High speed Internet connections make Romanian users very attractive to attackers. "The fact that Romania has an very good Internet connection is to our disadvantage, because any attacker want to have as victims systems that can react quickly, and we provide this kind of systems.(…) "We are what they would like very much: a broadband which one to use to manage attacks further", said Deputy General Manager of CERT-RO (National Response Centre for Cyber Security Incidents), Mr. Mircea Grigoraş.

On 15/03/2016, held a meeting CSAT (Supreme Council of National Defence) in which they were approved "Report on the work CERT-RO" for 2015 and "Annual Activity Plan of CERT-RO for 2016".


According to the "Report on cyber security alerts" processed in 2015 (annex to the annual activity report), CERT-RO collected and processed 68,206,856 cyber security alerts. Through cybersecurity alert is understood in the context of this report, any reporting that contains an IP address or a domain name (URL) related to an cybersecurity incident or possible event, which involves or may involve systems from national cyberspace, owned or managed by individuals or companies in Romania.

After analyzing security alerts collected by CERT-RO in 2015 were found the following:

  • A number of 2,321,931 unique IP addresses, representing 26% of total unique IP addresses related to national cyberspace were extracted from alerts collected by CERT-RO in 2015.
  • 17,088 „.ro” domains were reported to CERT-RO as being compromised in 2015, increasing by approximate 58% compared to 2014 (10,759). From the total of 855,997 registered domain in Romania in February 2015, number represents approximately 2% of all ".ro" domains and about 6.5% of all ".ro" active domains.
  • 78% (53 mln.) of collected and processed alerts are targeting vulnerable systems, in that it is not secured or improperly configured. Some of these vulnerable systems are used by attackers to launch cyber attacks on other targets and for masking identity, most often not necessary to compromise them but simply using available services (eg: DNS servers like "Open Resolver", Proxy servers without authentication, NTP servers configured incorrectly, etc.).
  • 20.78% (14 mln.) of collected and processed alerts are targeting infected systems with different variants of malicious software (malware) botnet, characterized by the fact that has mechanisms that allow attackers to remotely control infected systems.
  • 64% (3 mln.) of the total number of incidents resulting from the processing of alerts are systems that are part of botnet networks, which can be used in running cyber attacks on targets from Romania or outside the country.
Click for more informations here (in romanian)

Most alerts from last year relates to vulnerable systems (78.3%) who were not necessarily compromised, followed by botnets (20.78%). From the 68 million alerts last year CERT-RO identified 2.3 million unique IPs, which represents 26% of all IPs allocated to all organizations in Romania.

The most common types of incidents are:

  1. Compromising websites caused by outdated and vulnerable CMS platforms;
  2. Workstations infection with different variants of malware (viruses), in particular ransomware, caused by accessing malicious links and attachments, amid outdated operating systems and applications.

Necessary measures to avoid such incidents are many, among them are updating operating systems and avoiding the use of old and no longer supported operating systems, websites reconstruction for websites built on outdated or no longer supported CMS platform and updating CMS platforms that still provide support.
Besides these basic steps, it is recommended to consult a specialist in computer security company to carry out regular backups of your data on a machine or a separate storage medium.

Cyber Security