Why write viruses when there's Windows? How a standard utility became a weapon against an entire country.

Another critical infrastructure facility has fallen victim to extortionists.

A major ransomware incident has hit Oltenia Energy Complex, Romania's largest coal-fired power producer. The attack, recorded on the night of December 26, disrupted digital systems and made a number of internal services temporarily unavailable. Although production processes were partially disrupted, the national electricity supply remained stable.
Oltenia Energy Complex (CE Oltenia) is a key electricity supplier in Romania, burning lignite. The company operates 12 power units at sites in Rovinari, Turceni and Craiova, along with 15 open-pit mines producing between 15 and 18 million tons of coal per year. In recent years the enterprise has been restructuring and investing in new generation, including solar plants and gas units. It currently employs about 10,000 people.
The incident was caused by ransomware known as Gentlemen. Internal documents were encrypted and key business applications were knocked offline, including resource management systems, document management, corporate email and the company's public website. The company's specialists promptly isolated the affected hosts and began restoring operations on backup platforms. An internal investigation is under way in parallel to determine the scope of the breach and whether data was exfiltrated.
The company reports that it notified the National Cybersecurity Directorate and the Ministry of Energy, and filed a formal complaint with the Directorate for Investigating Organized Crime and Terrorism. It is not yet known whether the attackers reached confidential information, nor whether ransom negotiations have taken place; the fact that the company does not appear on the Gentlemen group's leak site may, however, indicate that the parties are still in contact.
This is the second major incident in Romania in recent weeks. Shortly before, the country's National Water Management Administration was hit by a similar attack. There the malware affected about a thousand systems in the central office and ten regional branches: GIS servers, databases, email and web servers, Windows workstations and DNS servers were all encrypted. The operational infrastructure that actually manages water was not affected, and supply continued without interruption.
According to experts studying the incident, the attackers did not deploy a custom encryptor at all: they used BitLocker, the full-disk encryption feature built into Windows. They left a note demanding contact within seven days, but the initial access vector has not yet been determined.
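For defenders, the practical consequence of a BitLocker-based attack is that there is no malware binary to detect, only a volume whose key protectors the organisation does not control. The PowerShell audit below is an added example and is not code from the article or from the investigators. It assumes an elevated session on a Windows host with the BitLocker module available, and the 72-hour lookback window is an assumed value. It flags volumes protected only by a password, the protector an attacker can set from the command line with `manage-bde -on <drive> -pw` or `Enable-BitLocker -PasswordProtector`, without a recovery password that could have been escrowed, and pulls recent entries from the BitLocker management event log so the timing of protector changes can be checked.

```powershell
# Added example (not from the article or the investigating experts): audit a Windows
# host for BitLocker being turned against it. Run elevated; assumes the BitLocker
# PowerShell module (Windows 8/Server 2012 and later) is present.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest

# Assumed value: how far back to read BitLocker management events.
$LookbackHours = 72

function Get-SuspiciousBitLockerVolumes {
    # A volume is flagged when it is (being) encrypted and its only protector type is
    # a Password, with no RecoveryPassword (the protector normally escrowed to AD DS or
    # Entra ID) and no TPM-bound protector. That is exactly the shape an attacker gets
    # from "manage-bde -on X: -pw" or "Enable-BitLocker -PasswordProtector".
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPassword = $types -contains 'Password'
        $hasRecovery = $types -contains 'RecoveryPassword'
        $hasTpm      = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0

        # FullyDecrypted volumes carry no protection and are not of interest here.
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $hasPassword -and -not $hasRecovery -and -not $hasTpm) {
            [pscustomobject]@{
                MountPoint           = $vol.MountPoint
                VolumeStatus         = $vol.VolumeStatus          # e.g. EncryptionInProgress
                ProtectionStatus     = $vol.ProtectionStatus
                EncryptionPercentage = $vol.EncryptionPercentage
                Protectors           = ($types -join ',')
                Reason               = 'Password-only protector, no recovery password to escrow'
            }
        }
    }
}

function Get-RecentBitLockerManagementEvents {
    param([int]$Hours = $LookbackHours)
    # The BitLocker-API operational channel logs protector additions/removals and
    # encryption start/finish. Filtering on time rather than event ID keeps this
    # independent of per-build ID differences; read the Message column for the detail.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage: report suspicious volumes, then the recent management history.
$suspicious = @(Get-SuspiciousBitLockerVolumes)
if ($suspicious.Count -gt 0) {
    Write-Warning "Volumes whose BitLocker protectors the organisation does not control:"
    $suspicious | Format-Table -AutoSize
} else {
    Write-Host "No password-only BitLocker volumes found on this host."
}
Get-RecentBitLockerManagementEvents | Format-Table -AutoSize -Wrap
```

Two caveats. First, the audit is only useful before the attacker reboots the machine: once a password-only volume locks, the host cannot run anything, so this belongs in a fleet-wide sweep (for example via `Invoke-Command`) during an incident, not on the already-dark machines. Second, if a flagged volume is still unlocked, key material can still be recovered by adding a protector you control before anything restarts: `Add-BitLockerKeyProtector -MountPoint <drive> -RecoveryPasswordProtector` followed by `Backup-BitLockerKeyProtector` to escrow it to AD DS. As prevention, Group Policy can deny password protectors on fixed data drives ("Configure use of passwords for fixed data drives") and refuse BitLocker on operating system drives without a compatible TPM, which removes the easy path the attackers relied on here.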