{"id":174539,"date":"2026-01-05T05:02:00","date_gmt":"2026-01-05T10:02:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/05\/romanian-water-authority-energy-producer-hit-by-cyber-attacks-in-apparent-coordinated-holiday-campaign\/"},"modified":"2026-01-05T05:10:08","modified_gmt":"2026-01-05T10:10:08","slug":"romanian-water-authority-energy-producer-hit-by-cyber-attacks-in-apparent-coordinated-holiday-campaign","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/05\/romanian-water-authority-energy-producer-hit-by-cyber-attacks-in-apparent-coordinated-holiday-campaign\/","title":{"rendered":"Romanian water authority, energy producer hit by cyber attacks in apparent coordinated holiday campaign"},"content":{"rendered":"<p><a href=\"https:\/\/industrialcyber.co\/critical-infrastructure\/romanian-water-authority-energy-producer-hit-by-cyber-attacks-in-apparent-coordinated-holiday-campaign\/\">Romanian water authority, energy producer hit by cyber attacks in apparent coordinated holiday campaign<\/a><\/p>\n<p><a href=\"https:\/\/industrialcyber.co\/critical-infrastructure\/romanian-water-authority-energy-producer-hit-by-cyber-attacks-in-apparent-coordinated-holiday-campaign\/\">https:\/\/industrialcyber.co\/critical-infrastructure\/romanian-water-authority-energy-producer-hit-by-cyber-attacks-in-apparent-coordinated-holiday-campaign\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-01-05 05:02:00<\/a><\/p>\n<p>Source Domain: <a href=\"industrialcyber.co\">industrialcyber.co<\/a><\/p>\n<p>Romanian critical infrastructure has come under sustained cyber attack over the holiday period, laying bare weaknesses across some of the country\u2019s most essential services. 
On December 20, 2025, as Romania prepared for the winter holidays, attackers targeted Administra\u021bia Na\u021bional\u0103 \u2018Apele Rom\u00e2ne\u2019 or Romanian Waters, the national authority responsible for managing the country\u2019s water resources. However, the disruption did not end there. In the final days of the year, security teams at the Oltenia Energy Complex, Romania\u2019s largest coal-based power producer, were scrambling to contain a major security breach.<\/p>\n<p>Taken together, the incidents point to more than coincidence. They mark two major hits on Romanian utility networks in a matter of weeks and suggest a deliberate, persistent campaign aimed at critical services during a period of reduced operational readiness.<\/p>\n<p>\u201cOn December 26, 2025, around 01:40, a ransomware-type computer attack, called \u2018Gentlemen,\u2019 was identified, which affected the IT business infrastructure of the Oltenia Energy Complex Society,\u201d Oltenia Energy Complex, Romania\u2019s largest coal-based energy producer, wrote in a Dec. 27 Facebook post. \u201cFollowing the attack, some documents and files have been encrypted, and several computer applications have become temporarily unavailable, including ERP systems, document management applications, email service and the company website. The company\u2019s activity was partially affected, without endangering the functioning of the National Energy System.\u201d<\/p>\n<p>Oltenia Energy Complex added that, immediately after the incident was found, the affected systems were isolated and the situation was reported to the National Directorate of Cyber Security, the Ministry of Energy and other competent authorities. 
The company\u2019s management also filed a criminal complaint with DIICOT \u2013 Territorial Office Gorj regarding the offenses of illegal access to a computer system and altering the integrity of computer data.<\/p>\n<p>\u201cFrom the moment of identifying the attack, the IT specialists of the Oltenia Energy Complex have started the process of rebuilding the systems on a new infrastructure, using the existing safety copies,\u201d the post disclosed. \u201cCurrently, the exact extent of the incident, as well as the existence of a possible data leak, are being analyzed.\u201d<\/p>\n<p>The Oltenia Energy Complex is cooperating with the competent authorities and making all the necessary efforts to complete the restoration of computer systems as soon as possible.<\/p>\n<p>Industrial cybersecurity firm Dragos disclosed in December that the Gentlemen group was one of the third quarter\u2019s fastest-growing emerging operations. Of its 39 claimed victims, 16 were industrial organizations, an unusually high concentration for a recently surfaced non-RaaS group. Gentlemen operated as a tightly controlled, non-affiliate team and relied on compromised credentials, Group Policy modification, the termination of security and backup services, and encrypted exfiltration using tools such as WinSCP before deploying its encryptor. Its frequent leak-site publications created sustained pressure on victims despite its relatively small operational footprint.<\/p>\n<p>Prayukth K V, director for the EU region at Shieldworkz, recognized that the timing of the Oltenia Energy Complex attack was no coincidence but a tactical strike that came during the Christmas break, when staffing is lean and reaction times are often delayed.<\/p>\n<p>He pointed out that the impact was almost immediate. Core systems, including enterprise resource planning platforms, document management tools, email services, and the company\u2019s official website, were encrypted and taken offline. 
\u201cWhile the National Energy System (SEN) remained stable, the administrative and logistical backbone of a company that provides 30 percent of Romania\u2019s electricity was paralyzed.\u201d<\/p>\n<p>While the attack has been attributed to the \u2018Gentlemen\u2019 group, which first surfaced in August 2025 and is known for exploiting internet-exposed services and compromised credentials, Prayukth observes that \u201cUnlike \u2018smash-and-grab\u2019 actors, they often conduct reconnaissance to ensure they hit the ERP layer, which is essentially the \u2018brain\u2019 of corporate operations.\u201d<\/p>\n<p>The common tactics employed by the Gentlemen hackers during the early stages include documenting accessible infrastructure parts from the web (such as open ports); gathering breached data records to create a vulnerability profile of the potential victim; identifying a window for launching the attack and\/or deploying the ransomware; and data exfiltration.\u00a0<\/p>\n<p>Against a backdrop of similar attacks on water authorities in Canada, the U.K., and the U.S., Romania\u2019s National Cyber Security Directorate has confirmed a major ransomware attack on the country\u2019s water management agency. The incident compromised around 1,000 systems, underscoring persistent concerns about cyber threats to critical water infrastructure. Remediation efforts are ongoing.<\/p>\n<p>Administra\u021bia Na\u021bional\u0103 Apele Rom\u00e2ne (Romanian Waters) reported that its servers, workstations, email, web servers, and domain name servers have all been affected. The agency\u2019s website is offline, with official updates shared via alternative sources. The attackers encrypted files and left ransom notes demanding negotiations within seven days. 
While the attack is being classified as ransomware, the DNSC noted that the use of Windows\u2019 BitLocker tool suggests it may not be the work of a known ransomware group.<\/p>\n<p>Prayukth mentioned that \u201cWhile the CEO attack used a dedicated and possibly a new strain of the \u2018Gentlemen\u2019 ransomware, the water authority attack was more \u2018living off the land,\u2019 weaponizing Windows BitLocker to lock out employees.\u201d\u00a0<\/p>\n<p>The two attacks are as different as chalk and cheese, but despite the different tools and methods, the strategic link is undeniable. In both cases, the attackers struck the administrative IT layers that support Romania\u2019s national energy and water systems, rather than operational technology itself.<\/p>\n<p>Timing also played a role. Each incident unfolded in late December, taking advantage of the reduced vigilance that often accompanies the end-of-year holiday period.<\/p>\n<p>There is also a deeper infrastructure link. Apele Rom\u00e2ne oversees dams and water flows that the Oltenia Energy Complex and other power producers depend on for cooling and hydropower. By compromising the water authority first, the attackers appear to have mapped critical dependencies within Romania\u2019s power grid before moving on to a major energy provider.<\/p>\n<p>\t\t\t\t\tAnna Ribeiro\t\t\t\t<\/p>\n<p>\t\t\t\t\tIndustrial Cyber News Editor. 
Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.\t\t\t\t<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Romanian water authority, energy producer hit by cyber attacks in apparent coordinated holiday campaign https:\/\/industrialcyber.co\/critical-infrastructure\/romanian-water-authority-energy-producer-hit-by-cyber-attacks-in-apparent-coordinated-holiday-campaign\/&#8230;<\/p>\n","protected":false},"author":1,"featured_media":174540,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/industrialcyber.co\/wp-content\/uploads\/2026\/01\/2026.01.05-Romanian-water-authority-energy-producer-hit-by-cyber-attacks-in-apparent-coordinated-holiday-campaign.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24,27],"class_list":["post-174539","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/174539"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=174539"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/174539\/revisions"}],"predecessor-version":[{"id":174541,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/174539\/revisions\/174541"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-nee
d.com\/index.php\/wp-json\/wp\/v2\/media\/174540"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=174539"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=174539"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=174539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}