
Update on the ransomware attack on Romanian Waters

Prayukth K V
25 December 2025
On December 20, 2025, as Romania prepared for the winter holidays, a silent digital siege was launched against one of the nation’s most vital pillars: Administrația Națională "Apele Române" or Romanian Waters.
While citizens initially only saw an offline website and missing emails, the reality was a high-stakes ransomware incident that paralyzed over 1,000 IT systems across the country. Here is an investigative breakdown of the "BitLocker Breach", an attack that highlights a chilling evolution in how hackers are turning built-in security tools against the state.
This attack should also be viewed in light of similar attacks on critical infrastructure in France. The pattern is the same: target a public-facing critical infrastructure entity and take it offline for an extended period of time, both to stall recovery and to ensure the media picks up the incident. The Romanian Waters website is still inaccessible at the time of writing this blog post.
Before we move forward, don’t forget to check out our previous blog on “Why Pro-Russian hackers targeted France’s La Poste” here.
The breach: A weekend shutdown
Romanian Waters (Administrația Națională Apele Române) is the country's apex water management authority. As per its own website, the National Administration "Romanian Waters" administers the waters in the public domain of the state and the infrastructure of the National Water Management System, consisting of reservoirs, flood defense dikes, canals, inter-basin derivations, water intakes and other specific works, as well as the associated management infrastructure.
The incident began on Saturday, December 20. By the time the National Directorate for Cyber Security (DNSC) was notified, the damage was widespread. The attack didn't just hit the central headquarters in Bucharest; it rippled through 10 of Romania's 11 regional water basin administrations, including key hubs in Oradea, Cluj, Iași, Siret, and Buzău.
The impact at a glance:
· Systems compromised: Approximately 1,000 IT assets.
· Affected infrastructure: GIS (Geographic Information System) servers, databases, web and email servers, and Domain Name Servers (DNS).
· The ultimatum: A ransom note demanding contact within a week.
The weapon of choice: "Living off the Land"
The most striking discovery made by investigators from the DNSC and the National Cyberint Center (CNC) was the absence of conventional ransomware. Instead, the attackers used Microsoft BitLocker to lock files on the compromised systems.
BitLocker, as many of you are aware, is a legitimate Windows feature designed to protect data through encryption. By gaining administrative privileges, the attackers essentially "locked the front door and threw away the key," using the agency’s own security software to hold their data hostage. This particular approach reminds one of the line that Jeff Goldblum’s character mouthed in the alien invasion classic Independence Day. “They are using our systems against us.” That’s what David Levinson, an MIT-educated satellite engineer and technological expert says when he finds out that the aliens have encrypted a signal pattern into our own satellites in order to help coordinate their ships and their attack times.
Levinson, in fact, swiftly decodes the encryption and uses a simple calculation to figure out the time remaining for the aliens to launch a coordinated attack on key critical infrastructures on earth. It is this very decryption that possibly helped the satellite engineer to compile a custom malware later on in the movie. He uses this malware to infiltrate and shutdown the alien mothership and other crafts participating in the attack on earth. That was one close shave for mankind as per Roland Emmerich and the makers of the first instalment of Independence Day.
Apologies for the digression. Now let’s dive right back into the incident.
This "living-off-the-land" (LotL) tactic is notoriously difficult for traditional antivirus software to detect: the tool used is natively trusted by the operating system, and its activity blends in with legitimate administrative operations, which keeps the anomalous behaviour hidden unless someone is specifically looking for it.
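Because the tool itself is trusted, the detection opportunity lies in who enables BitLocker, on how many hosts, and how quickly. The following is an added example written for this post (not code from the DNSC, ANAR or any vendor): it scans process-creation events reduced to constructed tab-separated lines, flags BitLocker being enabled by accounts outside an assumed deployment allow-list, and correlates a burst of encryption across several hosts within a short window, which is the ransomware signal rather than a scheduled rollout. Field layout, host names and account names are assumptions.

```python
# Hunt for BitLocker being turned on outside an authorised deployment.
# Input: Windows process-creation events (event ID 4688 with command-line
# logging) flattened to: timestamp <TAB> host <TAB> account <TAB> command line.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events; hosts, accounts and times are illustrative only.
SAMPLE_EVENTS = """\
2025-12-20T01:12:04\tWS-ORA-07\tCORP\\svc-deploy\tmanage-bde.exe -on C: -RecoveryPassword
2025-12-20T02:41:17\tSRV-GIS-01\tCORP\\helpdesk3\tmanage-bde.exe -on D: -Password
2025-12-20T02:41:52\tSRV-DB-02\tCORP\\helpdesk3\tpowershell.exe -NoProfile -Command Enable-BitLocker -MountPoint D: -PasswordProtector
2025-12-20T02:43:10\tSRV-MAIL-01\tCORP\\helpdesk3\tpowershell.exe Enable-BitLocker -MountPoint C:
2025-12-20T09:00:00\tWS-CLJ-12\tCORP\\alice\tnotepad.exe report.txt
"""

AUTHORISED_ENCRYPTORS = {"CORP\\svc-deploy"}  # assumed: account the deployment tooling runs as
BURST_WINDOW = timedelta(minutes=15)          # many hosts encrypted this close together is suspicious
BURST_THRESHOLD = 3                           # distinct hosts within the window that trigger a burst alert

# Both the legacy CLI and the PowerShell cmdlet can switch encryption on.
ENABLE_PATTERNS = [
    re.compile(r"manage-bde(\.exe)?\s+-on\b", re.I),
    re.compile(r"\bEnable-BitLocker\b", re.I),
]

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, host, account, cmd = line.split("\t", 3)
        events.append((datetime.fromisoformat(ts), host, account, cmd))
    return events

def is_encrypt_command(cmd):
    return any(p.search(cmd) for p in ENABLE_PATTERNS)

def find_alerts(events):
    """Return (unauthorised encrypt events, {account: hosts hit in one burst})."""
    unauthorised = []
    per_account = defaultdict(list)  # account -> [(time, host)] of encrypt commands
    for ts, host, account, cmd in sorted(events):
        if not is_encrypt_command(cmd):
            continue
        per_account[account].append((ts, host))
        if account not in AUTHORISED_ENCRYPTORS:
            unauthorised.append((ts, host, account))
    bursts = {}
    for account, hits in per_account.items():
        # Sliding window anchored on each hit: distinct hosts encrypted within BURST_WINDOW.
        for t0, _ in hits:
            hosts = {h for t, h in hits if t0 <= t <= t0 + BURST_WINDOW}
            if len(hosts) >= BURST_THRESHOLD:
                bursts[account] = hosts
                break
    return unauthorised, bursts
```

On the constructed sample, the deployment account's single encryption is accepted, while the helpdesk account is flagged both for being unauthorised and for encrypting three servers in under two minutes.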
Resilience: Why the taps kept running
In most attacks on critical infrastructure, the nightmare scenario is the loss of Operational Technology (OT). This includes the systems that physically control dams, sluice gates, and water pressure.
The good news: Romanian Waters appears to have segmented its IT (administrative) and OT (operational) networks, which kept the latter safe. While the "digital brain" was scrambled, the "physical hands" remained functional and steady.
· Manual override: Dispatchers immediately reverted to telephone and radio communications.
· Local control: Personnel at hydrotechnical sites managed structures manually, ensuring that flood defenses and water supplies remained operational throughout the crisis.
A possible missing shield
Perhaps the most significant revelation from the investigation is that Romanian Waters was not previously integrated in any manner into the national cyber protection system for critical infrastructure.
The National Cyberint Center (part of the SRI) manages a sophisticated defense umbrella for both public and private entities of national importance. This incident has exposed a gap of some sort: one of the country's most critical utility managers was essentially sitting outside the fort.
In light of the incident, DNSC has initiated the necessary steps to integrate this infrastructure into the systems developed by the CNC to ensure cyber protection for both public and private IT&C infrastructures with critical significance for national security, through the use of intelligent technologies. This is as per an updated note released by the DNSC.
The current status:
· No negotiation: Following DNSC policy, authorities have refused to contact the hackers in any manner.
· Integration: Procedures are now being fast-tracked to pull the water infrastructure under the national cyber-defense shield.
· Attribution: While no group has claimed credit, the timing and methodology mirror recent activity from pro-Russian hacktivist groups (such as Z-Pentest or NoName057) that have targeted European utilities throughout 2024 and 2025.
As per DNSC, currently, the situation is under control, and the essential activities of ANAR continue without affecting the monitoring of water resources or the operation of the hydrotechnical infrastructure.
The main measures that are being implemented are as follows:
· The restoration of user accounts has been completed. This allows the resumption of secure access of employees to the IT systems necessary for the current activity.
· The email service is in the process of being rebooted and is stabilizing. Technical teams are working to fully restore operations for all users in the shortest time possible.
· In order to ensure the continuity of critical monitoring and coordination activities, the dispatching application that is essential for surveillance of hydrological situations has been relocated and put into operation in a secure IT environment.
· In parallel, technical works are ongoing for the reinstatement of the financial application. Its availability for citizens will be publicly communicated in the coming days.
· Also, work is underway to restore and secure the website www.rowater.ro and bring it back to full functionality. The site is still down.
The verdict: A wake-up call for 2026
The Romanian Waters incident can indeed be considered a masterclass in modern asymmetric warfare. The attackers didn't need custom code; they needed only a single foothold to weaponize the system's own encryption.
For the cybersecurity community, this is a reminder that "zero trust" isn't just a buzzword—it's a necessity. When your own security tools can be turned into a cage, the perimeter is no longer enough.
Interested in a custom briefing on specific security measures to segment your OT network? Talk to our expert.
Test drive our NDR solution for OT security, here.
For everything else, let us know here.