In the early hours of December 20, Romania’s national water authority, Romanian Waters (Administrația Națională Apele Române), began grappling with a ransomware attack that would cripple much of its information technology backbone. By the time officials confirmed the breach, nearly 1,000 computer systems were affected, including workstations, email platforms and web servers across the agency’s sprawling national network.
The incident was disclosed by the National Cyber Security Directorate (DNSC), which oversees the protection of Romania’s critical digital infrastructure. Water management falls squarely within that category under Romania’s emergency laws, elevating the attack from a technical failure to a matter of national safety.
Romanian Waters’ official website went dark, forcing authorities to issue updates through social media and alternative channels. Internally, staff reverted to radios and telephones, maintaining essential operations while large parts of the agency’s digital systems remained inaccessible.
How the Attack Spread — and What It Touched
According to investigators, the ransomware spread rapidly from the agency’s central office to 10 of its 11 regional river basin administrations, disrupting operations in cities including Oradea, Cluj, Iași, Siret and Buzău. The attack disabled database and domain name servers, email systems, web services and Windows-based workstations.
Among the most significant losses were Geographic Information Systems used to map and monitor water resources — tools that underpin flood planning, river management and environmental oversight. Yet officials stressed that the most sensitive infrastructure, including dams, flood defenses and other operational technology, remained physically secure.
Those systems, often isolated from corporate networks, were kept running manually on site. “The core infrastructure is safe,” the DNSC said, emphasizing that operational continuity had been preserved despite the digital blackout.
Turning a Security Tool Into a Weapon
Early forensic analysis suggests the attackers employed an unusual tactic. Instead of deploying custom malware, they appear to have misused BitLocker, Microsoft’s built-in disk encryption tool, to lock systems and data. By weaponizing legitimate software, the attackers reduced the likelihood of immediate detection by traditional security defenses.
How the intruders initially accessed the network remains unclear. What is known is that they left behind a digital ransom note demanding contact within seven days. Romanian authorities, adhering to a standing policy, refused to negotiate.
“This is a principle decision,” the DNSC said, reiterating the government’s stance that paying or engaging with attackers risks funding further criminal activity. Technical teams from the Romanian Intelligence Service (SRI) and other state bodies were brought in to contain the damage and restore systems.
A Broader Warning for Water Infrastructure Worldwide
The attack has also exposed structural gaps. Romanian Waters was not yet integrated into the country’s centralized cyber defense framework managed by the National Cyberint Center (CNC) — a process now being accelerated.
Experts say the incident fits a global pattern. Water utilities increasingly rely on interconnected digital systems that blur the line between IT networks and operational technology. When breached, those systems can offer attackers pathways to manipulate physical processes.
Recent incidents abroad underscore the risk. In Norway earlier this year, attackers exploited weak credentials to remotely open a dam’s discharge valve for hours. In the United States and the United Kingdom, regulators have warned that outdated software, exposed control interfaces and poor network segmentation leave water facilities vulnerable to ransomware and sabotage.
In Romania, the damage from the December attack has so far remained digital. But the episode has sharpened awareness of how quickly a cyber incident can threaten essential public services — and how much depends on systems the public rarely sees, until they fail.
