
Romania’s national water management authority, Romanian Waters (Administrația Națională Apele Române), confirmed that it was the victim of a ransomware attack over the weekend of December 20, 2025.
According to the National Cybersecurity Directorate (DNSC), the incident affected approximately 1,000 computer systems in the central organization and in 10 of its 11 regional offices.
Impact on IT and OT Systems
The ransomware attack disrupted a variety of IT assets, including Geographic Information System (GIS) servers, databases, email and web services, Windows workstations, and domain name servers (DNS).
Romanian authorities stressed that while IT systems were compromised, the operational technology (OT) systems that manage water infrastructure were not affected. Critical water operations continue to run normally, ensuring supply.
Attack Details and Response
The DNSC was notified of the incident on December 20. Technical teams from the DNSC, Romanian Waters, the SRI National Cyberint Center and other authorities are actively investigating the incident and working to contain its impact.
Government experts confirmed that the threat actors used Windows BitLocker to encrypt the compromised systems and left a ransom note. The initial attack vector has not yet been identified.
Recommendations and Threat Context
The DNSC strongly recommended against contacting or negotiating with the cybercriminals, to avoid encouraging and financing cybercrime.
The incident comes weeks after CISA, along with the FBI, NSA and Europol, issued a warning about pro-Russian hacktivist groups, such as Z-Pentest, Sector16, NoName and the Cyber Army of Russia Reborn, which are actively attacking critical infrastructure organizations around the world.
Conclusions
Although Romania’s critical water infrastructure managed to mitigate the operational impact of the attack, the incident underscores the vulnerability of critical infrastructure information technology networks to ransomware threats. The rapid response of authorities and the containment of the attack, which did not reach OT systems, were crucial to avoiding interruptions to essential services.
References
- DNSC press release (mentioned in the text)
- CISA/FBI/NSA/Europol warning on pro-Russian groups (mentioned in the text)