Romania’s oil pipeline operator hacked
3rd March 2026

In early 2026, Romania’s national oil pipeline operator, Conpet, was hit by a Qilin ransomware attack that appears to have started with something deceptively simple: an infostealer infection on a single personal device used by an internal IT administrator.
This incident, and its similarities to the Colonial Pipeline attack in the United States, offers important lessons for both security teams and business leaders who rely on cyber insurance as a key part of their risk strategy.
In February 2026, the Qilin ransomware group claimed responsibility for an attack on Conpet, Romania’s state‑controlled oil pipeline operator. The group alleged that it had stolen nearly a terabyte of data, including financial records, contracts, and internal documents – information that can be used for extortion, fraud, and long‑term pressure on the victim.
Subsequent analysis by Hudson Rock is believed to have linked the incident back to an earlier infostealer infection, on 11 January 2026, of a Windows machine used by a Conpet IT administrator.
This device was used both for highly privileged corporate work and for personal activity and side businesses. When it was compromised, the infostealer quietly harvested credentials and system information and sent them to criminal operators.
From this single infection, attackers obtained a large set of credentials, including access to:
- VPN
- Email (Outlook Web App)
- Network monitoring (such as Cacti)
- WSUS (Windows Server Update Services)
- Databases and infrastructure consoles
- Printer and other internal administration panels
In effect, the attackers gained both a map of Conpet’s internal environment and many of the keys needed to move around inside it. With valid WSUS credentials, the attackers could use the company’s own update infrastructure to push a malicious “fake update” containing Qilin ransomware to servers and workstations. The several‑week gap between the initial infection in January and the public disclosure in February suggests time spent on reconnaissance, privilege escalation, and planning before the full ransomware deployment.
This incident illustrates how a single unmanaged, dual‑use device can become a bridge from everyday personal activity to the core of a nation’s energy infrastructure.
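As an added example (not code from the article, from Conpet or from Hudson Rock), here is a small Python triage helper for the scoping step a responder faces once a stealer-log dump like the one described above surfaces: it parses the dump, discards personal-site entries, and groups the exposed corporate accounts by the service classes listed (VPN, OWA, monitoring, WSUS) so each can be rotated. The log layout, hostnames and corporate domain are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse
# Constructed stealer-log excerpt in an assumed URL/USER/PASS layout; hostnames are placeholders.
SAMPLE_LOG = """\
URL: https://vpn.example-pipeline.test/remote/login
USER: it.admin
PASS: [redacted]
URL: https://mail.example-pipeline.test/owa/auth/logon.aspx
USER: it.admin@example-pipeline.test
PASS: [redacted]
URL: http://cacti.example-pipeline.test/cacti/index.php
USER: admin
PASS: [redacted]
URL: http://wsus.example-pipeline.test:8530/
USER: EXAMPLE\\svc_wsus
PASS: [redacted]
URL: https://shop.example-retailer.test/account
USER: someone@mail.test
PASS: [redacted]
"""

# Map a captured URL onto the service classes named in the incident write-up.
SERVICE_PATTERNS = [
    ("vpn", re.compile(r"vpn\.|/remote/login")),
    ("owa", re.compile(r"/owa/|/ecp/|mail\.")),
    ("monitoring", re.compile(r"cacti|zabbix|nagios")),
    ("wsus", re.compile(r"wsus\.|:853[01]")),
]
ENTRY = re.compile(r"URL:\s*(?P<url>\S+)\s*\nUSER:\s*(?P<user>.*?)\s*\nPASS:")

def parse_entries(text):
    """Return (url, user) pairs; the secret itself is never retained."""
    return [(m.group("url"), m.group("user")) for m in ENTRY.finditer(text)]

def classify(url, corp_domains):
    """Service class for a corporate URL, or None for a personal site."""
    host = urlparse(url).hostname or ""
    if not any(host == d or host.endswith("." + d) for d in corp_domains):
        return None
    return next((n for n, p in SERVICE_PATTERNS if p.search(url)), "other-corporate")

def triage(text, corp_domains):
    """Group exposed corporate accounts by service so each can be rotated."""
    report = defaultdict(set)
    for url, user in parse_entries(text):
        svc = classify(url, corp_domains)
        if svc:
            report[svc].add(user)
    return dict(report)
```

Calling `triage(SAMPLE_LOG, ["example-pipeline.test"])` on the constructed dump yields one rotation bucket each for VPN, OWA, monitoring and WSUS, while the retailer account is left out of corporate scope.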
How this compares to Colonial Pipeline
The Colonial Pipeline ransomware attack in May 2021 remains one of the most high‑profile examples of a cyber incident impacting critical energy infrastructure. In that case, the DarkSide ransomware group used stolen VPN credentials to access Colonial’s IT network, reportedly via an unused account that did not have multi‑factor authentication enabled.
Once inside, the attackers exfiltrated data and encrypted key business systems, including billing and back‑office services.
Colonial chose to shut down its entire 5,500‑mile fuel pipeline network as a precaution, even though operational technology systems were not confirmed to be encrypted, leading to fuel shortages and panic buying across parts of the U.S. East Coast.
The company paid a ransom of about 75 bitcoin (around 4.4 million USD at the time), and a portion of that ransom was later recovered by U.S. authorities.
When comparing Conpet and Colonial, several themes stand out:
- Similar targets: both incidents involve national‑scale oil or pipeline operators, demonstrating that energy transport infrastructure is a prime target for financially motivated ransomware groups.
- Credential‑driven access: in Colonial, attackers used stolen VPN credentials with no multi‑factor authentication. In Conpet, attackers leveraged an infostealer infection on a dual‑use admin device to harvest a broad set of high‑value credentials, including VPN and WSUS.
- “Log in, don’t break in” tactics: in both cases, attackers relied on valid credentials rather than exotic zero‑day exploits. This lowers their cost and makes detection harder.
- Data theft plus disruption: both incidents combined data exfiltration with the threat or reality of operational disruption, enabling double‑extortion (threatening both downtime and data leakage).
- Operational decisions: Colonial’s decision to shut down operations highlighted how IT‑centric attacks can force business and safety decisions with real‑world impacts. Conpet’s case shows how compromising central infrastructure such as WSUS (Windows Server Update Services) or monitoring systems can undermine logical separation between IT and OT in practice. Does the overarching concern about property damage then also play a part in the decision to shut down operations, especially for core national infrastructure?
When IT and OT are tightly coupled through shared services, every architectural decision about connectivity carries an implicit property damage question, not just a data‑confidentiality question. Even though Conpet has said pipeline flows and SCADA were not affected in this case, the incident highlights how similar compromises at other operators have led to shutdowns or loss of visibility precisely to avoid unsafe conditions and physical damage.
The central message is that pipeline operators and energy infrastructure are now mature targets. Attackers understand the environment, know how to monetise access, and are willing to pressure operators using both data and operational risk.
These incidents are not only cybersecurity stories, they are also critical case studies in how modern cyber events translate into financial losses and insurance claims.
From the perspective of cyber insurance, both Conpet‑style and Colonial‑style attacks can trigger multiple parts of a cyber policy at once:
- Technical incident response and digital forensics
- Legal, PR, and crisis‑management support
- Data restoration and system recovery
- First‑party business interruption and extra expense
- Cyber extortion and ransom negotiation costs
- Potential third‑party liability if customers, partners, or regulators suffer loss or allege negligence
In Colonial’s case, the decision to shut down operations, the ransom payment, and the wider economic impact turned a single compromised VPN account into a multi‑faceted loss. Conpet’s scenario, with its broad credential exposure and critical role in national oil logistics, has similar potential.
These events reinforce the view of ransomware against critical infrastructure as a “catastrophe‑class” cyber peril, capable of creating concentrated, high‑severity losses for a single insured and ripple effects for many others.
Incidents like Conpet and Colonial should be reshaping underwriting expectations – especially for critical infrastructure, energy, and any organisation where downtime has systemic consequences. These events reinforce that cyber risk is dynamic, not a once‑a‑year form‑filling exercise.
This means:
- Continuous monitoring of security posture to catch exposed credentials, vulnerable services, and configuration drift.
- Use of external intelligence, including infostealer‑derived credential feeds and dark‑web activity, to spot when an organisation is already on an attacker’s radar.
- Closer collaboration between insurers, brokers, and insureds to identify control gaps and drive remediation, not just negotiate limits and premiums.
For energy operators, critical infrastructure, and any sector with low tolerance for downtime, Conpet and Colonial highlight three priorities:
1. Protect identities and credentials as critical assets
Assume infostealers and credential‑harvesting campaigns are active – especially against administrators. Enforce MFA, limit the use of privileged accounts, and monitor continuously for compromised credentials.
2. Treat device governance as a business risk, not just IT hygiene
Unmanaged or dual‑use devices can become the weakest point in an otherwise strong environment. Clear policies, technical controls, and regular checks are essential.
3. Align security controls with cyber‑insurance expectations
Know how your security posture affects insurability, coverage, and pricing. Use insurance discussions to prioritise improvements that reduce both the likelihood and impact of an attack.
