The last few days of 2025 have proven to be anything but peaceful for Romania’s critical infrastructure. While most were in holiday mood, looking to spend time with families, security teams were scrambling to contain a major security breach at the Oltenia Energy Complex that is the country’s largest coal-based energy producer.

This certainly wasn’t an isolated incident by any stretch of imagination. It was the second major blow to Romanian utility networks in just a matter of weeks. When viewed together, this signals a sophisticated, persistent and targeted campaign against the Romania’s essential services at a critical time.

The background

The Oltenia Energy Complex is a network of coal mines and power plants, operated by Complexul Energetic Oltenia S.A. (CEO), across Gorj, Vâlce, and Mehedinţi counties in Romania. These counties are part of the historical region of Oltenia that blends heritage and scenic beauty to offer a unique treat for visitors.  

The Oltenia Energy Complex was established in 2012 by integrating Societatea Naţionala a Lignitului Oltenia with Energy Complexes Turceni, Rovinari and Craiova. As per a Euracoal report published in early 2024, reserves of lignite are concentrated in a relatively small area of 250 square kilometres. This is where lignite is mined at ten surface mines.

The Assault on CEO: The "Gentlemen" Move In

On December 26, 2025, at approximately 01:40 AM (regional time), a ransomware group calling itself "Gentlemen" launched a coordinated strike against CEO’s business IT infrastructure. The timing was no coincidence but instead it was a tactical strike that came during the Christmas break when staffing is lean and reaction times are often delayed.

The impact was near immediate:

• Systems go down: ERP (Enterprise Resource Planning), document management, email services, and the official website were encrypted and taken offline.

• Operations: While the National Energy System (SEN) remained stable, the administrative and logistical backbone of a company that provides 30 percent of Romania’s electricity was paralyzed.

• The Actor: The "Gentlemen" group, that first emerged in August 2025, is known for exploiting internet-exposed services and compromised credentials. Unlike "smash-and-grab" actors, they often conduct reconnaissance to ensure they hit the ERP layer which is essentially the "brain" of corporate operations.

Connecting the Dots: The "Romanian Waters" Precursor

To understand the gravity (and context) of the CEO attack, we must look back just six days to December 20, 2025. The national water management authority, Administrația Națională "Apele Române", suffered a massive ransomware event that compromised nearly 1,000 IT systems across 10 of its 11 regional offices. We have covered that attack in detail here.

The Investigative Link

While the CEO attack used a dedicated and possibly a new strain of the "Gentlemen" ransomware, the water authority attack was more "living off the land," weaponizing Windows BitLocker to lock out employees. The two attacks are as different as chalk and cheese but despite the different tools and methods, the strategic link is undeniable:

• Systemic Targeting: Both attacks targeted the administrative IT layers of entities that underpin the National Energy and Water systems.

• The "Holiday Gap": Both occurred in late December, exploiting the decreased vigilance of the end-of-year period.

• Hydro-Energy Interdependency: "Apele Române" manages the dams and water flows that CEO and other energy providers rely on for cooling and hydro-power. By hitting the water management first, the threat actors effectively mapped the dependencies of the Romanian grid before moving on to the energy giant itself.

• Both attacks targeted Romania

Investigating the attack

The group behind the attack “The Gentlemen” is a relatively new entrant that has significantly matured over the last few years. Unlike traditional threat actors that often indulge in hit and run tactics, this group is known to conduct reconnaissance operations spread across months. The three common tactics employed by The Gentlemen during the early stages include:

·       Documenting all accessible infrastructure parts from the web (such as open ports)

·       Gathering breached data records to create a vulnerability profile of the potential victim

·       Identifying a window for launching the attack and/or deploying the ransomware

·       Data exfiltration

In the month of November, the group could have started probing exposed services (using advanced IP scanner) connected to CEO’s operations. Once the services were detected the group sourced previously leaked credentials from other breaches. For instances, our team was able to locate two such credentials. One belonged to an employee from the operations team (the credentials were breached in 2021 during the Nitro PDF breach incident). Another set of credentials linked to a commonly used email ID was found in a leak connected with Bureau van Dijk's (BvD) "Orbis" product.

Once the bad actor was able to gain access, it mapped various segments of the infrastructure and connected networks along with system usage patterns. In parallel, the actors also shut down several anti virus software by abusing multiple Windows drivers to terminate protected processes. We feel this exercise should have been completed towards the end of second week of December 2025.From then onwards it was just a waiting game as The Gentlemen waited for the lean season to arrive to deploy the ransomware.      

Cybersecurity lessons for 2026: The reality of critical infrastructure

As we head into 2026, the "Old Guard" mentality of security which involved relying on the air-gapping of Operational Technology (OT) has been rendered archaic. These attacks prove that you don't need to touch a turbine to stop a power plant; you just need to encrypt the ERP system that manages its supply chain and personnel.

Critical lessons for operators:

• The ERP is the new perimeter: Modern OT relies on IT for logistics. If your IT is down, your OT eventually starves.

• Immutable backups are non-negotiable: CEO was able to begin rebuilding on a new infrastructure because they had viable backups. Without these, they would be at the mercy of the "Gentlemen" negotiators.

• Credential hygiene: Both attacks likely started with a single set of stolen credentials. Multi-Factor Authentication (MFA) must be enforced not just on email, but on every internal service.

• Sensitize employees: They need to know about the sophistication levels of threat actors such as The Gentlemen

The NIS2 imperative and the OT threat landscape

The implementation of the NIS2 Directive is no longer a "future requirement"—it is the baseline for survival in 2026. These incidents underscore two major pillars of the directive:

Mandatory security and risk assessments for OT

Historically, OT systems (the hardware that actually moves water and generates power) were ignored in risk assessments because they were "disconnected." As seen in the water authority attack, even when OT remains functional, the loss of IT-based communication (radio/phone fallbacks) creates a dangerous operational fog. 2026 requires continuous OT monitoring to detect lateral movement from IT networks before the "kill chain" reaches physical assets.

Supply chain and sectoral resilience

NIS2 mandates that entities look beyond their own walls. The link between "Apele Române" and CEO highlights that a vulnerability in water management is a vulnerability in energy production. Operators must perform joint threat assessments with their upstream and downstream partners.

The 2026 OT Incident Response checklist

For critical infrastructure operators, the margin for error has all but vanished. You can use this basic incident response checklist to audit your readiness for the 2026 threat landscape:

Preparation and visibility

• [ ] Passive asset discovery: Do you have a tested real-time, automated inventory of every PLC, HMI, and gateway on your OT network? (Active scanning can crash legacy OT; use passive monitoring using Shieldworkz).

• [ ] The "Logic" backup: Do you have offline, immutable backups of not just your data, but your PLC logic and configurations?

• [ ] Network enclaves: Are your IT and OT networks separated by a "DMZ" with strict protocol-level filtering (e.g., allow only Modbus or OPC-UA traffic)?

• [ ] Has someone checked the Dark Web and other sites and forums to see if any enterprise or employee data has been compromised? If so, have we taken any measures to additionally secure the impacted data or system?

Detection and reporting (NIS2 Compliance)

• [ ] The 24-Hour trigger: Is there a clear workflow to notify the national CSIRT within 24 hours of an "early warning" event?

• [ ] Behavioral baselining: Can your systems detect a "Gentlemen"-style actor moving laterally, or do you only notice when the encryption starts?

• [ ] Supply chain audit: Have you audited the remote access tools used by your third-party maintenance vendors?

Response and manual resilience

• [ ] Tabletop "Black Start" Drills: Have you run a simulation where the IT network is 100% dark? Can your engineers still operate the physical plant manually?

• [ ] Out-of-Band Communication: Do you have a satellite or encrypted mobile communication plan that does not rely on the corporate email/VOIP server?

• [ ] Evidence Preservation: Does your IR plan include a "Forensics First" step to capture volatile memory before rebooting infected OT workstations?

A more detailed IR template is available here.

The "Gentlemen" may claim to be sophisticated, but they are also opportunistic, tactic aware and patient. They prey on multiple security gaps that exist among critical infrastructure operators everywhere. Romania’s 2025 winter crisis is a loud wake-up call for the rest of Europe: compliance with NIS2 is the floor (or baseline), not the ceiling.

Lastly, new rule. The threat actors are certainly not on vacation this year. So it is essentially to ramp up your guard as well.

Learn a bit more about Shieldworkz’ Incident response services

Talk to a vacation security expert (yes we have a dedicated security pro who knows more about fine tuning your security measures during lean times).

Test drive our OT security platform here.