Romanian Waters (Administrația Națională Apele Române), the country's water management authority, was hit by a ransomware attack over the weekend.

Officials with the National Cyber Security Directorate (DNSC) said Sunday that the incident impacted approximately 1,000 computer systems at the national water authority and 10 of its 11 regional offices.

While the breach affected servers running geographic information systems, databases, email, and web services, as well as Windows workstations and domain name servers, operations and operational technology (OT) systems controlling water infrastructure are unaffected.

Investigators from multiple Romanian security agencies, including the Romanian Intelligence Service's National Cyberint Center, who are now investigating the incident and working to contain its impact, have found that the attackers used the built-in Windows BitLocker security feature to lock files on compromised systems, then left a ransom note demanding that they be contacted within 7 days.

"The National Administration of Romanian Waters specifies that the operation of hydrotechnical assets is carried out only through dispatch centers using voice communications. Hydrotechnical constructions are safe and are operated locally by service personnel and coordinated by dispatch centers," the DNSC said in a Sunday advisory.

The Romanian cybersecurity agency stated that while the country's national cybersecurity system for critical IT infrastructure did not protect the water management authority's infrastructure before the attack, authorities are now working to integrate it into protective systems operated by the National Cyberint Center.

Investigation ongoing, no attribution

In an update on Sunday, officials said the attack vector has not yet been identified and that the national water authority's operations remain unaffected by the incident.

"Dispatching and operation of hydrotechnical structures are carried out within normal parameters, using telephone and radio communications. Hydrotechnical structures are safe and are operated locally by service personnel, coordinated by dispatchers. Forecasting and flood protection activities have not been affected," the DNSC added in a Monday update.

While no ransomware operation or state-backed threat group has claimed responsibility to date, and the Romanian Waters agency has yet to attribute the attack, the incident follows Danish intelligence officials' blaming Russia for orchestrating a destructive water-utility cyberattack in 2024.

In early December, together with the FBI, NSA, European Cybercrime Centre (EC3), and various other cybersecurity and law enforcement agencies worldwide, CISA warned that pro-Russia hacktivist groups, including Z-Pentest, Sector16, NoName, and CARR (Cyber Army of Russia Reborn), are targeting critical infrastructure organizations worldwide.

This is the latest major ransomware attack that has hit Romania in recent years. Electrica Group (a major Romanian electricity supplier and distributor) was also breached by the Lynx ransomware gang one year ago, while over 100 hospitals across Romania were forced to take their systems offline after a February 2024 Backmydata ransomware attack disrupted their healthcare management systems.