Cyber attack on several workstations and servers belonging to “Romanian Waters”. Which basin administrations are affected
Ransomware attack, Photo: Nawadoln Siributr / Alamy / Profimedia Images
A ransomware-type cyberattack took place on several workstations and servers belonging to the Romanian National Water Administration (ANAR) and a number of 10 water basin administrations in the country, including Oradea, Cluj, Iasi, Siret, Buzau, announces Apele Romanian Waters, which specifies that a ransom note has been sent from the attackers, who request to be contacted within 7 days. The company reminds that DNSC's policy and strict recommendation is that victims of ransomware attacks do not contact and negotiate with cyber attackers, in order not to encourage and finance this criminal phenomenon.
“The National Directorate of Cyber Security (DNSC) was notified on December 20, 2025 regarding a ransomware-type cyber attack on several workstations and servers belonging to the Romanian National Water Administration and a number of 10 (out of 11) water basin administrations in the country, including Oradea, Cluj, Iasi, Siret, Buzau. Due to this cyber incident, approximately 1,000 IT&C systems were compromised, including Geographical Information System (GIS) application servers, database servers, Windows workstations, Windows Server servers, e-mail/web servers and Domain Name Servers (DNS),” announced Apele Române in an official statement quoted by News.ro.
The company also announces that the operational technologies (OT – Operational Technologies) were not affected, so that the usual activity is carried out at this moment in normal parameters.
“The Romanian Waters National Administration specifies that the operation of hydrotechnical structures is done only by dispatchers using voice communications. The hydrotechnical constructions are safe and are operated locally by the staff on duty and coordinated by dispatchers,” the statement also states.
Currently, the technical teams of the Directorate, of the Romanian National Water Administration, of the National Cyberint Center (CNC) of the Romanian Intelligence Service (SRI), of the affected entities and of other state authorities with competences in the area of cyber security, are actively involved in investigating and limiting the impact of the cyber incident.
The “Romanian Waters” infrastructure is not protected by the national protection system
“The infrastructure of the Romanian National Water Administration is not currently protected by the national system for the protection of IT&C infrastructures critical to national security against threats from cyberspace, a system operated by CNC. The necessary steps have been initiated so that this infrastructure is integrated into the systems developed by CNC to ensure cyber protection for both public and private IT&C infrastructures critical to security national, through the use of intelligent technologies. Following an initial technical assessment, it was found that the attackers used a legitimate encryption mechanism for the Windows operating system, called 'BitLocker', which was used for malicious purposes, to produce the encryption lock of the files on that system,” the company says.
At this point, a ransom note was sent from the attackers, who request to be contacted within seven days.
“We remind you that DNSC's policy and strict recommendation is that victims of ransomware attacks do not contact and negotiate with cyber attackers, in order not to encourage and finance this criminal phenomenon. We recommend that the IT&C teams of ANAR or the basin administrations not be contacted, so that they can focus on restoring IT services!”, mentions Apele Române.
