Full Report
Romania's national oil pipeline operator, Conpet S.A., confirmed that the Qilin ransomware gang stole company data in an attack last week. [...]
Analysis Summary
# Incident Report: Qilin Ransomware Attack on Conpet S.A.
## Executive Summary
Conpet S.A., Romania’s national oil pipeline operator, was targeted by the Qilin ransomware group in a cyberattack that resulted in the exfiltration of approximately 1TB of corporate data. While the breach compromised sensitive company and personal information, the organization maintains that critical oil transport operations remained unaffected. The company is currently working with national authorities to investigate the scope of the leak and mitigate further risk.
## Incident Details
- **Discovery Date:** Week of February 2, 2026 (Reported Feb 12, 2026)
- **Incident Date:** February 2026
- **Affected Organization:** Conpet S.A.
- **Sector:** Critical Infrastructure / Energy (Oil Pipeline Operator)
- **Geography:** Romania
## Timeline of Events
### Initial Access
- **Date/Time:** Early February 2026
- **Vector:** Not explicitly disclosed (Qilin typically uses phishing or exploited VPN/RDP credentials).
- **Details:** Threat actors breached the corporate IT infrastructure.
### Lateral Movement
- **Details:** The attackers moved through the corporate network to access file servers containing financial records and employee/contractor identification documents.
### Data Exfiltration/Impact
- **Data Stolen:** Approximately 1TB of documents.
- **Proof of Life:** The attackers leaked 16 sample images containing financial information and passport scans.
- **Content:** Personal Identification Numbers (PINs), bank accounts, postal addresses, and confidential corporate documents dated as recently as November 2025.
### Detection & Response
- **Discovery:** Detected via unauthorized activity/ransomware deployment.
- **Response Actions:** Conpet issued a public press release the day after the incident. They engaged the Romanian National Cyber Security Directorate (DNSC) for a joint investigation.
## Attack Methodology
- **Initial Access:** Likely credential compromise or phishing (typical of Qilin TTPs).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Network scanning to locate sensitive financial and HR repositories.
- **Lateral Movement:** Standard Qilin techniques (likely RDP/SMB).
- **Collection:** Aggregation of ~1TB of internal documentation.
- **Exfiltration:** Data sent to Qilin's leak site infrastructure.
- **Impact:** Data theft and potential encryption (though operations remained functional).
## Impact Assessment
- **Financial:** Potential for GDPR-related fines and costs associated with forensic investigation.
- **Data Breach:** High. 1TB of data including passport scans, personal IDs, and bank details.
- **Operational:** Low. Critical pipeline infrastructure and transport operations were not affected.
- **Reputational:** Moderate. As a strategic national company, the leak of confidential government-linked energy data is a significant concern.
## Indicators of Compromise
- **Network indicators:** Qilin's dedicated data leak site; no specific domains, URLs or IP addresses tied to this intrusion have been published.
- **File indicators:** Documents with timestamps up to Nov 2025; internal financial spreadsheets.
- **Behavioral indicators:** Large outbound data transfers to known ransomware double-extortion sites.
## Response Actions
- **Containment measures:** Isolation of the corporate IT infrastructure from critical operational technology (OT) networks.
- **Eradication steps:** Ongoing investigation with DNSC to purge threat actor presence.
- **Recovery actions:** Verification of data integrity and monitoring for fraudulent use of stolen credentials.
## Lessons Learned
- **OT/IT Segmentation:** The incident highlights the success of network segmentation, as the corporate breach did not migrate to the pipeline's operational controls.
- **Data Governance:** The presence of sensitive scans (passports) on accessible corporate networks suggests a need for stricter data encryption at rest and access controls.
## Recommendations
- **Identity Security:** Implement Multi-Factor Authentication (MFA) across all corporate entry points to thwart Qilin's primary access vectors.
- **Phishing Defense:** Enhanced email filtering and employee awareness training regarding urgent/fraudulent requests.
- **Data Loss Prevention (DLP):** Implement DLP solutions to detect and block the unauthorized outbound transfer of large volumes of data (~1TB).
- **Monitoring:** Targeted monitoring for impersonation scams targeting employees using the leaked personal data.
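As an added example (not from the report, Conpet or DNSC), the behavioural indicator and DLP recommendation above expressed as detection logic: it sums outbound bytes per (source, destination) pair over a sliding window and flags pairs that exceed a volume threshold, and separately lists internal hosts that contacted a blocklisted destination. The log format, IP addresses, thresholds and blocklist are constructed placeholders.

```python
"""Volume-based egress detection over constructed firewall log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, format assumed: timestamp,src,dst,bytes_out.
# The one source that ships ~3.3 GiB in about an hour is the bulk-egress case.
SAMPLE_LOGS = """\
2026-02-03T01:05:00,10.20.5.17,203.0.113.40,734003200
2026-02-03T01:20:00,10.20.5.17,203.0.113.40,805306368
2026-02-03T01:40:00,10.20.5.17,203.0.113.40,912261120
2026-02-03T02:10:00,10.20.5.17,203.0.113.40,1073741824
2026-02-03T09:00:00,10.20.7.3,198.51.100.9,2097152
2026-02-03T09:30:00,10.20.7.3,198.51.100.9,1048576
2026-02-04T03:00:00,10.20.5.17,203.0.113.40,52428800
"""
GIB = 1024 ** 3
# Constructed placeholder blocklist of known double-extortion drop points.
LEAK_SITE_BLOCKLIST = {"203.0.113.40"}

def parse_lines(log_text):
    """Parse the assumed CSV format into (ts, src, dst, bytes) tuples, sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        ts, src, dst, nbytes = line.split(",")
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return sorted(events)

def find_bulk_egress(log_text, window=timedelta(hours=2), threshold=2 * GIB):
    """One alert per (src, dst) pair whose outbound bytes inside any sliding
    window exceed the threshold; alert = (src, dst, window_start, total_bytes)."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in parse_lines(log_text):
        by_pair[(src, dst)].append((ts, nbytes))
    alerts = []
    for (src, dst), evs in by_pair.items():
        start, total, best = 0, 0, None
        for ts, nbytes in evs:
            total += nbytes
            while ts - evs[start][0] > window:  # drop events that fell out of the window
                total -= evs[start][1]
                start += 1
            if total > threshold and (best is None or total > best[3]):
                best = (src, dst, evs[start][0], total)  # keep the largest window seen
        if best:
            alerts.append(best)
    return alerts

def contacts_blocklist(log_text, blocklist=LEAK_SITE_BLOCKLIST):
    """Internal hosts that sent any traffic to a blocklisted destination."""
    return sorted({src for _, src, dst, _ in parse_lines(log_text) if dst in blocklist})
```

Tune `window` and `threshold` to the site's normal egress baseline; the point is to alert on sustained volume to one destination, not on any single large transfer.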