Romania’s national water authority, Romanian Waters (Administrația Națională Apele Române), is currently working to recover from a major ransomware attack that began on December 20, 2025.
According to the National Cyber Security Directorate (DNSC) press release, the incident has affected approximately 1,000 computer systems, including workstations, email services, and web servers.
The DNSC is Romania’s official body responsible for protecting the national critical infrastructure. Because water is considered “critical infrastructure” under Romania’s Government Emergency Ordinance No. 98/2010, any threat to its management is seen as a direct risk to national safety.
What Was Impacted
The attack spread across the main office and reached 10 out of the 11 regional river management branches, impacting offices in Oradea, Cluj, Iași, Siret, and Buzău. The disruption knocked out several key digital tools:
- Database and Domain Name Servers (DNS).
- Email, web servers, and Windows workstations.
- Geographical Information Systems (GIS) used for mapping water data.
Because the official website remains offline, authorities are sharing information through alternative channels such as social media. While digital tools are down, the most vital infrastructure, like dams and flood defences, remains safe, as does the agency’s Operational Technology (OT). On-site staff are managing these systems manually using radios and telephones to ensure everything continues to run smoothly.
A Hidden Threat in Plain Sight
Initial investigation suggests that the hackers used a unique method to lock the agency out of its files. Instead of a custom virus, they exploited BitLocker, a legitimate security tool built into Windows. By turning this tool against the agency, the hackers encrypted data while making it harder for security software to spot the trouble. However, at this point, the exact way the attackers entered the network is still unknown.
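One way a defender might watch for the BitLocker misuse described above, as an added example that is not from the DNSC or the original article: it flags commands that enable BitLocker or change key protectors when they are launched outside an approved management agent, and escalates when several hosts show them within minutes. The log format, the `ExampleMgmt` agent path, the thresholds and the sample lines are constructed assumptions; `manage-bde` and the BitLocker PowerShell cmdlets are standard Windows tools, and the article does not say which the attackers used.

```python
import json
import re
from datetime import datetime, timedelta

# Standard Windows BitLocker tooling; the article does not say which was used.
SENSITIVE = re.compile(
    r"manage-bde(\.exe)?\b.*\s-(on|protectors\s+-(add|delete)|forcerecovery|lock)\b"
    r"|\b(Enable-BitLocker|Add-BitLockerKeyProtector|Remove-BitLockerKeyProtector)\b",
    re.IGNORECASE,
)
# Hypothetical allow-list: the only parent process expected to manage BitLocker.
APPROVED_PARENTS = {r"c:\program files\examplemgmt\agent.exe"}
BURST_HOSTS, BURST_WINDOW = 3, timedelta(minutes=10)  # assumed thresholds

# Constructed process-creation events, one JSON object per line.
SAMPLE_LOG = r"""
{"ts": "2025-01-10T09:00:00", "host": "WS-001", "parent": "C:\\Program Files\\ExampleMgmt\\agent.exe", "cmd": "manage-bde -on C:"}
{"ts": "2025-01-10T02:11:05", "host": "WS-014", "parent": "C:\\Windows\\System32\\cmd.exe", "cmd": "manage-bde -protectors -add D: -RecoveryPassword"}
{"ts": "2025-01-10T02:13:40", "host": "WS-022", "parent": "C:\\Windows\\System32\\cmd.exe", "cmd": "powershell -c Enable-BitLocker -MountPoint C:"}
{"ts": "2025-01-10T02:15:02", "host": "SRV-003", "parent": "C:\\Windows\\System32\\cmd.exe", "cmd": "manage-bde.exe -on E:"}
{"ts": "2025-01-10T02:16:00", "host": "WS-030", "parent": "C:\\Windows\\System32\\cmd.exe", "cmd": "manage-bde -status C:"}
"""

def suspicious_events(log_text):
    """Return sensitive BitLocker commands run from an unapproved parent, oldest first."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        if SENSITIVE.search(ev["cmd"]) and ev["parent"].lower() not in APPROVED_PARENTS:
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            hits.append(ev)
    return sorted(hits, key=lambda e: e["ts"])

def burst_hosts(hits):
    """Return the largest set of hosts hit within BURST_WINDOW, or an empty set below threshold."""
    best = set()
    for first in hits:
        hosts = {e["host"] for e in hits
                 if timedelta(0) <= e["ts"] - first["ts"] <= BURST_WINDOW}
        best = max(best, hosts, key=len)
    return best if len(best) >= BURST_HOSTS else set()

if __name__ == "__main__":
    hits = suspicious_events(SAMPLE_LOG)
    for e in hits:
        print(e["ts"], e["host"], e["cmd"])
    print("fleet-wide burst:", sorted(burst_hosts(hits)))
```

A single flagged host may be an administrator working by hand; the multi-host burst is the signal that matches an incident spreading across many systems at once.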
The DNSC confirmed that the attackers left a digital note demanding negotiations within seven days. However, the agency is standing firm. The official policy is “neither contact nor negotiate with cyberattackers” to ensure that criminal activity is not rewarded or funded.
Protecting the Future
It is worth noting that the Romanian Waters network was not yet part of the country’s central cyber-protection system operated by the National Cyberint Center (CNC). However, steps are now being taken to move the agency under this national security umbrella using intelligent technologies.
Currently, technical teams from the Romanian Intelligence Service (SRI) and other state authorities are working to limit the impact. The DNSC recently shared an update.
While the cleanup continues, the public is asked to avoid contacting the agency’s IT staff so they can focus on getting the systems back online.
OT Vulnerabilities and Cyber Threats to Water Infrastructure
The ransomware attack on Romanian Waters highlights a growing trend: operational technology (OT) systems that control physical infrastructure are increasingly under threat from cyber attackers.
Water utilities, dams, treatment plants, and related OT environments combine networked digital systems with physical processes, making them a high‑value target for both criminals and state‑linked actors.
One notable example occurred in Norway earlier in 2025, when attackers breached the control system of a dam and opened its discharge valve for hours by exploiting weak credentials on an exposed control interface. The incident, blamed on pro-Russian hackers, went undetected for several hours, showing how simple security gaps can lead to direct manipulation of infrastructure systems.
In the United States, federal warnings have repeatedly pointed to ransomware and other attacks against water facility ICS/SCADA systems, with multiple facilities impacted over the years.
In the UK, concerns around water infrastructure security are also growing. Investigations have revealed that many control systems used by water companies are exposed online and often lack even the most basic protection.
Additionally, weak passwords, outdated software and poor network segmentation leave these systems open to tampering. If targeted, these flaws could put clean water access, flood defences or treatment facilities at risk. It’s a reminder that while the physical systems may seem secure, their online side also needs attention.
(Photo by Amritanshu Sikdar on Unsplash)
