Ransomware Attack Disrupts IT Systems at Oltenia Energy Complex Without Affecting Romania’s Power Supply

By Ash K

Romania’s largest coal-based energy producer, Oltenia Energy Complex, has confirmed it was hit by a ransomware attack that disrupted internal IT systems but did not impact national energy production or electricity supply. The incident highlights the persistent cyber risk facing critical infrastructure operators, even when operational technology remains insulated from corporate networks.

Authorities and company officials have stressed that power generation and delivery continued without interruption, while investigations into the attack and recovery efforts remain ongoing.

Detection of the ransomware attack

The attack was detected after Oltenia Energy Complex identified abnormal behaviour across parts of its information technology environment. Access to certain internal systems was disrupted, prompting the company to initiate incident response procedures and isolate affected assets to prevent further spread.

Early assessments indicated that the incident was confined to IT systems and did not extend into operational technology used for electricity generation.

Impact on operations and services

Despite the ransomware infection, Romanian authorities confirmed that national energy operations were not affected. Coal extraction, power generation, and grid delivery continued to function normally throughout the incident.

This separation between corporate IT and operational systems played a critical role in limiting the real-world impact of the attack.

Suspected involvement of the Gentlemen ransomware group

Investigators believe the attack may be linked to the Gentlemen ransomware group, a threat actor associated with data encryption and extortion campaigns against industrial and public sector organisations. Attribution remains preliminary, and investigations are continuing to confirm the group’s involvement.

Like many ransomware operations, the suspected group is known for targeting organisations where disruption can apply pressure during recovery.

Use of backups in recovery efforts

Oltenia Energy Complex has stated that backups are being used to restore affected systems. The availability of functional backups has allowed the company to begin recovery without engaging with attackers or paying a ransom.

Restoration efforts are being conducted carefully to ensure systems are clean before being brought back online.

Role of authorities and investigation status

Romanian authorities are working alongside the company to investigate the incident, determine the initial access vector, and assess whether any data exfiltration occurred. At this stage, there has been no public confirmation that sensitive data was stolen.

Law enforcement involvement reflects the critical infrastructure status of the organisation and the potential national security implications of such attacks.

Why critical infrastructure remains a target

Energy producers continue to be attractive targets for ransomware groups due to their economic importance and the potential impact of disruption. Even when operational systems are protected, attackers may target corporate IT environments to steal data or apply reputational and regulatory pressure.

The Oltenia Energy Complex incident demonstrates that attackers do not need to directly affect power generation to cause concern and operational strain.

Importance of IT and OT segmentation

The limited impact of the attack underscores the importance of strong segmentation between IT and operational technology networks. By preventing lateral movement into control systems, organisations can significantly reduce the risk of physical disruption.

This architectural separation is increasingly viewed as a foundational requirement for critical infrastructure cybersecurity.

Lessons for energy sector organisations

The incident reinforces the value of tested backups, incident response planning, and early detection capabilities. Ransomware preparedness is not solely about prevention, but also about ensuring rapid recovery without capitulating to extortion.

Energy operators are also being urged to conduct regular assessments of third-party access, credential hygiene, and phishing resilience.

Broader implications for Romania’s energy security

While the attack did not disrupt power supply, it highlights the ongoing cyber threat environment facing Romania’s energy sector. As geopolitical tensions and cybercrime activity continue to rise, energy providers remain high-value targets.

Incidents like this are likely to influence future investment in cybersecurity and regulatory oversight across the sector.

What happens next

Recovery efforts at Oltenia Energy Complex are continuing, with systems gradually being restored from backups. Investigators are expected to release further findings as forensic analysis progresses.

For the wider critical infrastructure community, the attack serves as a reminder that resilience, segmentation, and recovery planning are key to limiting the impact of ransomware in essential services.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.