Romanian Waters confirms cyberattack, critical water operations unaffected

Romanian Waters confirms cyberattack, critical water operations unaffected

Pierluigi Paganini
December 22, 2025

Romania’s national water management authority, Romanian Waters, was hit by a ransomware attack over the weekend.

Romanian Waters (Administrația Națională Apele Române), the country’s water management authority, suffered a ransomware attack over the weekend.

According to the National Cyber Security Directorate (DNSC), the incident affected around 1,000 computer systems across the central organization and 10 of its 11 regional offices. The attack disrupted IT assets, including GIS servers, databases, email and web services, Windows workstations, and domain name servers.

Authorities stressed that operational technology (OT) systems managing water infrastructure were not impacted, and water operations continue to function normally.

“The National Directorate of Cyber ​​Security (DNSC) was notified on December 20, 2025 of a ransomware cyber attack on several workstations and servers belonging to the National Romanian Waters Administration and a number of 10 (out of 11) water basin administrations in the country, including Oradea, Cluj, Iași, Siret, Buzău.” reads the press release published by DNSC. “Due to this cyber incident, approximately 1,000 IT&C systems were compromised, including Geographical Information System (GIS) application servers, database servers, Windows workstations, Windows Server servers, email/web servers, and Domain Name Servers (DNS).”

Technical teams from the DNSC, Romanian Waters, the SRI’s National Cyberint Center, affected entities, and other authorities are actively investigating the incident and working to contain its impact. DNSC states that the Romanian Waters’ infrastructure is not yet connected to the national cyber protection system operated by CNC. Authorities have started the process to integrate it into CNC’s security platforms, which use advanced technologies to protect critical public and private IT and communications infrastructure from cyber threats.

Government experts who are investigating the incident confirmed that threat actors used Windows BitLocker to encrypt systems and issued a ransom note demanding contact within seven days. However at this time, the attack vector has not yet been identified.

DNSC reiterated its strict advice not to contact or negotiate with ransomware actors to avoid encouraging and funding cybercrime.

“We recommend that the IT&C teams of the Romanian Waters National Administration or the basin administrations not be contacted, so that they can focus on restoring IT services!” concludes the report

In early December, CISA, alongside the FBI, NSA, Europol’s EC3, and other global partners, warned that pro-Russia hacktivist groups such as Z-Pentest, Sector16, NoName, and the Cyber Army of Russia Reborn are actively targeting critical infrastructure organizations worldwide.

In early December, US CISA together with the FBI, NSA, European Cybercrime Centre (EC3), and various other cybersecurity and law enforcement agencies worldwide, warned that pro-Russia hacktivist groups, including Z-Pentest, Sector16, NoName, and CARR (Cyber Army of Russia Reborn), are targeting critical infrastructure organizations worldwide.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon