BitLocker Ransomware Attack Cripples Romanian Water Authority’s IT Systems


Romania's national water management authority, Administrația Națională Apele Române (Romanian Waters), was targeted in a sophisticated ransomware attack on December 20, 2025, compromising approximately 1,000 IT systems across the organization. The cyberattack affected 10 of the country's 11 regional water basin administrations, including facilities in Oradea, Cluj, Iași, Siret, and Buzău.

Modus operandi 

The attackers employed an unusual tactic by weaponizing Windows BitLocker, a legitimate encryption tool designed to protect data, to lock files on compromised systems. Rather than deploying traditional ransomware, the threat actors exploited this built-in Windows security feature in a "living off the land" approach that differs from typical ransomware group operations. After encrypting the systems, the attackers left ransom notes demanding that officials contact them within seven days.
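
One way a defender can surface this kind of built-in-tool abuse from process-creation logs, as an added example that is not part of the original article. The log records, account names and the approved-account allowlist are constructed, and because the article does not say how the attackers invoked BitLocker, matching on `manage-bde` and the BitLocker PowerShell cmdlets is an assumption.

```python
from collections import defaultdict

# Constructed process-creation records (flattened from e.g. Security event 4688
# or Sysmon event 1). Hosts, users and command lines are invented for this example.
EVENTS = [
    {"host": "GIS-SRV01", "user": "svc_mdm",   "cmdline": "manage-bde -on C: -RecoveryPassword"},
    {"host": "WS-014",    "user": "jdoe",      "cmdline": "manage-bde -status C:"},
    {"host": "DB-SRV02",  "user": "adm_temp",  "cmdline": "manage-bde.exe -on D:"},
    {"host": "MAIL-01",   "user": "adm_temp",  "cmdline": "powershell.exe -Command Enable-BitLocker -MountPoint C:"},
    {"host": "DNS-01",    "user": "adm_temp",  "cmdline": "manage-bde -protectors -delete C:"},
    {"host": "WS-020",    "user": "helpdesk1", "cmdline": "manage-bde -on E:"},
]

# Assumption: only this provisioning account legitimately enables BitLocker.
APPROVED_USERS = {"svc_mdm"}

CMDLETS = ("enable-bitlocker", "add-bitlockerkeyprotector", "remove-bitlockerkeyprotector")

def changes_bitlocker_state(cmdline):
    """True if the command turns encryption on or alters key protectors.
    Read-only queries such as -status or -protectors -get are ignored."""
    low = cmdline.lower()
    if any(c in low for c in CMDLETS):
        return True
    tokens = low.split()
    if not any(t.endswith(("manage-bde", "manage-bde.exe")) for t in tokens):
        return False
    if "-protectors" in tokens:
        return bool({"-add", "-delete"} & set(tokens))
    return "-on" in tokens

def detect(events, approved=APPROVED_USERS, host_threshold=2):
    """Group unapproved BitLocker state changes by account. One account touching
    several hosts is the high-severity pattern (mass encryption across a fleet)."""
    hosts_by_user = defaultdict(set)
    for e in events:
        if e["user"] not in approved and changes_bitlocker_state(e["cmdline"]):
            hosts_by_user[e["user"]].add(e["host"])
    ranked = sorted(hosts_by_user.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [{"user": user, "hosts": sorted(hosts),
             "severity": "high" if len(hosts) >= host_threshold else "medium"}
            for user, hosts in ranked]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In production the allowlist would normally be combined with the parent process and a time window, since a legitimate rollout also touches many hosts.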

The breach affected critical IT infrastructure including Geographical Information System servers, database servers, email and web services, Windows workstations, and Domain Name Servers. Romanian Waters' website went offline, forcing the agency to share official updates through alternative communication channels.

Despite the extensive IT compromise, the attack did not affect operational technology systems controlling actual water infrastructure. Water management operations continued through dispatch centers using voice communication channels, with hydrotechnical facilities operated locally by on-site personnel coordinated via radio and telephone. Romanian authorities emphasized that forecasting and flood protection activities remained unaffected, with all water control systems functioning within normal parameters.

Investigation and response

Multiple Romanian security agencies, including the National Cyber Security Directorate and the Romanian Intelligence Service's National Cyberint Center, are investigating the incident. The attack vector has not yet been identified, and no ransomware group or state-backed threat actor has claimed responsibility. Officials issued strict guidance against contacting or negotiating with the attackers, emphasizing that ransom payments fund criminal operations and encourage future attacks.

The incident exposed critical gaps in Romania's infrastructure protection framework, as the water authority's systems were not previously integrated into the national cyber defense network. Authorities have initiated steps to incorporate water infrastructure into the national cybersecurity defense system managed by the National Cyber Intelligence Center.