Romania’s national oil pipeline firm Conpet reports cyberattack

Romania’s national oil pipeline operator Conpet said a cyberattack disrupted its business systems and temporarily knocked its website offline.

Conpet is a state-controlled company that owns and operates the country’s crude oil, condensate, and liquid petroleum product pipeline network. Its main role is to transport oil from domestic production fields and import points to refineries across Romania.

A company press release states that it detected a cyberattack on February 3, 2026, which impacted the company’s business IT infrastructure.

CONPET clarifies that operational technologies were not affected, including the SCADA and telecommunications systems, and that the National Oil Transport System continues to operate normally without disruptions or safety issues. Oil and fuel transport activities remain fully functional.

As a consequence of the incident, the company’s website (www.conpet.ro) is currently inaccessible.

The company reports that its internal specialists immediately activated mitigation measures and are working closely with Romania’s national cybersecurity authorities to investigate the incident and restore affected systems as quickly as possible.

On the same day, CONPET also filed a criminal complaint with Directorate for Investigating Organized Crime and Terrorism (DIICOT), Romania’s organized crime and terrorism investigation directorate.

Finally, the pipeline operator emphasizes that the incident does not affect its operational activity, financial stability, or ability to meet contractual obligations.

“CONPET S.A. informs about the fact that, on 03.02.2026, there was a cyber attack that affected the business IT infrastructure of the company.” reads the press release published by the company.

“We mention that the operational technologies (SCADA System and Telecommunication System) have not been affected, thus the basic activity of the society, consisting of the transport of oil and gasoline through the National Oil Transport System, operates in normal parameters and there are no synchronization in its operation.”

The company did not provide technical details about the attack, however, the ransomware group Qilin added the company to its Tor data leak site on February 5, 2026. The extortion group claims the theft of 1TB of sensitive data and published images of stolen data as proof of the hack.

Qilin ransomware operation has been active since 2022, it has become one of the most active RaaS groups in 2025, claiming over 40 victims monthly and peaking at 100 in June. Recently, Resecurity’s researchers detailed how the Qilin RaaS group relies on global bulletproof hosting networks to support its extortion operations.

In early October, DragonForce, LockBit, and Qilin formed a ransomware alliance to boost attack effectiveness, marking a major shift in the cyber threat landscape. Ransomware groups DragonForce, LockBit, and Qilin formed a strategic alliance to enhance their attack capabilities, signaling an evolving cyber threat landscape. The alliance aims at sharing tools and infrastructure to enhance attack effectiveness. 

Recently, other critical infrastructure operators in Romania have suffered ransomware attacks, including Romania’s largest coal-based power producer Oltenia Energy Complex and Romanian energy supplier Electrica Group. 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – malware, Conpet)