Romanian water authority, energy producer hit by cyber attacks in apparent coordinated holiday campaign - Industrial Cyber
January 05, 2026
Romanian critical infrastructure has come under sustained cyber attack over the holiday period, laying bare weaknesses across some of the country’s most essential services. On December 20, 2025, as Romania prepared for the winter holidays, attackers targeted Administrația Națională ‘Apele Române’ or Romanian Waters, the national authority responsible for managing the country’s water resources. However, the disruption did not end there. In the final days of the year, security teams at the Oltenia Energy Complex, Romania’s largest coal-based power producer, were scrambling to contain a major security breach.
Taken together, the incidents point to more than coincidence. They mark two major hits on Romanian utility networks in a matter of weeks and suggest a deliberate, persistent campaign aimed at critical services during a period of reduced operational readiness.
“On December 26, 2025, around 01:40, a ransomware-type computer attack, called ‘Gentlemen,’ was identified, which affected the IT business infrastructure of the Oltenia Energy Complex Society,” Oltenia Energy Complex, Romania’s largest coal-based energy producer, wrote in a Dec. 27 Facebook post. “Following the attack, some documents and files have been encrypted, and several computer applications have become temporarily unavailable, including ERP systems, document management applications, email service and the company website. The company’s activity was partially affected, without endangering the functioning of the National Energy System.”
Oltenia Energy Complex added that, immediately after the incident was identified, the affected systems were isolated and the situation was reported to the National Directorate of Cyber Security, the Ministry of Energy and other competent authorities. The company's management also filed a criminal complaint with DIICOT – Territorial Office Gorj regarding the offenses of illegal access to a computer system and altering the integrity of computer data.
“From the moment of identifying the attack, the IT specialists of the Oltenia Energy Complex have started the process of rebuilding the systems on a new infrastructure, using the existing safety copies,” the post disclosed. “Currently, the exact extent of the incident, as well as the existence of a possible data leak, are being analyzed.”
The Oltenia Energy Complex is cooperating with the competent authorities and making all the necessary efforts to complete the restoration of computer systems as soon as possible.
Industrial cybersecurity firm Dragos disclosed in December that the Gentlemen group was one of the third quarter’s fastest-growing emerging operations. Of its 39 claimed victims, 16 were industrial organizations, an unusually high concentration for a recently surfaced non-RaaS group. Gentlemen operated as a tightly controlled, non-affiliate team and relied on compromised credentials, Group Policy modification, the termination of security and backup services, and encrypted exfiltration using tools such as WinSCP before deploying its encryptor. Its frequent leak-site publications created sustained pressure on victims despite its relatively small operational footprint.
Prayukth K V, director for the EU region at Shieldworkz, said the timing of the Oltenia Energy Complex attack was no coincidence but a tactical strike timed for the Christmas break, when staffing is lean and reaction times are often delayed.
He pointed out that the impact was almost immediate. Core systems, including enterprise resource planning platforms, document management tools, email services, and the company’s official website, were encrypted and taken offline. “While the National Energy System (SEN) remained stable, the administrative and logistical backbone of a company that provides 30 percent of Romania’s electricity was paralyzed.”
While the attack has been attributed to the ‘Gentlemen’ group, which first surfaced in August 2025 and is known for exploiting internet-exposed services and compromised credentials, Prayukth observes that “Unlike ‘smash-and-grab’ actors, they often conduct reconnaissance to ensure they hit the ERP layer, which is essentially the ‘brain’ of corporate operations.”
The tactics commonly employed by the Gentlemen operators in the early stages include enumerating internet-exposed infrastructure (such as open ports), gathering breached data records to build a vulnerability profile of the potential victim, identifying a window for launching the attack and/or deploying the ransomware, and exfiltrating data.
Against a backdrop of similar attacks on water authorities in Canada, the U.K., and the U.S., Romania’s National Cyber Security Directorate has confirmed a major ransomware attack on the country’s water management agency. The incident compromised around 1,000 systems, underscoring persistent concerns about cyber threats to critical water infrastructure. Remediation efforts are ongoing.
Administrația Națională Apele Române (Romanian Waters) reported that its servers, workstations, email, web servers, and domain name servers have all been affected. The agency’s website is offline, with official updates shared via alternative sources. The attackers encrypted files and left ransom notes demanding negotiations within seven days. While the attack is being classified as ransomware, the DNSC noted that the use of Windows’ BitLocker tool suggests it may not be the work of a known ransomware group.
Prayukth mentioned that “While the CEO attack used a dedicated and possibly a new strain of the ‘Gentlemen’ ransomware, the water authority attack was more ‘living off the land,’ weaponizing Windows BitLocker to lock out employees.”
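The behaviours named above, for both incidents, map onto telemetry a defender can alert on: the Gentlemen pattern described by Dragos (termination of security and backup services, Group Policy modification, exfiltration with tools such as WinSCP) and the "living off the land" use of BitLocker at the water authority. The following detection sketch is an added example written for this article, not code from Industrial Cyber, Dragos, Shieldworkz or either affected organisation. It reads constructed JSON event records whose field names only loosely mirror Windows event log fields (System 7036 service state changes, Security 5136 directory object modification, Security 4688 process creation with command-line auditing), so the sample events and host names are invented and the exact field layout is an assumption about how a collector might export them.

```python
"""Toy detection rules for the intrusion patterns described in the article:
security/backup service termination, Group Policy modification, file-transfer
tooling such as WinSCP, and BitLocker enabled from the command line.
All input records below are CONSTRUCTED for illustration; they are not
telemetry from the Oltenia Energy Complex or Apele Romane incidents."""
import json
import re
from typing import Iterable, Optional

# Services whose termination shortly before encryption is a common ransomware
# precursor (names are an assumed, illustrative list, not a vendor catalogue).
PROTECTED_SERVICES = {
    "veeam backup service",
    "volume shadow copy",
    "windows defender antivirus service",
    "sense",  # Microsoft Defender for Endpoint sensor service
}

# Match the image name at the end of a Windows path, case-insensitively.
WINSCP_IMAGE = re.compile(r"(?:^|\\)winscp\.exe$", re.I)
MANAGE_BDE_IMAGE = re.compile(r"(?:^|\\)manage-bde\.exe$", re.I)


def rule_service_stopped(ev: dict) -> Optional[str]:
    # System log 7036: "The <name> service entered the <state> state."
    if ev.get("EventID") != 7036:
        return None
    stopped = str(ev.get("State", "")).lower() == "stopped"
    if stopped and str(ev.get("ServiceName", "")).lower() in PROTECTED_SERVICES:
        return "security_or_backup_service_stopped"
    return None


def rule_gpo_modified(ev: dict) -> Optional[str]:
    # Security log 5136 (directory service object modified) on a GPO container.
    if ev.get("EventID") == 5136 and str(ev.get("ObjectClass", "")).lower() == "grouppolicycontainer":
        return "group_policy_object_modified"
    return None


def rule_process_created(ev: dict) -> Optional[str]:
    # Security log 4688 (process creation); needs command-line auditing enabled.
    if ev.get("EventID") != 4688:
        return None
    image = str(ev.get("NewProcessName", ""))
    cmd = str(ev.get("CommandLine", ""))
    if WINSCP_IMAGE.search(image):
        return "file_transfer_tool_launched"
    # manage-bde is the built-in BitLocker CLI; "-on" turns protection on for a volume.
    # A read-only "-status" call is deliberately not flagged.
    if MANAGE_BDE_IMAGE.search(image) and re.search(r"\s-on\b", cmd, re.I):
        return "bitlocker_enabled_from_command_line"
    return None


RULES = (rule_service_stopped, rule_gpo_modified, rule_process_created)


def detect(lines: Iterable[str]) -> list:
    """Run every rule over each JSON line; return one alert dict per match."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than stall the pipeline
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append({
                    "time": ev.get("Time"),
                    "host": ev.get("Host"),
                    "rule": name,
                    "detail": ev.get("ServiceName") or ev.get("CommandLine") or ev.get("ObjectDN"),
                })
    return alerts


def hosts_to_escalate(alerts: list) -> set:
    """Hosts that tripped two or more distinct rules: precursor chains, not single events."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["rule"])
    return {host for host, rules in seen.items() if len(rules) >= 2}


# Constructed sample records (hosts, times and values are invented).
SAMPLE_EVENTS = [
    '{"Time":"2025-12-26T01:02:11","Host":"erp-app01","EventID":7036,"ServiceName":"Veeam Backup Service","State":"stopped"}',
    '{"Time":"2025-12-26T01:02:12","Host":"erp-app01","EventID":7036,"ServiceName":"Print Spooler","State":"stopped"}',
    '{"Time":"2025-12-26T01:05:40","Host":"dc01","EventID":5136,"ObjectClass":"groupPolicyContainer","ObjectDN":"CN=Policies,CN=System,DC=example,DC=local"}',
    '{"Time":"2025-12-26T01:20:03","Host":"erp-app01","EventID":4688,"NewProcessName":"C:\\\\Tools\\\\WinSCP.exe","CommandLine":"WinSCP.exe /script=sync.txt"}',
    '{"Time":"2025-12-20T03:14:55","Host":"ws-hydro-17","EventID":4688,"NewProcessName":"C:\\\\Windows\\\\System32\\\\manage-bde.exe","CommandLine":"manage-bde -on C: -RecoveryPassword"}',
    '{"Time":"2025-12-20T03:15:01","Host":"ws-hydro-17","EventID":4688,"NewProcessName":"C:\\\\Windows\\\\System32\\\\manage-bde.exe","CommandLine":"manage-bde -status"}',
    'this line is not JSON and must be skipped',
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["time"]} {a["host"]:<12} {a["rule"]:<40} {a["detail"]}')
    print("escalate:", sorted(hosts_to_escalate(found)))
```

Run against the embedded sample, the rules raise four alerts (the backup-service stop, the GPO change, the WinSCP launch, and the BitLocker `-on` invocation) while ignoring the Print Spooler stop, the read-only `manage-bde -status` call and the malformed line; only `erp-app01` is escalated, because it is the one host showing two distinct precursors. The value for a defender lies in that correlation step: any single event here has benign explanations, but a backup service stopping followed minutes later by a bulk file-transfer tool on the same host is the sequence worth paging on, and a workstation enabling BitLocker from the command line outside any deployment window deserves a call before the ransom note appears.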
The two attacks are as different as chalk and cheese, but despite the different tools and methods, the strategic link is undeniable. In both cases, the attackers struck the administrative IT layers that support Romania’s national energy and water systems, rather than operational technology itself.
Timing also played a role. Each incident unfolded in late December, taking advantage of the reduced vigilance that often accompanies the end-of-year holiday period.
There is also a deeper infrastructure link. Apele Române oversees dams and water flows that the Oltenia Energy Complex and other power producers depend on for cooling and hydropower. By compromising the water authority first, the attackers appear to have mapped critical dependencies within Romania’s power grid before moving on to a major energy provider.
Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.