A ransomware attack has compromised more than 1,000 IT systems at Romania’s national water authority, underscoring the growing cyber risk to essential public services.
The breach impacted IT systems across nearly all regional water basin administrations. Despite the scale, officials emphasized that physical water operations remained unaffected.
“Operational Technologies (OT) were not affected,” said Romania’s National Directorate of Cyber Security.
Systems Affected Across Romania’s Water Authority
Romania’s National Administration Apele Române reported that attackers compromised approximately 1,000 systems across the agency and 10 of its 11 regional water basin administrations, affecting locations including Oradea, Cluj, Iași, Siret, and Buzău.
Impacted assets included GIS application servers, databases, Windows workstations and servers, email and web servers, and DNS infrastructure. Authorities confirmed that hydrotechnical control systems were not affected.
Living-Off-the-Land Ransomware Tactics
Investigators determined that the attackers used BitLocker, Windows' built-in full-volume encryption feature, to encrypt volumes on compromised systems rather than deploying custom ransomware binaries.
Because BitLocker is a native operating system component that administrators routinely enable, the activity closely resembled authorized administrative work, making it harder for security tools and staff to distinguish the attack from routine system management while it was under way.
Ransom notes instructed affected organizations to make contact within seven days.
No specific CVE has been publicly disclosed, and the technique does not depend on one: it reflects a broader and increasingly common tactic known as living off the land (LOTL), in which attackers rely on built-in system utilities to evade signature-based detection and reduce their operational footprint.
The technical complexity of the approach is moderate, but its impact is significant given the number of affected systems and their role in supporting planning, monitoring, and coordination functions within critical water infrastructure.
This combination of low-noise execution and high operational impact underscores the growing risk posed by ransomware techniques that exploit trusted tools rather than overtly malicious code. The investigation into the attack is ongoing.
Building Resilience Against Ransomware
Ransomware incidents increasingly leverage legitimate system tools and misconfigured access controls rather than overtly malicious software.
Reducing risk in these scenarios requires disciplined identity management, continuous monitoring, and strong separation between IT and operational environments.
- Enforce least-privilege access and tightly control administrative rights, since enabling BitLocker or changing its key protectors requires local administrator privileges; an account that can do this on many hosts is an account that can encrypt many hosts.
- Monitor for anomalous use of native utilities, including process creation for manage-bde.exe and the Enable-BitLocker cmdlet, the Microsoft-Windows-BitLocker/BitLocker Management event channel, the same account starting encryption on several hosts in a short window, privilege escalation, and unauthorized policy changes.
- Maintain strong segmentation between IT and OT environments and regularly audit controls to prevent lateral movement into operational systems.
- Implement robust backup and recovery practices, including offline backups and regularly tested restoration procedures.
- Reduce attack surface through secure configuration baselines, asset visibility, and restriction of unnecessary services and remote access.
- Test and validate incident response plans through regular ransomware response exercises.
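The detection idea behind the BitLocker abuse described above and the "monitor for anomalous behavior involving native utilities" recommendation can be made concrete. The following is an added example, not code from the original article or from any of the agencies involved: a small Python hunt that runs over constructed process-creation records shaped like Sysmon Event ID 1 (process creation) fields. The hostnames, account names, timestamps and command lines are invented for illustration; the thresholds (30-minute window, three distinct hosts) are assumptions to tune for your environment.

```python
"""Hunt for attacker-driven BitLocker encryption in process-creation telemetry.

Added example. The SAMPLE_EVENTS below are constructed records that imitate
Sysmon Event ID 1 (process creation) fields; they are not logs from the
Apele Romane incident, and every host, user and timestamp is invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that turn BitLocker on or change who can unlock a volume.
# Administrators run these legitimately, so a single hit is a hunt lead,
# not a verdict; the fan-out check below is what separates the two.
BITLOCKER_PATTERNS = [
    ("manage-bde_on", re.compile(r"manage-bde(\.exe)?\s.*-on\b", re.I)),
    ("manage-bde_protector",
     re.compile(r"manage-bde(\.exe)?\s.*-protectors\s+-(add|delete)\b", re.I)),
    ("manage-bde_forcerecovery",
     re.compile(r"manage-bde(\.exe)?\s.*-forcerecovery\b", re.I)),
    ("ps_enable_bitlocker", re.compile(r"Enable-BitLocker\b", re.I)),
    ("ps_protector", re.compile(r"(Add|Remove)-BitLockerKeyProtector\b", re.I)),
]


def classify(event):
    """Return the BitLocker indicator names matched by one event's CommandLine."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in BITLOCKER_PATTERNS if rx.search(cmd)]


def flag_events(events):
    """Every event that touches BitLocker, as (time, host, user, indicators)."""
    out = []
    for ev in events:
        hits = classify(ev)
        if hits:
            out.append((ev["UtcTime"], ev["Computer"], ev["User"], hits))
    return sorted(out)


def find_mass_encryption(events, window=timedelta(minutes=30), min_hosts=3):
    """Accounts that drive BitLocker on >= min_hosts distinct hosts within window.

    One host being encrypted is maintenance. The same account doing it across
    the estate in minutes is the living-off-the-land ransomware pattern.
    """
    per_user = defaultdict(list)  # user -> [(time, host)]
    for ev in events:
        if classify(ev):
            per_user[ev["User"]].append((ev["UtcTime"], ev["Computer"]))
    alerts = {}
    for user, items in per_user.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts


def _ev(t, host, user, image, cmd):
    return {"UtcTime": t, "Computer": host, "User": user,
            "Image": image, "CommandLine": cmd}


T = datetime(2025, 1, 15, 2, 11)  # constructed timestamp
MBDE = r"C:\Windows\System32\manage-bde.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample: one admin enabling BitLocker on a new laptop during the
# day, and a service account fanning out across servers at 02:00.
SAMPLE_EVENTS = [
    _ev(datetime(2025, 1, 15, 9, 0), "WS-NEW-12", r"CORP\jdoe", PS,
        'powershell.exe -Command "Enable-BitLocker -MountPoint C: -RecoveryPasswordProtector"'),
    _ev(T, "SRV-GIS-01", r"CORP\svc_backup", MBDE,
        "manage-bde.exe -on C: -RecoveryPassword -SkipHardwareTest"),
    _ev(T + timedelta(minutes=1), "SRV-GIS-01", r"CORP\svc_backup", MBDE,
        "manage-bde.exe -protectors -add C: -RecoveryPassword"),
    _ev(T + timedelta(minutes=2), "SRV-DB-02", r"CORP\svc_backup", MBDE,
        "manage-bde.exe -on D: -RecoveryPassword -SkipHardwareTest"),
    _ev(T + timedelta(minutes=3), "WS-ADMIN-07", r"CORP\svc_backup", MBDE,
        "manage-bde.exe -on C: -RecoveryPassword -SkipHardwareTest"),
    _ev(T + timedelta(minutes=8), "SRV-MAIL-01", r"CORP\svc_backup", MBDE,
        "manage-bde.exe -on C: -RecoveryPassword -SkipHardwareTest"),
    _ev(T + timedelta(minutes=9), "SRV-MAIL-01", r"CORP\svc_backup",
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        '"chrome.exe" --type=renderer'),
]

if __name__ == "__main__":
    for row in flag_events(SAMPLE_EVENTS):
        print(row)
    print("mass encryption:", find_mass_encryption(SAMPLE_EVENTS))
```

The per-event matches are what you would forward to a SIEM as low-severity leads; the fan-out check is what should page someone. Baseline both against your own deployment tooling first, since an imaging or compliance job that legitimately enables BitLocker on many machines at once will trip the same threshold and belongs on an allow-list keyed to its account and parent process.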
Together, these measures enhance cyber resilience by lowering risk and strengthening an organization’s ability to recover and maintain operations.
Ransomware Targets Critical Infrastructure
This incident aligns with a broader global pattern of ransomware activity targeting public utilities and government agencies, where attackers seek to leverage potential service disruption as a means of coercion.
At the same time, it highlights the importance of strong architectural separation between IT and OT environments, which can help contain incidents and preserve the continuity and safety of essential public services.
These trends are driving many organizations to adopt zero-trust architectures that remove implicit trust between systems and accounts and thereby reduce the lateral movement on which attacks like this one depend.
