During the winter break, Romania experienced an onslaught of cyberattacks against two vital infrastructure sectors: the National Water Authority (ANAR) and a large energy production operation. It appears that the attacks occurred as part of a coordinated effort. As a result, the attacks caused operational disruptions and highlighted vulnerabilities in the delivery of essential services.
The most severe incident occurred with ANAR, the national water regulator in Romania
ANAR is responsible for managing Romania’s water resources, as well as flood control. According to Kurrant, ANAR was victimized by a ransomware attack that affected more than 1,000 of ANAR’s systems. As a result of the attack, officials had to shut down segments of ANAR’s system to limit the spread of the breach. Once inside the system, the attackers encrypted critical information and demanded a ransom from ANAR in exchange for restoring access to the stolen data.
At the same time, one of Romania’s largest electricity producers encountered a different type of attack
Although the scope of the damage resulting from this attack has not been completely detailed by the utility, it does appear that the attackers targeted operational technology systems, potentially creating the opportunity for cascading failures throughout the country’s electrical grid.
As a direct result of the ANAR’s systems failure, the authority’s ability to monitor floods and manage water resources was delayed. However, officials stated that drinking water supplies were unaffected by the failure. Teams responding to the emergency situation worked to recover functionality to the systems, however, some systems were unavailable for several days after the initial attack.
The attackers did not cause a disruption to the power supply
In terms of the utility, the attackers did not cause a disruption to the power supply, although the attack prompted the implementation of increased security procedures and short-term shutdowns of certain systems. Analysts in the industry are warning that such types of attacks could have serious implications should they escalate, such as causing blackouts or disrupting industrial operations.
The attackers reportedly employed sophisticated tactics to infiltrate the systems of the targeted organizations, including phishing e-mails and exploiting unpatched vulnerabilities to gain entry into the organizations’ internal networks.
Attribution of the attackers remains uncertain
Investigators are exploring the possibility that the attackers may be state-sponsored or organized cybercrime gangs. Romania’s cybersecurity agencies initiated an investigation into the incidents and are coordinating efforts with other international organizations to identify the source of the attacks.
Critical infrastructure operators urged to assess their security posture
The Romanian government’s National Cybersecurity Agency (ANAR) has advised all of Romania’s critical infrastructure operators to perform a security assessment and to apply the relevant patch as soon as possible on any vulnerable system. The agency and the energy operator have also stated that they will increase their defense measures. They intend to install advanced intrusion detection systems, train their personnel to recognize phishing attacks, etc.
The recent attacks against Romania’s critical infrastructure demonstrate the growing threat to critical infrastructure around the world. Increasingly, water and energy systems are becoming digitized, which makes them appealing to cyberattackers and hostile actors. Experts predict that ransomware attacks directed at critical infrastructure sectors could increase in frequency and severity, leading to significant economic and social impacts.
The recent attacks against Romania’s critical infrastructure serve as a wake-up call for governments and businesses to invest in cybersecurity.
As attackers develop increasingly sophisticated methods to compromise networks, having the capacity to respond rapidly to mitigate risks and build resilience will be crucial. Although the majority of services have been restored, the investigation is still underway. Additional information regarding the investigation, specifically whether sensitive information was compromised, is anticipated to be released by the authorities in the coming weeks.
