Full Report
For the latest discoveries in cyber research for the week of 9th February, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Romania’s national oil pipeline operator, Conpet, has suffered a cyberattack that disrupted its IT systems and took its website offline. The company said operational technology, including pipeline control and telecommunications systems, remained […] The post 9th February – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
# Incident Report: Conpet Cyberattack (Week of Feb 9th)
## Executive Summary
Romania's national oil pipeline operator, Conpet, suffered a cyberattack that disrupted its IT systems and took its public website offline. The Qilin ransomware group has claimed responsibility. According to the company, operational technology (OT), including pipeline control and telecommunications systems, was not affected, and oil transport continued.
## Incident Details
- Discovery Date: Week of February 9th (Reported context week)
- Incident Date: Occurred during the week leading up to February 9th, 2026 (based on article date metadata)
- Affected Organization: Conpet (Romania’s national oil pipeline operator)
- Sector: Energy / Oil & Gas (Pipeline Operations)
- Geography: Romania
## Timeline of Events
### Initial Access
- Date/Time: Not disclosed; the intrusion preceded the company's public acknowledgment during the week of February 9th.
- Vector: Not disclosed. The report does not identify the initial access vector; the ransomware characterization rests on Qilin's claim of responsibility.
- Details: The intrusion disrupted IT systems and took the public website offline.
### Lateral Movement
- Details: Not detailed in the report. Multiple IT systems and the public website were affected, but how the attacker moved between them is not described.
### Data Exfiltration/Impact
- Impact: Disruption of internal IT systems and the company website being taken offline.
- Crucially, the Operational Technology (OT) systems, including pipeline control and telecommunications, were **not** impacted and remained fully functional.
### Detection & Response
- Detection: Not disclosed. The company publicly acknowledged the IT disruption.
- Response Actions: The company stated that operational systems remained secure and functional. No further response actions are described.
## Attack Methodology
- Initial Access: Not disclosed. The attack was claimed by the **Qilin ransomware group**.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection: Not detailed. Qilin operates a double-extortion model (data theft before encryption), so exfiltration is plausible but is not confirmed for this incident.
- Exfiltration: Not detailed.
- Impact: **IT systems disrupted** and the **public website taken offline**. No defacement and no OT impact were reported.
## Impact Assessment
- Financial: Not detailed.
- Data Breach: Not specified if customer or operational data was exfiltrated.
- Operational: **Minimal operational impact**; oil transport continued as normal because OT systems were unaffected. Whether this was the result of network segmentation or of other factors is not stated. IT systems and the public website were disrupted.
- Reputational: Negative impact due to public confirmation of a major cyberattack on critical national infrastructure.
## Indicators of Compromise
* **Threat Actor:** Qilin ransomware group (by its own claim).
* **File Indicators:** None published; no hashes or filenames for the payload are provided.
* **Behavioral Indicators:** IT system disruption consistent with ransomware deployment; no incident-specific TTPs are documented.
## Response Actions
- Containment Measures: Not disclosed. OT remained unaffected; whether this was due to active isolation during the incident or to pre-existing segmentation is not stated.
- Eradication Steps: Not disclosed.
- Recovery Actions: Restoration of affected IT systems and the public website; status not reported.
## Lessons Learned
- **OT/IT Separation:** The key positive outcome is that the IT disruption did not reach the OT network, so oil transport continued. This is consistent with effective IT/OT segmentation, although the report does not confirm which controls were involved.
- **Ransomware Threat Persistence:** Operators of national critical infrastructure remain high-value targets for financially motivated ransomware groups such as Qilin.
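The OT/IT separation lesson above is only as good as the rule set that enforces it. The following is an added example, not Conpet's configuration or any vendor's tooling: it audits a zone-based firewall rule set for allow rules that cross the OT boundary outside a small allow-list of DMZ-mediated flows, and checks that an explicit default deny closes the set. The zone addressing, the permitted crossings (SSH/RDP from a jump host into OT, historian replication from OT to the DMZ) and the sample rules are constructed assumptions.

```python
"""Audit a zone-based firewall rule set for flows crossing the IT/OT boundary.

Added example, not Conpet's configuration. The zone addressing, the
allow-list of permitted crossings and the sample rules are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Constructed zone addressing (assumption): corporate IT, an IT/OT DMZ, and the OT network.
ZONES = {
    "IT": ip_network("10.0.0.0/8"),
    "DMZ": ip_network("172.16.0.0/24"),
    "OT": ip_network("192.168.0.0/16"),
}

# Policy: the only permitted crossings of the OT boundary. Everything else is a finding.
# (src_zone, dst_zone) -> set of (protocol, destination port)
ALLOWED_CROSSINGS = {
    ("DMZ", "OT"): {("tcp", 22), ("tcp", 3389)},   # jump host into OT
    ("OT", "DMZ"): {("tcp", 5432)},                # historian replication out to the DMZ
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any port
    action: str           # "allow" or "deny"


def zones_touched(cidr: str) -> set:
    """Every zone a CIDR overlaps; 0.0.0.0/0 touches all of them."""
    net = ip_network(cidr, strict=False)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}


def audit_rules(rules: list) -> list:
    """Return (rule_name, reason) findings for allow rules that cross the OT
    boundary outside the allow-list, plus a finding if no default deny closes the set."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        for s in zones_touched(r.src):
            for d in zones_touched(r.dst):
                if s == d or "OT" not in (s, d):
                    continue  # intra-zone traffic and IT<->DMZ are out of scope here
                if r.dport is None or r.proto == "any":
                    findings.append((r.name, f"{s}->{d} allowed on any port/protocol"))
                elif (r.proto, r.dport) not in ALLOWED_CROSSINGS.get((s, d), set()):
                    findings.append((r.name, f"{s}->{d} {r.proto}/{r.dport} not in allow-list"))
    last = rules[-1] if rules else None
    if not (last and last.action == "deny"
            and zones_touched(last.src) == set(ZONES) and zones_touched(last.dst) == set(ZONES)):
        findings.append(("<end of rule set>", "no explicit default deny"))
    return findings


# Constructed sample rule set (assumption): one direct IT->OT hole, one over-broad
# "any" rule, two legitimate DMZ crossings and a closing default deny.
SAMPLE_RULES = [
    Rule("it-to-ot-rdp", "10.0.0.0/8", "192.168.0.0/16", "tcp", 3389, "allow"),
    Rule("jump-to-ot-ssh", "172.16.0.10/32", "192.168.10.0/24", "tcp", 22, "allow"),
    Rule("historian-to-dmz", "192.168.20.5/32", "172.16.0.20/32", "tcp", 5432, "allow"),
    Rule("any-to-ot", "0.0.0.0/0", "192.168.0.0/16", "any", None, "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]

if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

The over-broad `any-to-ot` rule produces two findings rather than one because its 0.0.0.0/0 source overlaps both the IT and the DMZ zones; that is deliberate, since a rule whose source spans zones needs to be split before it can be reasoned about at all.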
## Recommendations
- Conduct forensic analysis to establish the initial access vector and the full scope of the IT compromise, including whether data was exfiltrated before encryption.
- Review and enforce network access controls between IT and OT, permitting only documented, authenticated flows through a DMZ or jump host and denying everything else, so that a future IT compromise cannot pivot into control systems.
- Deploy EDR across the entire IT estate with behavioral detections for ransomware activity (for example, mass file renames and backup tampering) and verify that alerts reach responders quickly enough to stop encryption in progress.
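One of the behavioral detections the EDR recommendation refers to is a burst of extension-changing renames across many directories by a single process. The following is an added example, not Conpet's or any vendor's detection content: it runs that heuristic over a constructed stream of file events and shows why a directory-count threshold is needed to avoid flagging a user bulk-renaming photos in one folder. The event schema, thresholds, process names and paths are constructed assumptions.

```python
"""Flag processes whose file-rename pattern looks like bulk encryption.

Added example, not a vendor's or Conpet's detection content. The event
format, thresholds and sample events are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    ts: float                       # seconds since an arbitrary epoch
    pid: int
    image: str                      # process image name
    op: str                         # "write" or "rename"
    path: str                       # path after the operation
    old_path: Optional[str] = None  # path before a rename


def changes_extension(ev: FileEvent) -> bool:
    """True for renames that replace the file's extension, the typical
    footprint of an encryptor appending its own suffix."""
    if ev.op != "rename" or ev.old_path is None:
        return False
    return PureWindowsPath(ev.path).suffix.lower() != PureWindowsPath(ev.old_path).suffix.lower()


def detect_mass_rename(events, window_s=10.0, min_files=20, min_dirs=3):
    """Return {pid: (image, files, dirs)} for processes that rename at least
    min_files distinct files across min_dirs directories within window_s seconds."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if changes_extension(ev):
            by_pid[ev.pid].append(ev)
    hits = {}
    for pid, evs in by_pid.items():
        window = deque()   # sliding window of this process's recent renames
        best = None
        for ev in evs:
            window.append(ev)
            while ev.ts - window[0].ts > window_s:
                window.popleft()
            files = {e.old_path for e in window}
            dirs = {str(PureWindowsPath(e.old_path).parent) for e in window}
            if len(files) >= min_files and len(dirs) >= min_dirs:
                if best is None or len(files) > best[1]:
                    best = (ev.image, len(files), len(dirs))
        if best:
            hits[pid] = best
    return hits


def sample_events():
    """Constructed events: a document editor, a user bulk-renaming photos in one
    folder, and a process rewriting 25 files across five shares in five seconds."""
    evs = []
    for i in range(3):   # benign: Word saving via a temp file
        evs.append(FileEvent(10.0 + i * 20, 1001, "winword.exe", "rename",
                             rf"C:\Users\a\Docs\memo{i}.docx", rf"C:\Users\a\Docs\~tmp{i}.tmp"))
    for i in range(25):  # benign: one-folder bulk rename (fails the min_dirs test)
        evs.append(FileEvent(50.0 + i * 0.1, 3003, "explorer.exe", "rename",
                             rf"C:\Users\a\Pics\img{i}.jpeg", rf"C:\Users\a\Pics\img{i}.jpg"))
    for i in range(25):  # suspicious: new suffix, many directories, short window
        share = rf"\\fileserver\share{i % 5}"
        evs.append(FileEvent(100.0 + i * 0.2, 2002, "update.exe", "rename",
                             rf"{share}\report{i}.xlsx.locked", rf"{share}\report{i}.xlsx"))
    return evs


if __name__ == "__main__":
    for pid, (image, n_files, n_dirs) in detect_mass_rename(sample_events()).items():
        print(f"pid {pid} ({image}): {n_files} files renamed across {n_dirs} directories")
```

Only the `update.exe` burst is reported with the default thresholds; lowering `min_dirs` to 1 also surfaces the Explorer bulk rename, which is the false positive the directory threshold exists to suppress.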