PROBABLYPWNED
Malware | February 7, 2026 | 3 min read

Qilin Ransomware Hits Romania's Oil Pipeline Operator

Conpet, operator of 3,800km of Romanian oil pipelines, confirms cyberattack. Qilin claims 1TB of stolen data including financial records and passports.

James Rivera

Romania's national oil pipeline operator Conpet confirmed this week that a cyberattack disrupted its business IT systems and knocked its website offline. The Qilin ransomware group has claimed responsibility, alleging it stole nearly one terabyte of data and publishing sample documents—including financial records and passport scans—on its dark web leak site.

Conpet operates approximately 3,800 kilometers of pipelines that supply domestic and imported crude oil to refineries across Romania. The good news: operational technology stayed up. The company said its SCADA and telecommunications systems remained fully functional throughout the incident, meaning oil transport operations continued uninterrupted.

What We Know So Far

The attack targeted Conpet's corporate IT infrastructure rather than its industrial control systems, according to the company's public disclosure. The timeline looks like this:

  • Conpet detected the intrusion and took its website offline
  • IT specialists began containment and coordination with Romania's national cybersecurity authorities
  • The company filed a criminal complaint
  • Qilin listed Conpet on its leak site with sample data

The published samples reportedly include internal financial documents and employee passport scans—the kind of data that's useful for both extortion leverage and downstream fraud.

Qilin's Growing Target List

Qilin (also known as Agenda) is a Russian-speaking ransomware-as-a-service operation active since 2022. The group had a breakout year in 2025, and 2026 hasn't slowed them down. In January alone, Qilin was responsible for 17 attacks targeting healthcare organizations, and the group previously hit Covenant Health, exposing 478,000 patient records.

The Conpet attack marks another expansion into critical infrastructure. Energy companies are high-value targets for ransomware gangs because operational disruption creates immediate pressure to pay, even when OT systems aren't directly compromised. The threat of leaked sensitive documents adds a second layer of extortion.

Romania's Rough Stretch

This isn't Romania's first critical infrastructure hit in recent months. We covered the Romania water agency ransomware attack where attackers encrypted over 1,000 systems using BitLocker, and the Oltenia Energy ransomware incident that targeted one of the country's largest power producers.

Three major critical infrastructure attacks in a single country within a few months is a pattern, not a coincidence. Romania's energy and utilities sector appears to be systematically targeted, and the variety of actors involved (Qilin, a BitLocker-based operation, Gentlemen) suggests multiple independent actors have identified Romanian infrastructure as attractive.

The OT/IT Divide Held—This Time

The fact that Conpet's SCADA systems stayed operational is worth noting. Air-gapping or properly segmenting OT networks from corporate IT remains one of the most effective defenses against ransomware affecting physical operations. But it's not guaranteed. Plenty of organizations assume their OT is isolated when it isn't, and attackers who establish persistence in IT networks can eventually find paths to OT.

For security teams at energy companies, Conpet's experience reinforces two priorities: validate that your OT/IT segmentation actually works under adversarial conditions, and ensure your corporate IT resilience plan can sustain operations even when business systems go down.
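One way to start validating segmentation on paper before testing it live is to audit the firewall rule base for any rule that still lets corporate IT reach OT. The script below is an added example, not something from Conpet or the original article; the zone ranges, rule names and first-match rule semantics are all assumptions constructed for illustration.

```python
"""Audit an ordered firewall rule list for paths from corporate IT into OT."""
from ipaddress import ip_network
from itertools import product

# Constructed zones and rules for illustration only (hypothetical network).
IT_ZONES = [ip_network("10.10.0.0/16")]
OT_ZONES = [ip_network("10.50.0.0/16")]
# (name, action, source, destination, port or None for any); first match wins.
RULES = [
    ("historian-sync", "allow", "10.10.20.5/32", "10.50.1.10/32", 443),
    ("mgmt-ssh", "allow", "10.10.0.0/16", "10.0.0.0/8", 22),  # broad: 10/8 includes OT
    ("block-it-to-ot", "deny", "10.10.0.0/16", "10.50.0.0/16", None),
    ("vendor-rdp", "allow", "10.10.30.0/24", "10.50.2.0/24", 3389),
    ("legacy-any", "allow", "0.0.0.0/0", "0.0.0.0/0", None),
]

def _narrow(a, b):
    """Intersection of two overlapping CIDR blocks (the more specific one)."""
    return a if a.subnet_of(b) else b

def _denied_earlier(flow, earlier):
    """True if one earlier deny rule matches the whole flow (first match wins)."""
    src, dst, port = flow
    return any(
        action == "deny" and src.subnet_of(ip_network(s)) and dst.subnet_of(ip_network(d))
        and (p is None or p == port)
        for _name, action, s, d, p in earlier)

def it_to_ot_exposures(rules, it_zones, ot_zones):
    """Return (rule, src, dst, port) for every allow rule that passes IT traffic into OT."""
    findings = []
    for idx, (name, action, src, dst, port) in enumerate(rules):
        if action != "allow":
            continue
        src_net, dst_net = ip_network(src), ip_network(dst)
        for it, ot in product(it_zones, ot_zones):
            if not (src_net.overlaps(it) and dst_net.overlaps(ot)):
                continue
            # Only the part of the rule that falls inside IT x OT matters here.
            flow = (_narrow(src_net, it), _narrow(dst_net, ot), port)
            if not _denied_earlier(flow, rules[:idx]):
                findings.append((name, str(flow[0]), str(flow[1]), port))
    return findings

if __name__ == "__main__":
    for finding in it_to_ot_exposures(RULES, IT_ZONES, OT_ZONES):
        print("IT->OT path permitted:", finding)
```

The check is conservative: it treats a flow as blocked only when a single earlier deny covers it entirely, so it can over-report but will not hide a path. A rule audit does not replace testing actual reachability from an IT host.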

Why This Matters

Critical infrastructure ransomware attacks have moved from rare events to routine ones. Qilin's hit on Romania's oil pipeline operator is the latest in a string that shows ransomware gangs are increasingly comfortable targeting organizations where a disruption could cascade into real-world consequences. The shift from opportunistic encryption to targeted data theft and extortion makes these attacks harder to ignore—even when operations continue, the stolen data becomes a weapon.
