DNS Crash Cause Reboot Loops Across Models 

Administrators Trace Impact to DNS Lookups and SNTP Defaults 

Workarounds Stabilize Networks as Root Cause Remains Unpatched 

Romania's National Directorate for Cyber Security disclosed that on Saturday a ransomware attack compromised approximately 1,000 IT systems belonging to the nation's water authority - known as Administrația Națională Apele Române. The attack impacted 10 of the country's 11 regional water basin administrations including Oradea, Cluj, Iași, Siret, and Buzău.

The attackers exploited BitLocker—a legitimate Windows encryption mechanism—for malicious purposes to lock files across the infrastructure and deliver a ransom note demanding contact within seven days.

The incident affected multiple critical systems including Geographical Information System (GIS) application servers, database servers, Windows workstations, Windows Server systems, email and web servers, and Domain Name Servers. Despite the extensive IT compromise, operational technologies remained unaffected, allowing normal operations to continue.

Hydrotechnical Structures Remain Secure

The Romanian water authority clarified that the operation of hydrotechnical structures continues solely through dispatch centers using voice communications. Hydrotechnical constructions remain secure and are operated locally by specialized personnel coordinated through dispatch centers.

The organization stressed that despite the IT infrastructure compromise, water management operations including dam control, flood management, and water distribution systems continue functioning normally through manual oversight and voice coordination protocols developed for such contingencies.

BitLocker Weaponized for Malicious Encryption

Following an initial technical evaluation, investigators determined attackers exploited BitLocker, a legitimate encryption mechanism for Windows operating systems, using it maliciously to produce file blocking through encryption across affected systems. This technique represents an evolution in ransomware tactics where threat actors leverage built-in security tools rather than deploying custom malware.

The attackers transmitted a ransom note demanding contact within seven days. The National Directorate for Cyber Security reiterated its strict policy and recommendation that ransomware attack victims will not contact or negotiate with cyber attackers to avoid encouraging and financing this criminal ecosystem.

The Cyber Express reached out to the media center of the DNSC to understand what data was compromised and which group had claimed responsibility of the attack but authorities recommended that IT teams at the National Administration of Romanian Waters or regional water administrations should not be contacted, allowing them to concentrate on restoring IT services without distraction from media inquiries or external pressure.

Also read: Russia-Linked Hybrid Campaign Targeted 2024 Elections: Romanian Prosecutor General

Infrastructure Not Protected by National Cyber Defense System

The investigation revealed that Romanian water authority infrastructure was not currently protected through the national protection system for IT infrastructures with critical importance for national security against threats from cyberspace.

Necessary procedures have now been initiated to integrate this infrastructure into systems developed by the National Cyber Intelligence Center for ensuring cyber protection of both public IT infrastructures and private ones with critical importance for national security through use of cyber intelligence technologies.

Technical teams from the Directorate, National Administration Romanian Waters, the National Cyber Intelligence Center within the Romanian Intelligence Service, affected entities, and other state authorities with competencies in cybersecurity are actively involved in investigating and limiting the impact of the cyber incident.