Administrația Națională Apele Române (Romanian Waters) and the Romanian National Cyber Security Directorate (DNSC) said a ransomware attack that began on December 20 has compromised around 1,000 of the agency’s computer systems, and spread to ten of the country’s 11 river basin management organisations. The DNSC said it was investigating the incident.
Romanian Waters said its geographical information system application servers, database servers, Windows workstations and servers, email and web servers, and domain name servers were affected, and that its public website remained offline so official information was being shared via alternative channels.
Authorities said the agency’s core hydrotechnical operations and local on-site control continued to run normally and were not affected, even as IT teams worked to investigate and remediate roughly 1,000 impacted systems.
Files were encrypted and attackers left ransom notes demanding that Romanian Waters begin negotiations within seven days. The DNSC reported that the intruders exploited Windows BitLocker to encrypt files, a detail the agency said could indicate the attack did not use a known ransomware group’s payload. The DNSC stated victims should not contact or negotiate with attackers and warned against contacting IT teams so they could focus on restoration.
Romanian Waters’ network was not connected to Romania’s system for protecting critical national infrastructure, the DNSC said. Officials said steps had begun to integrate the agency’s infrastructure into national cyber-protection systems to improve monitoring and detection.
Officials described the incident as the latest in a series of cyber-attacks affecting water authorities and other critical services. Investigation and remediation work on the impacted systems is ongoing, and authorities said they would provide further details as they become available.