How to Map CVE-2026-0257 Exposure Using Shodan?
A technical guide on mapping the Palo Alto GlobalProtect CVE-2026-0257 vulnerability using Shodan OSINT and Nuclei templates, without executing...
ANCPI and MIPE suffered major cyberattacks in July 2026. Learn why flat networks caused nationwide outages and how to audit your BCDR against similar threats.
In the space of three days, two Romanian public institutions that citizens and businesses depend on were taken offline by cyberattacks. On 14 July the National Agency for Cadastre and Land Registration (ANCPI) lost its e-Terra land registry platform, and by 16 July the Ministry of Investments and European Projects (MIPE) confirmed that one of its procurement applications had been hit. Both agencies initially reached for cautious language, "technical incident" at ANCPI, "cybernetic incident" at MIPE, before the picture hardened into what it plainly is: a data-integrity and availability crisis in the systems that underpin property rights and EU-funded investment in Romania.
The headline for a board or a minister is short. The attacks froze real estate transactions nationwide and disrupted EU-funds procurement at a moment when the government is finalizing its PNRR revision and a multi-billion-euro payment request to Brussels. The technical facts are still being established, and some of the most serious claims (data exfiltration, stolen source code, deleted project databases) come from the attacker and from unnamed sources rather than from forensic confirmation. That gap between claim and confirmation is exactly where the response has to be disciplined. This paper sets out what is confirmed, what is claimed, what it means, and what to do first.
On Tuesday 14 July, ANCPI's e-Terra application, the system through which cadastral records and land-book extracts are managed, became unavailable. The agency first described it as a major technical failure, then confirmed it as a cyberattack. The disruption was not limited to e-Terra: reporting indicates the agency's applications more broadly, including email, went dark, which points to a large internal blast radius rather than a single exposed service.
ANCPI's public line is that the data it administers was not compromised, and that the circumstances are being investigated by the competent state authorities. On 15 July the agency estimated e-Terra would stay offline through the end of the week. Later communications acknowledged this as the most serious technical incident in the agency's history.
Against that, a threat actor using the alias ByteToBreach claimed responsibility and began advertising ANCPI data for sale on a dark web forum. The actor claims to hold citizen data and internal databases, to have copied the agency's GitLab servers including source code, and to have deployed ransomware. The same actor was linked to an attack on Latvia's state forestry body the previous month. None of the exfiltration or ransomware claims has been independently confirmed at the time of writing, and they sit in direct tension with ANCPI's statement that data was not compromised. Both positions cannot be fully true; the resolution will come from forensics, not from press statements.
On Thursday 16 July, MIPE confirmed that its "Achizitii Beneficiari Privati" application, used by private beneficiaries to run procurement procedures for Cohesion Policy projects, was the target of a cyber incident and was inaccessible. The National Cyber Security Directorate (DNSC) confirmed it had been notified the same day through the national incident reporting platform (PNRISC) and was supporting the response alongside other authorities.
MIPE was emphatic on one point: the affected application is not the PNRR platform, and the PNRR platform remained functional. That clarification was a direct response to reporting, sourced to people inside the ministry, that attackers had compromised MIPE systems and deleted the database of PNRR projects and beneficiaries. Whether data was only deleted, or also copied before deletion, and whether it was recoverable from backups, was not established publicly. The government's own framing, from President Nicusor Dan, was that the attack is regrettable but part of a continuing contest, set against the thousands of attacks aimed at European institutions in recent years.
The timing matters. The incident landed as the government finalized the third revision of its PNRR and prepared Payment Request no. 5 to the European Commission, a submission with a gross value in the region of 2.66 billion euro tied to dozens of reform and investment milestones. An availability or integrity problem in the systems that evidence those milestones is not just an IT outage; it touches the country's standing with its largest funder.
Read on their own, two outages in one week look like bad luck. Read against the last two years, they look like a trend. Romania's public sector has absorbed a steady run of serious incidents: the December 2025 ransomware attack on the national water administration (Apele Romane) that encrypted roughly a thousand systems across ten of eleven basin administrations using Windows BitLocker; the February 2024 Backmydata ransomware that forced more than a hundred hospitals offline; the Lynx compromise of the electricity operator Electrica; and, going back further, the 2022 Killnet DDoS wave. The common thread is not a single actor or technique. It is a large public estate with uneven security maturity, high-value data, and services that citizens cannot easily do without.
For both ANCPI and MIPE, the initial access vector has not been disclosed. It would be irresponsible to assert a cause. What can be said is which weaknesses tend to enable incidents of this shape, and they are worth naming because they are also where remediation lives:
If the attacker claims hold up, the relevant techniques for defenders to reason about are data theft to an external service (T1567, Exfiltration Over Web Service), destructive impact on data (T1485, Data Destruction, consistent with the reported PNRR database deletion at MIPE), inhibition of recovery such as removing backups or volume shadow copies (T1490), and encryption for impact (T1486). The Apele Romane case last December is instructive here because it showed a legitimate tool, BitLocker, being turned into the encryption mechanism (T1486 combined with T1562, Impair Defenses). Detection has to focus on the behavior, mass encryption, mass deletion, backup tampering, large outbound transfers, not on a specific malware signature.
For ANCPI, the immediate operational cost is a nationwide freeze on property transactions, which ripple into notaries, banks, and buyers mid-purchase. The longer-tail risk is to data. If citizen and cadastral records were exfiltrated, the exposure is not transient: land ownership and personal data support title fraud and targeted social engineering for years, and the incident becomes a personal-data breach with obligations under GDPR. The integrity of the land registry is foundational; public trust in it is not easily rebuilt.
For MIPE, the operational cost falls on private beneficiaries who cannot run procurement, and the strategic cost falls on the state's relationship with the Commission if project evidence is disrupted at payment time. If the PNRR project database was genuinely deleted and backups are sound, this is a recovery exercise. If backups are not sound, it is a reconstruction exercise, and a far more expensive one.
Prioritized by risk reduction against effort. The first three would have limited the damage in most of the incidents Romania has seen this year.
Residual risk is real and should be stated plainly: none of this makes a determined intrusion impossible. The purpose is to shrink what an intruder can reach, shorten how long they go unseen, and guarantee that the organization can recover on its own terms.
Both entities sit within the scope of the NIS2 Directive and its Romanian transposition as public administration operators of important services. That brings concrete obligations that this week will test in practice: risk-management measures proportionate to the threat, and timely incident reporting to the national CSIRT and DNSC, an early warning within the first day and a fuller notification within roughly three days of awareness. The notification to DNSC through PNRISC in the MIPE case is the reporting machinery working as intended. The harder question NIS2 asks is upstream: were the risk-management measures in place before the incident.
If personal data was exposed at ANCPI, GDPR obligations run in parallel: assessment of the breach, notification to the supervisory authority, and, depending on the risk to individuals, communication to those affected. This is a live consideration precisely because the attacker's exfiltration claim contradicts the agency's initial "no data compromised" statement, and the resolution has legal, not just technical, consequences.
DORA is worth mentioning only to set it aside: it governs financial-sector operational resilience and is not the relevant regime for these two bodies. Reaching for it here would be framework name-dropping, and it does not earn its place.
The uncomfortable takeaway is not that Romania was attacked. Every state is, constantly. It is that two foundational public systems could be pushed into multi-day outages, and that the most damaging questions, was data stolen, was it destroyed, can we recover cleanly, were still open days later. That uncertainty is itself a finding. It says the visibility and the recovery guarantees were not where they needed to be before the attack.
For any Romanian public institution watching this unfold, the next 30 days are the window to act on the assumption that it is next: confirm that public-facing apps are isolated from the crown jewels, that privileged access is behind phishing-resistant MFA, and that backups are offline, immutable, and provably restorable. Those three, done properly, are the difference between an incident and a catastrophe. The following 90 days are for the detection, national-integration, and rehearsed-response work that turns a good posture into a durable one.
Digitalization created the dependency. It now has to earn the trust, and trust here is measured in continuity and in the honesty of what an institution can say about its own data after a bad week.
Note on evidence: this paper distinguishes confirmed facts (the outages, the confirmation of cyberattacks, the DNSC notification) from claims made by the threat actor or by unnamed sources (data exfiltration, stolen source code, deleted PNRR database) and from official statements (ANCPI's "data not compromised," MIPE's "PNRR platform functional"). Where the initial access vector or the extent of data loss is not established, that is stated rather than assumed. Attribution to ByteToBreach rests on the actor's own claim and third-party dark-web monitoring; it should be treated as unconfirmed pending forensic findings.
A technical guide on mapping the Palo Alto GlobalProtect CVE-2026-0257 vulnerability using Shodan OSINT and Nuclei templates, without executing...
Learn how subdomain mismanagement can expand your attack surface and expose your enterprise to significant cybersecurity risks. Discover strategies...
Discover five critical insights from the NIS 2 Directive that every business leader must understand to ensure cybersecurity resilience and compliance.