Around 1,000 systems compromised in ransomware attack on Romanian water agency

Romania’s cybersecurity agency confirms a major ransomware attack on the country’s water management administration has compromised around 1,000 systems, with work to remediate them still ongoing.

Administrația Națională Apele Române (Romanian Waters) says its geographical information system applications servers, database servers, Windows workstations, Windows Servers, email and web servers, and domain name servers are all affected. 

Its website remains offline, so official information is being disseminated via alternative sources.

Romanian Waters oversees the country’s water infrastructure, including dams, waterways, drinking water supplies, and monitoring systems. 

The attack, which began on December 20, also spread to ten of the country’s 11 river basin management organizations, the Romanian National Cyber Security Directorate (DNSC) said.

While around 1,000 systems are being investigated, Romanian Waters’ operational capabilities were not affected. The DNSC confirmed that hydrotechnical operations are continuing as normal and are being run locally by on-site staff.

The attack is being described as ransomware. Authorities did not specify which group was behind it, but they did confirm that files were encrypted and that the attackers left ransom notes demanding that Romanian Waters begin negotiations within seven days.

However, the DNSC said that the attackers exploited Windows’ BitLocker to encrypt the agency’s files, suggesting the attack might not be the work of a miscreant using a known ransomware group’s payload.

“We reiterate that DNSC’s strict policy and recommendation towards all victims of ransomware attacks is to neither contact nor negotiate with cyberattackers, to avoid encouraging or financing the cybercrime phenomenon,” the agency stated.

“We recommend avoiding contacting the IT&C teams of the National Administration ‘Romanian Waters’ or ones of the river basin administrations, so they can focus on restoring the impacted IT services.

“We will provide further details as soon as additional information becomes available.”

Romanian Waters’ network was not protected by Romania’s system for safeguarding critical national infrastructure. 

Similar to the UK NCSC’s Early Warning service, Romania’s equivalent sees CNI systems’ traffic running through it, with monitoring tools established to detect anomalous activity and stop attacks before they become disruptive.

The DNSC said that this won’t be the case forever, and steps to integrate Romanian Waters’ network into this system are underway.

“The necessary steps have started to integrate this infrastructure into the systems developed by CNC to ensure cyber protection for both public and private IT&C infrastructures of critical importance to national security, using intelligent technologies.”

The attack on Romanian Waters is the latest in a long line of similar incidents affecting Western equivalents.

As providers of safe drinking water to vast populations, the threat of cyberattacks to water administrations is an acute concern for national security agencies.

Hacktivists broke into Canada’s systems for managing water, energy, and farming back in October, for example, accessing controls that could have led to disastrous consequences.

The UK and US have also previously issued their respective warnings about similar scenarios after observing attacks on their water authorities. ®