Qilin ransomware gang claims theft of 1TB of data from Romania’s oil pipeline operator Conpet

Conpet S.A., Romania’s national oil pipeline operator, confirmed that a ransomware attack last week resulted in the theft of company data, as the Qilin ransomware group claims to have exfiltrated nearly 1 terabyte of internal documents.

The state-controlled company, which operates approximately 3,800 kilometers of pipelines transporting domestic and imported crude oil, gas and condensate to refineries across Romania, said the threat actor breached its corporate IT infrastructure. Operational technology systems, including supervisory control and data acquisition systems and telecommunications infrastructure, remained fully functional, and oil transport operations were not disrupted.

“The incident does not affect the operational activity, the stability of the company, or the ability of the entity to fulfill its contractual obligations,” Conpet said in a statement.

In an updated notice, Conpet said it is working closely with Romania’s National Cyber Security Directorate to investigate the breach and restore affected systems. The company also filed a criminal complaint and took immediate measures to limit the impact of the attack. Its website remained offline as of Friday.

Conpet confirmed that the Qilin ransomware attack involved data exfiltration but said the volume of stolen information cannot yet be determined due to the ongoing investigation.

The Qilin group has listed Conpet on its dark web leak site and claims to have stolen nearly 1 terabyte of documents. The group published 16 images of what it described as internal company documents as proof of the breach. The leaked samples include financial records and passport scans, some marked confidential and dated as recently as November 2025.

Certain documents contain personal data, including names, postal addresses, personal identification numbers and bank account numbers.

In its latest update, Conpet warned that compromised data could be used for fraudulent purposes. The company urged potentially affected individuals to exercise caution regarding urgent requests received by phone, email or other communication channels. It advised verifying the legitimacy of any such request by contacting the organization directly through official contact details listed on its website or verified social media accounts.

Qilin, a Russian-speaking ransomware-as-a-service operation active since 2022, has emerged as one of the most prolific ransomware groups in recent years. The gang has previously targeted hospitals, government agencies and private companies worldwide, publishing stolen data to pressure victims into paying ransoms.