Romania’s national water authority hit by ransomware attack affecting about 1,000 systems

Romania’s national water management authority, Administrația Națională Apele Române, was struck by a ransomware attack over the weekend that disrupted information technology systems across much of the organization but left water operations and infrastructure controls unaffected.

Officials from the National Cyber Security Directorate said Sunday that the incident impacted roughly 1,000 computer systems at the water authority, including systems at 10 of its 11 regional offices. The affected assets included servers running geographic information systems, databases, email and web services, as well as Windows workstations and domain name servers.

Authorities said operational technology systems that control dams, reservoirs and other hydrotechnical infrastructure were not compromised. Water management operations continued normally throughout the incident.

Multiple Romanian security agencies are investigating the attack, including the Romanian Intelligence Service through its National Cyberint Center. Investigators determined that the attackers used the built-in Windows BitLocker encryption feature to lock files on compromised systems. A ransom note was left on affected machines instructing victims to make contact within seven days.

In a public advisory, the National Cyber Security Directorate said hydrotechnical assets are operated locally by service personnel and coordinated through dispatch centers that rely on voice communications. Officials stated that these systems remain secure and that all structures are functioning safely.

The cybersecurity agency also confirmed that the national water authority’s infrastructure had not been integrated into Romania’s national cybersecurity protection system for critical IT infrastructure prior to the attack. Work is now underway to bring the authority’s systems under protective mechanisms operated by the National Cyberint Center.

In an update issued Monday, officials said the initial infection vector has not yet been identified. Dispatching, flood forecasting and flood protection activities were reported to be operating within normal parameters using telephone and radio communications.

No ransomware group or state-linked threat actor has claimed responsibility, and Romanian Waters has not attributed the incident. The attack comes amid heightened concern across Europe over cyber threats to critical infrastructure. In recent years, Romania has experienced several high-impact cyber incidents, including a breach at Electrica Group, a major electricity supplier and distributor, and a nationwide ransomware attack in early 2024 that forced more than 100 hospitals to temporarily shut down their digital systems.