Administrația Națională Apele Române (Romanian Waters), the agency responsible for managing the country’s water infrastructure, has been struck by a ransomware attack that compromised approximately 1,000 computer systems across its central organization and ten of its eleven regional river basin offices. The National Cyber Security Directorate (DNSC) confirmed the incident on December 22, 2025, noting that attackers leveraged Windows’ native BitLocker encryption tool to lock files rather than deploying traditional ransomware payloads.
Attack Scope and Affected Systems
The intrusion, which began on December 20, 2025, disrupted a wide range of IT assets including geographic information system (GIS) application servers, database servers, email and web servers, Windows workstations, and domain name servers. Regional offices in Oradea, Cluj, Iași, Siret, and Buzău were among those affected. The agency’s public-facing website remains offline, with official communications now being disseminated through alternative channels.
Despite the scale of the breach, Romanian Waters confirmed that operational technology (OT) systems controlling physical water infrastructure remained unaffected. Hydrotechnical operations, including dam management, flood defense systems, and water distribution monitoring, continue to function normally through dispatch centers using voice communications and manual oversight. This separation between IT and OT environments prevented the attack from disrupting the agency’s core mission of managing Romania’s water resources.
BitLocker Weaponization Suggests Unconventional Tactics
Forensic investigators determined that the attackers used Microsoft’s built-in BitLocker encryption tool to lock access to system drives, a technique that deviates from conventional ransomware deployment. This approach, known in cybersecurity circles as a “living off the land” (LOTL) method, involves abusing legitimate system utilities rather than introducing external malicious software. By leveraging trusted Windows functionality, attackers can evade security controls and make their activities resemble authorized administrative operations.
The use of BitLocker rather than custom encryption malware suggests this may not be the work of an established ransomware operation. However, the attackers did leave ransom notes demanding that Romanian Waters establish contact within seven days, following typical extortion patterns. As of publication, no threat actor or ransomware group has claimed responsibility for the incident, and the initial attack vector remains unidentified.
Infrastructure Protection Gaps Exposed
The incident revealed that Romanian Waters’ network was not integrated into the country’s critical national infrastructure (CNI) protection system operated by the National Cyberint Center (CNC). This monitoring framework, comparable to the UK’s National Cyber Security Centre Early Warning service, routes CNI systems’ traffic through detection tools designed to identify anomalous activity before attacks become disruptive.
DNSC stated that steps are now underway to bring the water management agency under this national security umbrella. Technical teams from the Romanian Intelligence Service (SRI) and other state authorities are currently working to contain the breach and restore affected systems. The cybersecurity directorate reiterated its policy of advising against negotiations with ransomware actors, emphasizing that payment encourages further criminal activity.
European Water Infrastructure Under Growing Pressure
The Romanian incident fits a broader pattern of escalating cyber threats against water utilities across Europe and North America. According to data from Britain’s Drinking Water Inspectorate, UK water suppliers reported fifteen cyberattack incidents between January 2024 and October 2025. In Denmark, pro-Russian hacktivist group Z-Pentest successfully manipulated water pressure controls in the town of Køge during 2024, causing pipe bursts and leaving approximately 500 homes without water for several hours.
In the United States, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, NSA, and international partners, issued warnings in early December 2025 about pro-Russia hacktivist groups actively targeting critical infrastructure organizations. Groups identified include Z-Pentest, Sector16, NoName057(16), and the Cyber Army of Russia Reborn (CARR). American Water, the largest regulated water utility in the US serving over 14 million people across 14 states, detected a cyberattack in October 2024 that forced the company to disconnect customer portals and pause billing systems, though water quality and core operations remained intact.
Regulatory and Technical Responses Accelerating
Romania has been strengthening its cybersecurity regulatory framework, with Law no. 58/2023 establishing the legal and institutional framework for cybersecurity and cyber defense activities. The country has also transposed the EU’s NIS Directive through Law no. 362/2018, with DNSC playing a key role in ensuring compliance with NIS 2.0 requirements that EU member states were required to incorporate into national law by October 2024.
The attack underscores the challenges facing water utilities in defending against LOTL techniques. Unlike traditional malware that security tools can detect through signatures, attacks leveraging legitimate system utilities like BitLocker, PowerShell, or Windows Management Instrumentation blend with normal administrative operations. Industry research indicates that such techniques appear in approximately 84% of high-severity cyber incidents, making behavioral monitoring and strong identity management essential countermeasures.
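The behavioral monitoring described above can be sketched as follows. This is an added example, not code from DNSC or from any product named on this page: it flags process-creation events that change BitLocker state and escalates when one account does so on several hosts within a short window, which separates a bulk lock-out from routine administration. The log records, host names, account names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that change BitLocker state (documented manage-bde switches and
# BitLocker PowerShell cmdlets). Read-only queries such as -status do not match.
BITLOCKER_CHANGE = re.compile(
    r"manage-bde(\.exe)?\s+.*-(on|protectors\s+-(add|delete)|forcerecovery)\b"
    r"|\b(Enable-BitLocker|Add-BitLockerKeyProtector|Remove-BitLockerKeyProtector)\b",
    re.IGNORECASE,
)

# Constructed process-creation records (fields as found in Sysmon Event ID 1 or
# Security 4688 logs). Hosts, accounts and times are invented for illustration.
EVENTS = [
    {"time": "2025-01-10T09:00:00", "host": "HELPDESK-01", "user": "CORP\\it.admin",
     "cmd": "manage-bde -status C:"},
    {"time": "2025-01-10T09:05:00", "host": "LAPTOP-17", "user": "CORP\\it.admin",
     "cmd": "manage-bde -on C: -recoverypassword"},
    {"time": "2025-01-11T02:10:00", "host": "SRV-DB-01", "user": "CORP\\svc.backup",
     "cmd": "powershell.exe -Command Enable-BitLocker -MountPoint C:"},
    {"time": "2025-01-11T02:14:00", "host": "SRV-MAIL-01", "user": "CORP\\svc.backup",
     "cmd": "manage-bde.exe -protectors -delete C:"},
    {"time": "2025-01-11T02:21:00", "host": "SRV-WEB-01", "user": "CORP\\svc.backup",
     "cmd": "manage-bde -on C:"},
    {"time": "2025-01-13T10:30:00", "host": "LAPTOP-22", "user": "CORP\\it.admin",
     "cmd": "manage-bde -on C: -recoverypassword"},
]


def detect(events, window=timedelta(minutes=30), min_hosts=3):
    """Return (hits, fanout): events that change BitLocker state, and accounts
    that did so on at least min_hosts distinct hosts within one time window."""
    hits = [e for e in events if BITLOCKER_CHANGE.search(e["cmd"])]
    by_user = defaultdict(list)
    for e in hits:
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    fanout = {}
    for user, seen in by_user.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                fanout[user] = sorted(hosts)
                break
    return hits, fanout


if __name__ == "__main__":
    hits, fanout = detect(EVENTS)
    print(len(hits), "BitLocker state changes;", "fan-out accounts:", fanout)
```

In the constructed data the help-desk account enables BitLocker on two laptops days apart and raises no fan-out alert, while the service account touching three servers in eleven minutes does.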
Romanian Waters, a public institution under the coordination of the Ministry of Environment, Waters and Forests, manages the country’s national water infrastructure including reservoirs, flood protection dikes, canals, and hydrological monitoring systems. The agency’s structure includes eleven River Basin Administrations and the National Institute of Hydrology and Water Management. In 2025, the Romanian government allocated a record budget of 4.25 billion lei (approximately €850 million) to the agency, representing a 55% increase over the previous year, for dam safety, flood prevention, and water infrastructure modernization.
