Cyber Security Insights

Two Confirmed Attacks in Three Days

Written by Madalin Staniu | Jul 17, 2026 2:32:54 PM

The July 2026 Attacks on Romania's ANCPI and MIPE

Executive summary

In the space of three days, two Romanian public institutions that citizens and businesses depend on were taken offline by cyberattacks. On 14 July the National Agency for Cadastre and Land Registration (ANCPI) lost its e-Terra land registry platform, and by 16 July the Ministry of Investments and European Projects (MIPE) confirmed that one of its procurement applications had been hit. Both agencies initially reached for cautious language, "technical incident" at ANCPI, "cybernetic incident" at MIPE, before the picture hardened into what it plainly is: a data-integrity and availability crisis in the systems that underpin property rights and EU-funded investment in Romania.

The headline for a board or a minister is short. The attacks froze real estate transactions nationwide and disrupted EU-funds procurement at a moment when the government is finalizing its PNRR revision and a multi-billion-euro payment request to Brussels. The technical facts are still being established, and some of the most serious claims (data exfiltration, stolen source code, deleted project databases) come from the attacker and from unnamed sources rather than from forensic confirmation. That gap between claim and confirmation is exactly where the response has to be disciplined. This paper sets out what is confirmed, what is claimed, what it means, and what to do first.

What happened

ANCPI (land registry), 14 July

On Tuesday 14 July, ANCPI's e-Terra application, the system through which cadastral records and land-book extracts are managed, became unavailable. The agency first described it as a major technical failure, then confirmed it as a cyberattack. The disruption was not limited to e-Terra: reporting indicates the agency's applications more broadly, including email, went dark, which points to a large internal blast radius rather than a single exposed service.

 

ANCPI's public line is that the data it administers was not compromised, and that the circumstances are being investigated by the competent state authorities. On 15 July the agency estimated e-Terra would stay offline through the end of the week. Later communications acknowledged this as the most serious technical incident in the agency's history.

 

Against that, a threat actor using the alias ByteToBreach claimed responsibility and began advertising ANCPI data for sale on a dark web forum. The actor claims to hold citizen data and internal databases, to have copied the agency's GitLab servers including source code, and to have deployed ransomware. The same actor was linked to an attack on Latvia's state forestry body the previous month. None of the exfiltration or ransomware claims has been independently confirmed at the time of writing, and they sit in direct tension with ANCPI's statement that data was not compromised. Both positions cannot be fully true; the resolution will come from forensics, not from press statements.

MIPE (EU funds), 16 July

On Thursday 16 July, MIPE confirmed that its "Achizitii Beneficiari Privati" application, used by private beneficiaries to run procurement procedures for Cohesion Policy projects, was the target of a cyber incident and was inaccessible. The National Cyber Security Directorate (DNSC) confirmed it had been notified the same day through the national incident reporting platform (PNRISC) and was supporting the response alongside other authorities.

MIPE was emphatic on one point: the affected application is not the PNRR platform, and the PNRR platform remained functional. That clarification was a direct response to reporting, sourced to people inside the ministry, that attackers had compromised MIPE systems and deleted the database of PNRR projects and beneficiaries. Whether data was only deleted, or also copied before deletion, and whether it was recoverable from backups, was not established publicly. The government's own framing, from President Nicusor Dan, was that the attack is regrettable but part of a continuing contest, set against the thousands of attacks aimed at European institutions in recent years.

The timing matters. The incident landed as the government finalized the third revision of its PNRR and prepared Payment Request no. 5 to the European Commission, a submission with a gross value in the region of 2.66 billion euro tied to dozens of reform and investment milestones. An availability or integrity problem in the systems that evidence those milestones is not just an IT outage; it touches the country's standing with its largest funder.

Analysis

These are not isolated events

Read on their own, two outages in one week look like bad luck. Read against the last two years, they look like a trend. Romania's public sector has absorbed a steady run of serious incidents: the December 2025 ransomware attack on the national water administration (Apele Romane) that encrypted roughly a thousand systems across ten of eleven basin administrations using Windows BitLocker; the February 2024 Backmydata ransomware that forced more than a hundred hospitals offline; the Lynx compromise of the electricity operator Electrica; and, going back further, the 2022 Killnet DDoS wave. The common thread is not a single actor or technique. It is a large public estate with uneven security maturity, high-value data, and services that citizens cannot easily do without.

Root cause is still open, and that is the honest position

For both ANCPI and MIPE, the initial access vector has not been disclosed. It would be irresponsible to assert a cause. What can be said is which weaknesses tend to enable incidents of this shape, and they are worth naming because they are also where remediation lives:

  • A public-facing application as the entry point (mapped conceptually to MITRE ATT&CK T1190, Exploit Public-Facing Application) or valid credentials obtained through phishing or reuse (T1078, Valid Accounts). Both are candidates; neither is confirmed.
  • A flat or poorly segmented internal network, inferred from the fact that at ANCPI the outage reached email and multiple applications, not just e-Terra. When one foothold can reach everything, the blast radius is the whole agency.
  • Reachable source-code infrastructure. The claim that GitLab servers and source code were copied, if true, points to developer infrastructure being accessible from a compromised position and holding secrets or credentials that widen access further (T1213, Data from Information Repositories).

The behaviors being claimed, in defensive terms

If the attacker claims hold up, the relevant techniques for defenders to reason about are data theft to an external service (T1567, Exfiltration Over Web Service), destructive impact on data (T1485, Data Destruction, consistent with the reported PNRR database deletion at MIPE), inhibition of recovery such as removing backups or volume shadow copies (T1490), and encryption for impact (T1486). The Apele Romane case last December is instructive here because it showed a legitimate tool, BitLocker, being turned into the encryption mechanism (T1486 combined with T1562, Impair Defenses). Detection has to focus on the behavior, mass encryption, mass deletion, backup tampering, large outbound transfers, not on a specific malware signature.

Impact

For ANCPI, the immediate operational cost is a nationwide freeze on property transactions, which ripple into notaries, banks, and buyers mid-purchase. The longer-tail risk is to data. If citizen and cadastral records were exfiltrated, the exposure is not transient: land ownership and personal data support title fraud and targeted social engineering for years, and the incident becomes a personal-data breach with obligations under GDPR. The integrity of the land registry is foundational; public trust in it is not easily rebuilt.

For MIPE, the operational cost falls on private beneficiaries who cannot run procurement, and the strategic cost falls on the state's relationship with the Commission if project evidence is disrupted at payment time. If the PNRR project database was genuinely deleted and backups are sound, this is a recovery exercise. If backups are not sound, it is a reconstruction exercise, and a far more expensive one.

Recommendations

Prioritized by risk reduction against effort. The first three would have limited the damage in most of the incidents Romania has seen this year.

Do first (limit the blast radius).

  1. Segment the network and isolate public-facing applications from internal repositories, email, and administrative systems. The lesson from the ANCPI outage is that one compromise should not be able to reach everything. Maps to CIS Control 12 and ISO/IEC 27001 Annex A 8.20 to 8.22.
  2. Enforce phishing-resistant MFA (FIDO2 hardware keys) on all privileged, remote, and administrative access. This closes the most common credential-based entry path. Maps to CIS Control 6, ISO 27001 A.8.5, NIST CSF PR.AA.
  3. Move backups to an offline, immutable, and regularly restore-tested model (a genuine 3-2-1 posture), and treat restore drills as a scheduled exercise, not a theoretical capability. This is the single control that turns a destructive attack into a recoverable one, and it speaks directly to the continuity gap that the deletion claims at MIPE expose. Maps to CIS Control 11, ISO 27001 A.8.13, NIST CSF PR.DS and RC.RP.

 

Do next (see it happening).

  1. Centralize logging and deploy EDR or XDR with behavioral detection tuned for the impact behaviors above: mass file encryption, abuse of BitLocker or other native encryption tools, bulk deletion, shadow-copy or backup tampering, and anomalous large outbound transfers. Express the detections as behavior, not signatures. Maps to CIS Controls 8 and 13, NIST CSF DE.CM.
  2. Connect the institution to the national cyber protection capability operated by the state (the point the water-authority case made painfully clear when it turned out that agency was not yet integrated). For public bodies this is both a defensive gain and, increasingly, an expectation.
  3. Secure the software supply chain: tight access control on source-code platforms, secrets scanning to keep credentials out of repositories, and immutable backups of the repositories themselves. The GitLab claim, whether or not it proves accurate here, is a realistic threat to any digitalized agency.

 

Do continuously (recover and govern).

  1. Maintain and rehearse an incident response plan, ideally with a retained responder on call, and run tabletop exercises against exactly these scenarios (destructive ransomware, mass data theft). An untested plan is a document, not a capability.
  2. Build manual fallback procedures for the most critical citizen-facing services so a systems outage does not become a total service outage. Property registration and EU-funds procurement both need a defined degraded-mode process.
  3. Follow the standing national guidance not to negotiate with or pay ransomware actors, and route all decisions through DNSC and law enforcement.

 

Residual risk is real and should be stated plainly: none of this makes a determined intrusion impossible. The purpose is to shrink what an intruder can reach, shorten how long they go unseen, and guarantee that the organization can recover on its own terms.

The regulatory angle

Both entities sit within the scope of the NIS2 Directive and its Romanian transposition as public administration operators of important services. That brings concrete obligations that this week will test in practice: risk-management measures proportionate to the threat, and timely incident reporting to the national CSIRT and DNSC, an early warning within the first day and a fuller notification within roughly three days of awareness. The notification to DNSC through PNRISC in the MIPE case is the reporting machinery working as intended. The harder question NIS2 asks is upstream: were the risk-management measures in place before the incident.

If personal data was exposed at ANCPI, GDPR obligations run in parallel: assessment of the breach, notification to the supervisory authority, and, depending on the risk to individuals, communication to those affected. This is a live consideration precisely because the attacker's exfiltration claim contradicts the agency's initial "no data compromised" statement, and the resolution has legal, not just technical, consequences.

DORA is worth mentioning only to set it aside: it governs financial-sector operational resilience and is not the relevant regime for these two bodies. Reaching for it here would be framework name-dropping, and it does not earn its place.

Conclusion and next steps

The uncomfortable takeaway is not that Romania was attacked. Every state is, constantly. It is that two foundational public systems could be pushed into multi-day outages, and that the most damaging questions, was data stolen, was it destroyed, can we recover cleanly, were still open days later. That uncertainty is itself a finding. It says the visibility and the recovery guarantees were not where they needed to be before the attack.

For any Romanian public institution watching this unfold, the next 30 days are the window to act on the assumption that it is next: confirm that public-facing apps are isolated from the crown jewels, that privileged access is behind phishing-resistant MFA, and that backups are offline, immutable, and provably restorable. Those three, done properly, are the difference between an incident and a catastrophe. The following 90 days are for the detection, national-integration, and rehearsed-response work that turns a good posture into a durable one.

Digitalization created the dependency. It now has to earn the trust, and trust here is measured in continuity and in the honesty of what an institution can say about its own data after a bad week.

References

  1. Help Net Security, "Romania's land registry hit by cyber attack, data allegedly for sale," 16 July 2026. https://www.helpnetsecurity.com/2026/07/16/romania-ancpi-cyber-attack/
  2. News4Hackers, "Cyber Attack on Romania Land Registry: Exposed Data for Sale," 16 July 2026. https://www.news4hackers.com/cyber-attack-on-romania-land-registry-exposed-data-for-sale
  3. OffSeq Threat Radar, "Romanian Government Cadastre (ANCPI) cyber attack / ransomware," July 2026. https://radar.offseq.com/threat/romanian-government-cadastre-ancpi-cyber-attack-ra-bf698d8f2d4e281d
  4. Digi24, "Atac cibernetic la MIPE. Nicusor Dan: Este nefericit, dar face parte dintr-o lupta in curs," 16 July 2026. https://www.digi24.ro/stiri/nou-atac-cibernetic-asupra-unei-platforme-publice-mipe-aplicatia-pentru-beneficiarii-privati-nu-poate-fi-accesata-3865395
  5. Puterea.ro, "Atac cibernetic la MIPE: Ministerul dezminte afectarea platformei PNRR," 16 July 2026. https://www.puterea.ro/atac-cibernetic-la-mipe-ministerul-dezminte-afectarea-platformei-pnrr/
  6. EVZ, "Atac cibernetic la Ministerul Proiectelor Europene. Surse: Baza de date cu proiectele PNRR ar fi fost stearsa," 16 July 2026. https://evz.ro/atac-cibernetic-la-ministerul-proiectelor-europene-surse-baza-de-date-cu-proiectele-pnrr-ar-fi-fost-stearsa.html
  7. StartupCafe, "Atac cibernetic la aplicatia pentru achizitii in proiectele europene," 16 July 2026. https://startupcafe.ro/atac-cibernetic-la-aplicatia-pentru-achizitii-in-proiectele-europene-103479
  8. BleepingComputer, "Romanian water authority hit by ransomware attack over weekend," 22 December 2025. https://www.bleepingcomputer.com/news/security/romanian-water-authority-hit-by-ransomware-attack-over-weekend/
  9. Security Affairs, "Romanian Waters confirms cyberattack, critical water operations unaffected," 22 December 2025. https://securityaffairs.com/186010/cyber-crime/romanian-waters-confirms-cyberattack-critical-water-operations-unaffected.html
  10. MITRE ATT&CK, Enterprise techniques referenced conceptually: T1190, T1078, T1213, T1486, T1485, T1490, T1567, T1562. https://attack.mitre.org/

Note on evidence: this paper distinguishes confirmed facts (the outages, the confirmation of cyberattacks, the DNSC notification) from claims made by the threat actor or by unnamed sources (data exfiltration, stolen source code, deleted PNRR database) and from official statements (ANCPI's "data not compromised," MIPE's "PNRR platform functional"). Where the initial access vector or the extent of data loss is not established, that is stated rather than assumed. Attribution to ByteToBreach rests on the actor's own claim and third-party dark-web monitoring; it should be treated as unconfirmed pending forensic findings.