PRESS RELEASE Bucharest, December 21, 2025 - ransomware cyber attack on several workstations and servers belonging to the National Administration "Romanian Waters" and a number of 10 (out of 11) water basin administrations in the country, including Oradea, Cluj, Iași, Siret, Buzău.

Cyber ​​incident update 

‼️The National Administration "Romanian Waters" informs that the investigation of the ransomware cyber incident, notified to the National Directorate of Cyber ​​Security - DNSC on December 20, is still ongoing.

The technical teams involved in the investigation, along with the competent authorities responsible, continue to work to limit the impact and restore the IT systems.

📲The dispatching activity and the operation of hydrotechnical structures are carried out within normal parameters, using telephone and radio communications. The hydrotechnical structures are safe and are operated locally by the on-duty personnel, coordinated through dispatching.

Forecasting activity and flood defense were not affected.

The investigation is ongoing and, at this time, it is not known exactly how the attackers penetrated the network.

Operational technologies (OT) were not affected.

There is no impact on the essential activities of the National Administration "Romanian Waters".

With the support of the competent responsible state authorities, an action plan was adopted to restore the IT systems.

The National Administration "Romanian Waters" reiterates that the investigation is ongoing and we will return with additional information as it can be publicly communicated, to avoid confusion and to ensure the security of information processes.

PRESS RELEASE

Bucharest, December 21, 2025

The National Directorate of Cyber ​​Security - DNSC was notified on December 20, 2025, of a ransomware cyber attack on several workstations and servers belonging to the National Administration "Romanian Waters" and a number of 10 (out of 11) water basin administrations in the country, including Oradea, Cluj, Iași, Siret, Buzău. 

Due to this cyber incident, approximately 1,000 IT&C systems were compromised, including Geographical Information System (GIS) application servers, database servers, Windows workstations, Windows Server servers, email/web servers, and Domain Name Servers (DNS).

Operational Technologies (OT) were not affected, so the usual activity is currently carried out within normal parameters. The National Administration "Romanian Waters" specifies that the operation of hydrotechnical structures is done only through dispatches using voice communications. The hydrotechnical constructions are safe and are operated locally by the on-duty personnel and coordinated through dispatches.

Currently, the technical teams within the Directorate, the National Administration "Romanian Waters", the National Cyberint Center (CNC) within the Romanian Intelligence Service (SRI), the affected entities and other state authorities with competences in the area of ​​cybersecurity, are actively involved in investigating and limiting the impact of the cyber incident.

The infrastructure of the National Administration "Romanian Waters" is currently not protected by the national system for the protection of IT&C infrastructures with critical values ​​for national security against threats originating from cyberspace, a system operated by CNC. The necessary steps have been initiated so that this infrastructure is integrated into the systems developed by CNC to ensure cyber protection for both public and private IT&C infrastructures with critical values ​​for national security, through the use of intelligent technologies.

Following an initial technical assessment, it was found that the attackers used a legitimate encryption mechanism for the Windows operating system, called "BitLocker", which was used for malicious purposes to produce an encryption lock on the files on the respective system.

At this time, a ransom note was sent from the attackers, requesting to be contacted within 7 days. We remind you that the policy and strict recommendation from DNSC is that victims of ransomware attacks should not contact or negotiate with cyber attackers, in order not to encourage and finance this criminal phenomenon.

We recommend that the IT&C teams of the National Administration "Romanian Waters" or the basin administrations not be contacted, so that they can focus on restoring IT services.

We will return with details as we have more information.

👉Press contact:

Communication, Media and Marketing Department – ​​media@dnsc.ro

 – 0742999649👈

Romanian Waters