
How a side-hustle paralyzed Romania’s national oil pipeline

Prayukth K V
9 February 2026
The recent cyberattack on CONPET S.A., Romania’s state-owned oil pipeline operator, is not just another ransomware statistic by any stretch of the imagination. It is another example of a complex attack operating under the umbrella of modern asymmetric warfare, one in which the "air gap" between an IT administrator’s personal life and a nation’s critical energy infrastructure was bridged by a single infostealer infection.
In the last decade, we have all seen many "impenetrable" systems fall. However, the CONPET incident, and its unmistakable connection to the systemic siege on Romanian critical infrastructure, adds a new chapter in attack sophistication. It reveals a chilling evolution in the way threat actors like Qilin (also known as Agenda) are moving from brute force to "authorized" entry. Qilin is known to bring stolen data to market rapidly, which means the data is already on its way to potential buyers while negotiations with the victim are still under way.
Before we move forward, don’t forget to check out our previous blog post on “A deep dive into 2025's most devastating cyberattacks as per Tokio Marine HCC International,” here.
A bit about CONPET
CONPET SA is a Romanian state-owned pipeline company. It specializes in the transportation of crude oil, petroleum products and ethane through a vast network of pipelines crisscrossing more than 3,800 kilometers of Romania. The company plays a vital role in the country's energy security through this infrastructure, working to ensure the efficient and safe transport of economically essential resources. CONPET also has active tie-ups with major industry players such as Petrom OMV, Petrotel Lukoil and Rompetrol Rafinare. The company was established as the Ploieşti Oil Pipeline Transport Company (ITTC). It has since undergone an extensive modernization process and adopted its current name in 1991.
The breach timeline:
The breach didn't start on February 3, 2026, when the website went dark. It began weeks earlier in a setting far removed from a high-security server room.
January 11, 2026: "Patient Zero" is identified. An infostealer infects a personal computer (host name: DESKTOP-TCR5GQM) belonging to a CONPET IT administrator. The machine was allegedly also used for a side electronics-repair business (run under the handle "GadgetFix").
January 12, 2026: Threat intelligence monitors index the exfiltrated data. Over 268 credentials are harvested, including access keys for CONPET’s VPN, for Cacti (network monitoring) and for WSUS (Windows Server Update Services).
January 12 – February 2, 2026: Dwell time. Qilin operators use the stolen VPN and WSUS credentials to map the network and its credentials. In an OT environment, access to a network monitoring tool like Cacti is roughly equivalent to holding a blueprint of the nervous system.
February 3, 2026: The hammer drops. Qilin deploys its Rust-based ransomware, encrypting corporate IT systems and exfiltrating approximately 1TB of sensitive data: financial records and confidential company information, possibly including pipeline schemas, vendor details and employee passport scans.
Threat actor profile: The Rise of Qilin (Agenda)
Qilin is a Russia-linked Ransomware-as-a-Service (RaaS) group that has rapidly ascended the "most-wanted" list in 2025 and 2026.
Why they are a Tier-1 threat to OT:
The Rust edge: They have migrated their codebase completely from Go to Rust. This makes their binaries harder to reverse-engineer and highly performant, allowing for rapid encryption of high-volume data stores before EDR can intervene.
Targeted customization: Unlike "spray-and-pray" actors, Qilin customizes binaries for each victim. They include a "kill switch" that checks system locales (avoiding CIS/Russia) and can specifically target or skip directories to ensure the most "painful" systems are hit.
Incentivized affiliates: With a payout structure of 80–85%, they attract highly skilled initial access brokers (IABs) and lateral-movement specialists. They are also known to run recruitment campaigns to engage highly skilled talent for malware development.
Unwavering focus on enterprise victims: This threat actor has gained significant experience and expertise in targeting enterprise victims and selling their data. It is in fact among the top two persistent threat actors that are getting away with successful attacks on large and well-known entities.
State backing: Qilin is backed by the Russian state through its APT groups. The group receives some form of backing from the Russian GRU, and its employees are protected by the Russian state.
They also operate with the shortest targeting cycle.
Qilin was also behind the Asahi Brewery Attack. Read the report here.
Technical deep dive: Weaponizing the "Management plane"
The most alarming technical aspect of the CONPET breach is the exploitation of WSUS (Windows Server Update Services).
In a standard Purdue Model architecture, we often focus on isolating Level 1 (field devices/controllers) from Level 4 (Corporate IT). However, the Management Plane (updates, monitoring, backups) often cuts across these levels. By compromising the WSUS server, Qilin gained a "trusted" platform to push malicious payloads to every Windows-based HMI (Human Machine Interface) and workstation in the corporate environment without arousing suspicion.
In summary, they didn't need to find a vulnerability in the pipeline's SCADA software. They just used the system's own mechanism (WSUS) to distribute the poison.
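Whether a compromised WSUS server can push arbitrary payloads to the fleet comes down to a handful of Windows Update client policy settings that every WSUS-managed host carries. The following PowerShell audit is an added example written for this post, not code from the original article or from Shieldworkz: it reads the documented Windows Update policy registry keys and reports whether the client pins its WSUS URL to HTTPS and whether it will accept non-Microsoft-signed packages from that server. The PASS/WARN/FAIL thresholds are the editor's assumptions, not a published baseline.

```powershell
# Added example (not from the blog or from Shieldworkz): audit the local Windows Update
# client policy for the settings that govern trust in the WSUS management plane.
# Registry paths are the documented Windows Update policy locations; PASS/WARN/FAIL
# thresholds are this example's own assumptions. Run in an elevated session on a
# WSUS-managed Windows host.

$WuPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicyPath = "$WuPolicyPath\AU"

function New-Finding {
    param([string]$Check, $Value, [string]$Status, [string]$Note)
    [pscustomobject]@{ Check = $Check; Value = $Value; Status = $Status; Note = $Note }
}

function Get-WsusClientTrustAudit {
    $wu = Get-ItemProperty -Path $WuPolicyPath -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuPolicyPath -ErrorAction SilentlyContinue

    # UseWUServer=1 means the client takes updates from the intranet WSUS server.
    if (-not $au -or $au.UseWUServer -ne 1) {
        return New-Finding 'UseWUServer' $au.UseWUServer 'INFO' `
            'Host is not WSUS-managed; the remaining checks do not apply.'
    }

    $findings = @()

    # 1. Transport: an http:// WSUS URL leaves the update channel unauthenticated, so
    #    anyone on the path between client and server can tamper with what is served.
    $server = [string]$wu.WUServer
    $findings += New-Finding 'WUServer uses HTTPS' $server `
        $(if ($server -match '^https://') { 'PASS' } else { 'FAIL' }) `
        'Point clients at an https:// WSUS URL backed by an internal CA certificate.'

    # 2. Publisher trust: AcceptTrustedPublisherCerts=1 (policy "Allow signed updates from an
    #    intranet Microsoft update service location") lets WSUS deliver packages signed by any
    #    certificate in the Trusted Publishers store, not only Microsoft-signed updates. That
    #    is the setting that turns WSUS admin rights into a fleet-wide software push channel.
    $accept = $wu.AcceptTrustedPublisherCerts
    $findings += New-Finding 'AcceptTrustedPublisherCerts' $accept `
        $(if ($accept -eq 1) { 'WARN' } else { 'PASS' }) `
        'Keep at 0 unless third-party publishing is a deliberate, monitored process.'

    return $findings
}

Get-WsusClientTrustAudit | Format-Table -AutoSize -Wrap
```

Run it across the estate through your existing remote-management tooling and treat any FAIL on an HMI or engineering workstation as a management-plane finding, not a patching footnote; the same two values are what a WSUS-side review should confirm on the server's own configuration.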
The big picture: The siege of Romania
The CONPET attack is certainly not an isolated incident. It is the latest node in a coordinated campaign against Romanian critical infrastructure that accelerated in late 2025. Romania is on the radar of Russian threat actors.
| Date | Target | Actor/Method | Impact |
| --- | --- | --- | --- |
| Dec 20, 2025 |  | "BitLocker Breach" | 1,000+ systems hit; weaponized native encryption. |
| Dec 26, 2025 |  | "Gentlemen" Group | Disruption of ERP and business apps for coal power. |
| Feb 3, 2026 | CONPET S.A. | Qilin | 1TB data stolen; Corporate IT paralyzed; Website offline. |
The Strategic Link: There is a clear pattern of targeting "Administrative Layers" of critical utilities. While the OT (SCADA) systems at CONPET and Romanian Waters remained functional (thanks to manual overrides and segmentation), the administrative end comprising billing, logistics, and internal communications was blinded.
In the energy sector, if you can’t bill for oil or communicate with dispatchers via ERP, the physical flow is eventually throttled by administrative paralysis, achieving the same result as a physical valve shutdown without the kinetic risk of a counter-strike.
The "So What?" for OT Leaders
The CONPET breach proves that threat actors are closely tracking and targeting critical infrastructure operators. The "Air Gap" is a myth when your IT admin is logging into critical infrastructure from a computer used for a side-hustle.
Key takeaways:
Enforce MFA on everything: The lack of MFA on the VPN portal was the first domino to fall.
Harden the management plane: WSUS, Cacti, and Veeam must be treated as "High-Impact OT Assets," even if they sit in the corporate VLAN.
Third-party/personal risk: Organizations must monitor the dark web for employee credential leaks before dwell time turns into deployment.
Risk assessments: Conduct IEC 62443-based risk assessments frequently and remediate the gaps identified.
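The credential-leak takeaway is the one that needs tooling rather than policy. The PowerShell below is an added example written for this post, not code from the original article or from Shieldworkz: it takes a feed of leaked-credential records in a generic CSV shape, keeps only those that touch the organisation's own domains or hosts, ranks each by the role of the portal it unlocks (remote access and management-plane systems first) and produces a reset list. The feed format, column names, domains, host names and sample rows are all constructed assumptions; a real threat-intelligence feed will need its own mapping into this shape.

```powershell
# Added example (not from the blog or from Shieldworkz): triage leaked-credential records
# against the organisation's identity footprint and rank them for password reset.
# Everything below is CONSTRUCTED: the CSV shape, column names, domains, hosts and rows are
# assumptions for illustration and describe no real feed and no real victim data.

$CorpMailDomains = @('example-pipeline.test')                 # assumed UPN / e-mail domains
$CorpHosts       = @('vpn.example-pipeline.test',            # assumed remote-access portal
                     'wsus.corp.example-pipeline.test',      # assumed management-plane hosts
                     'cacti.corp.example-pipeline.test',
                     'veeam.corp.example-pipeline.test')

# Host-name fragments that mark remote-access or management-plane systems, and their rank.
# Lower rank = reset first. Any other corporate account gets rank 9.
$RoleRank = [ordered]@{
    'vpn'   = @{ Rank = 1; Role = 'Remote access (entry point)' }
    'wsus'  = @{ Rank = 2; Role = 'Update distribution (push channel to every Windows host)' }
    'veeam' = @{ Rank = 2; Role = 'Backups (recovery depends on it)' }
    'cacti' = @{ Rank = 3; Role = 'Network monitoring (topology and device inventory)' }
}

# Constructed sample feed: one infected personal PC leaked a mix of work and hobby logins.
$SampleFeed = @'
source_host,first_seen,url,username
DESKTOP-SAMPLE01,2026-01-12,https://vpn.example-pipeline.test/remote/login,j.doe@example-pipeline.test
DESKTOP-SAMPLE01,2026-01-12,http://wsus.corp.example-pipeline.test:8530/,CORP\jdoe
DESKTOP-SAMPLE01,2026-01-12,https://cacti.corp.example-pipeline.test/index.php,admin
DESKTOP-SAMPLE01,2026-01-12,https://webmail.example-pipeline.test/owa,j.doe@example-pipeline.test
DESKTOP-SAMPLE01,2026-01-12,https://parts.hobby-shop.test/account,hobbyrepair
DESKTOP-SAMPLE02,2026-01-13,https://portal.unrelated-company.test/,someone@unrelated-company.test
'@

function Get-CorporateCredentialExposure {
    param([Parameter(Mandatory)][string]$CsvText)

    $rows = $CsvText | ConvertFrom-Csv
    $results = foreach ($row in $rows) {
        $uri      = [uri]$row.url
        $hostName = $uri.Host.ToLowerInvariant()
        $user     = $row.username.ToLowerInvariant()

        # A record is "ours" if the portal is one of our hosts or the user is one of our identities.
        $matchesHost = $CorpHosts -contains $hostName
        $matchesUser = @($CorpMailDomains | Where-Object { $user.EndsWith('@' + $_) }).Count -gt 0
        if (-not ($matchesHost -or $matchesUser)) { continue }

        $rank = 9; $role = 'Corporate account (standard priority)'
        foreach ($key in $RoleRank.Keys) {
            if ($hostName -like "*$key*") {
                $rank = $RoleRank[$key].Rank; $role = $RoleRank[$key].Role; break
            }
        }

        [pscustomobject]@{
            Rank       = $rank
            Role       = $role
            Host       = $hostName
            Username   = $row.username
            FirstSeen  = [datetime]$row.first_seen
            SourceHost = $row.source_host
            # A plain-text portal URL compounds the exposure: the session itself is interceptable.
            Plaintext  = ($uri.Scheme -eq 'http')
        }
    }
    $results | Sort-Object Rank, FirstSeen
}

Get-CorporateCredentialExposure -CsvText $SampleFeed | Format-Table -AutoSize
```

On the constructed feed the VPN record sorts first, the WSUS record second (flagged plain-text as well), Cacti third and the webmail account last; the hobby-shop and unrelated-company rows are dropped. Wire the output into the reset and session-revocation workflow rather than a mailbox, since the page's own timeline gives roughly three weeks between indexing and deployment.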
CONPET's website is still down at the time of publishing this blog.