Romania’s National Administration “Apele Române” (Romanian Waters) disclosed a severe ransomware attack on December 20, 2025, confirming the compromise of approximately 1,000 IT systems across the agency and 10 of its 11 regional water basin administrations.
The incident affected critical information systems supporting national water management and hydrotechnical operations. While the scale of the breach was significant, authorities confirmed that operational technology (OT) systems remained secure, preventing disruptions to essential water services.
Scope of the Compromise
According to investigators, the ransomware attack impacted a broad range of enterprise IT assets, including:
- Geographical Information System (GIS) application servers
- Database servers
- Windows workstations and Windows Server environments
- Email and web servers
- Domain Name System (DNS) servers
The breadth of this compromise, spanning application, database, mail, web and DNS tiers, underscores how ransomware operators increasingly target the interconnected IT estates of public-sector and critical infrastructure organizations rather than single hosts.
BitLocker Exploitation: Living-Off-the-Land Tactics
Investigators determined that attackers abused BitLocker, Microsoft’s legitimate full-disk encryption feature, to encrypt files on compromised systems.
This technique—often described as a living-off-the-land (LotL) attack—allows threat actors to:
- Evade traditional antivirus and endpoint detection tools
- Leverage trusted, built-in system utilities
- Reduce the need for custom malware payloads
The misuse of BitLocker in ransomware campaigns continues to rise, particularly in attacks against government agencies and critical infrastructure operators.
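One way a defender can govern a built-in tool like BitLocker is to alert on encryption or key-protector changes that come from anyone other than the sanctioned deployment account. The following detection sketch is an added example, not code from the original article or from any of the agencies named in it; the account names, host names and pipe-delimited export format are constructed, and the approved-account policy is an assumption.

```python
"""Flag BitLocker state or key-protector changes that fall outside an approved
deployment baseline, using process-creation telemetry (Windows Security event
4688 or Sysmon event 1) exported as pipe-delimited text. All account names,
hosts and the export layout are constructed for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service account that legitimately rolls out BitLocker (assumed policy).
APPROVED_ACCOUNTS = {r"CORP\svc-bitlocker-deploy"}

# Command lines that turn encryption on or change key protectors. Routine
# status queries (manage-bde -status) are deliberately not matched.
BITLOCKER_CHANGE = [
    re.compile(r"\bmanage-bde(\.exe)?\b.*\s-on\b", re.I),
    re.compile(r"\bmanage-bde(\.exe)?\b.*\s-protectors\b.*\s-(add|delete)\b", re.I),
    re.compile(r"\bEnable-BitLocker\b", re.I),
    re.compile(r"\b(Add|Remove)-BitLockerKeyProtector\b", re.I),
]

@dataclass
class ProcEvent:
    host: str
    account: str
    parent_image: str
    command_line: str

def parse_event(line: str) -> ProcEvent:
    """Parse one constructed record: host|account|parent_image|command_line."""
    host, account, parent, cmdline = line.rstrip("\n").split("|", 3)
    return ProcEvent(host, account, parent, cmdline)

def classify(ev: ProcEvent) -> Optional[str]:
    """'alert' for BitLocker changes by non-approved accounts, 'baseline' for the
    approved deployment account, None when the command changes nothing."""
    if not any(p.search(ev.command_line) for p in BITLOCKER_CHANGE):
        return None
    return "baseline" if ev.account in APPROVED_ACCOUNTS else "alert"

def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, account, command_line) for every event that alerts."""
    events = (parse_event(ln) for ln in lines if ln.strip())
    return [(e.host, e.account, e.command_line) for e in events if classify(e) == "alert"]

SAMPLE_LOG = [  # constructed telemetry, not records from the incident
    r"GIS-APP01|CORP\svc-bitlocker-deploy|C:\Windows\CCM\CcmExec.exe|manage-bde.exe -on D: -RecoveryPassword",
    r"DB-SRV02|CORP\jdoe|C:\Windows\System32\cmd.exe|manage-bde.exe -status",
    r"DB-SRV02|CORP\jdoe|C:\Windows\System32\cmd.exe|manage-bde.exe -on D:",
    r"MAIL01|CORP\jdoe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|Enable-BitLocker -MountPoint E:",
]

if __name__ == "__main__":
    for host, account, cmd in scan(SAMPLE_LOG):
        print(f"ALERT {host} {account}: {cmd}")
```

In a real deployment the baseline would also include the expected parent image (for example the endpoint-management agent) and the check would be joined with whether the recovery protector was escrowed to Active Directory, since an encryption change with no escrowed recovery key is the condition that turns a defensive feature into a denial-of-access event.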
Operational Impact and Regional Reach
The affected water basin administrations include facilities in:
- Oradea
- Cluj
- Iași
- Siret
- Buzău
Attackers left ransom notes instructing victims to initiate contact within seven days. However, Romania’s National Directorate of Cyber Security (DNSC) reaffirmed its long-standing policy against engaging or negotiating with cybercriminals, emphasizing that ransom payments only fuel further criminal activity.
National Cybersecurity Response
Romanian authorities launched a coordinated incident response involving:
- DNSC (National Directorate of Cyber Security)
- National Cyberint Center (CNC) within the Romanian Intelligence Service
- Other national cybersecurity and law enforcement bodies
Technical teams are actively investigating the intrusion, performing forensic analysis, and restoring affected IT services.
Why Water Operations Continued Uninterrupted
Despite the IT disruption, hydrotechnical operations remained fully functional:
- OT systems controlling dams, reservoirs, and flood defenses were isolated and unaffected
- Dispatchers coordinated operations via telephone and radio communications
- On-site personnel manually operated hydrotechnical infrastructure
- Flood forecasting and defense activities continued without interruption
This separation between IT and OT environments played a critical role in maintaining public safety.
Systemic Gaps in Critical Infrastructure Protection
The investigation revealed that Romania’s water management IT infrastructure was not previously integrated into the national cyber protection system operated by the CNC. This framework is designed to safeguard both public and private critical IT infrastructures.
Authorities have since initiated steps to formally onboard Romania’s water infrastructure into this national cybersecurity protection ecosystem.
A Growing Trend: Ransomware Targeting Water Utilities
This incident highlights a broader and concerning trend: ransomware operators increasingly targeting water utilities and essential public services. These organizations often rely on legacy systems, complex supply chains, and limited cybersecurity budgets—making them attractive targets for extortion-focused attacks.
Conclusion: Lessons for Critical Infrastructure Defenders
As the investigation continues, Romanian authorities stress that restoring IT services remains the top priority, while ensuring the continued safety and reliability of national water operations.
For cybersecurity leaders, CISOs, and infrastructure operators, the attack reinforces several key lessons:
- Built-in tools like BitLocker can be weaponized if not properly governed
- Strong IT/OT segmentation is essential for resilience
- National-level cyber protection frameworks must include all critical sectors
Protecting water infrastructure is no longer just an engineering challenge—it is a national cybersecurity imperative.
Key Takeaways
- ~1,000 IT systems across Romania’s water authority were compromised
- Attackers abused BitLocker to encrypt systems without deploying custom ransomware
- OT systems remained secure, preventing service disruptions
- The incident exposed gaps in national critical infrastructure cyber coverage
- Water utilities remain high-value targets for ransomware groups