Romanian Waters Authority Suffers Major Ransomware Attack
The National Administration "Romanian Waters" (Administrația Națională Apele Române, ANAR), Romania's national water management authority, suffered a ransomware attack in February 2024 that compromised more than 1,000 IT systems and substantially disrupted the organization's operations.
According to reports, the attackers encrypted critical data and stole sensitive information, including operational databases, hydrological records, and internal documents. The compromise spanned multiple regional branches of ANAR, which is what gives the incident its scale.
Phobos Ransomware Identified, Killnet Claims Responsibility
Cybersecurity researchers identified the Phobos ransomware as the tool used against ANAR's systems. This attribution rests on technical evidence observed during the incident, not on any public claim of responsibility.
Separately, the pro-Russia hacktivist group Killnet publicly claimed the attack on the Romanian Waters Authority. The evidence gathered by cybersecurity experts, however, points to operators of the Phobos ransomware, which is sold to affiliates as a service rather than run by a single gang, as the actual perpetrators of the compromise and encryption.
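What "technical evidence" of a Phobos infection looks like in practice is the family's file-renaming convention and ransom-note names, which responders can sweep for across an inventory of affected hosts. The following is an added example, not code from the article or from ANAR's responders: it classifies file paths by the publicly documented Phobos suffix `.id[<8-hex victim ID>-<4-digit affiliate ID>].[<contact address>].<extension>` and the `info.hta` / `info.txt` notes, then summarises which hosts actually hold encrypted files and whether the affiliate ID and contact address are consistent across branches. The host names and paths are constructed sample data.

```python
import re
from collections import defaultdict

# Phobos renames each encrypted file to
#   <original>.id[<8-hex victim ID>-<4-digit affiliate ID>].[<contact address>].<extension>
# and drops ransom notes named info.hta and info.txt. This convention comes from
# public Phobos advisories, not from the article. The victim ID is machine-specific,
# so campaign consistency is judged on the affiliate ID and contact address instead.
PHOBOS_SUFFIX = re.compile(
    r"\.id\[(?P<victim>[0-9A-Fa-f]{8})-(?P<affiliate>\d{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
RANSOM_NOTES = {"info.hta", "info.txt"}

# Constructed sample inventory of (host, path) pairs; not real ANAR data.
SAMPLE_INVENTORY = [
    ("OLT-FS01", r"D:\hydro\debite_2023.xlsx.id[1A2B3C4D-3153].[decrypt@example.com].eight"),
    ("OLT-FS01", r"D:\hydro\info.txt"),
    ("OLT-FS01", r"D:\hydro\niveluri.csv"),
    ("ARGES-DB02", r"E:\db\hydro.bak.id[9F8E7D6C-3153].[decrypt@example.com].eight"),
    ("ARGES-DB02", r"C:\Users\Public\info.hta"),
    ("SIRET-WS17", r"C:\Users\admin\Desktop\info.hta"),
    ("PRUT-WS03", r"C:\reports\Q4.docx.id[00112233-2994].[other@example.org].devos"),
    ("JIU-AD01", r"C:\Windows\Temp\log.txt"),
]


def classify(path):
    """Return ('note', {}) or ('encrypted', fields) for a Phobos artifact, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name.lower() in RANSOM_NOTES:
        return ("note", {})
    m = PHOBOS_SUFFIX.search(name)
    if m:
        return ("encrypted", m.groupdict())
    return None


def triage(inventory):
    """Summarise an inventory: hosts with encrypted files, hosts that only carry a
    note (possibly staged but not encrypted), and the IDs/contacts seen."""
    summary = {
        "encrypted_files": 0,
        "notes": 0,
        "hosts_encrypted": set(),
        "hosts_note_only": set(),
        "affiliate_ids": set(),
        "contacts": set(),
        "extensions": set(),
    }
    per_host = defaultdict(lambda: {"encrypted": 0, "note": 0})
    for host, path in inventory:
        hit = classify(path)
        if hit is None:
            continue
        kind, fields = hit
        per_host[host][kind] += 1
        if kind == "note":
            summary["notes"] += 1
        else:
            summary["encrypted_files"] += 1
            summary["affiliate_ids"].add(fields["affiliate"])
            summary["contacts"].add(fields["contact"].lower())
            summary["extensions"].add(fields["ext"])
    for host, counts in per_host.items():
        if counts["encrypted"]:
            summary["hosts_encrypted"].add(host)
        elif counts["note"]:
            summary["hosts_note_only"].add(host)
    # One affiliate ID and one contact address across all hosts suggests a single
    # campaign; several suggests multiple affiliates or a different family copying the style.
    summary["same_affiliate"] = (
        len(summary["affiliate_ids"]) <= 1 and len(summary["contacts"]) <= 1
    )
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

The suffix alone is not proof of Phobos: the related Dharma/CrySIS family uses a near-identical `.id-<hex>.[<contact>].<ext>` pattern, so a responder still confirms with a sample of the binary or the ransom-note text. The value of the sweep is the correlation it gives across branches, which is precisely what separates an attribution to Phobos operators from a claim made by a group that may merely be taking credit.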
Operational Data and Hydrological Databases Compromised
The attackers breached and encrypted more than 1,000 systems on ANAR's network. The compromised data included operational information essential to water management and extensive hydrological databases holding records of water levels, flow rates, and other environmental measurements that underpin the country's water infrastructure.
Beyond encrypting data, the threat actors exfiltrated a significant volume of it and published a sample of the allegedly stolen material on a dark web portal, threatening to release more if their demands were not met. The attack disrupted public access to ANAR's website and affected operations in several regional water directorates, including Olt, Arges, Jiu, Siret, and Prut-Barlad.
ANAR’s Response and Refusal to Pay Ransom
In response, ANAR promptly initiated its incident response protocols: it isolated the affected IT systems and disconnected them from the internet to stop the ransomware spreading, and engaged cybersecurity experts to assist with forensic analysis and recovery.
ANAR publicly stated that it would not negotiate with the attackers or pay the demanded ransom. Instead, it restored services from existing backups, which preserved some operational continuity despite the widespread impact. That stance aligns with the advice of cybersecurity agencies worldwide, which caution that paying funds criminal enterprises and does not guarantee recovery of the data.
The incident serves as a stark reminder of the persistent threats faced by critical infrastructure organizations from ransomware gangs and other malicious actors.