar political reasons, requesting to stop the supply of military weapons and equipment to Ukraine.
Ukraine also targeted
Only yesterday, the Ukrainian computer emergency response team warned about a climaxing DDoS problem that uses the computer resources of website visitors to overwhelm Ukrainian site targets.
These attacks have been going on since at least the end of March 2022, exploiting bad security on WordPress sites to plant malicious JavaScipt that generates requests to attack specific targets.