Romania’s Conpet Confirms Data Theft After Cyberattack, Qilin Ransomware Claims Responsibility
5 min. read 
Published on
Romania’s national oil pipeline operator, Conpet S.A., has confirmed that company data was stolen following a cyberattack earlier this month that disrupted parts of its corporate IT environment and took its website offline. The incident did not affect the physical operation of the country’s oil transport network, according to public statements from the company.
The Russian-linked Qilin ransomware group has claimed responsibility for the attack on dark web forums and posted samples that it says prove it exfiltrated nearly one terabyte of data. These samples reportedly include internal documents, financial records and scans of passports.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Conpet says it is working with Romania’s National Cyber Security Directorate (DNSC) to investigate the breach and has filed a formal criminal complaint.
What Conpet Has Confirmed
Conpet S.A. issued an official notice following the incident. In that update, the company stated that attackers accessed corporate systems and that data exfiltration occurred. It notes that the issue is under investigation and the full scope of stolen data has not been determined.
Operations that control and manage Romania’s national oil transport infrastructure remain secure, and the physical pipelines continue functioning normally. The company emphasised that systems such as SCADA (supervisory control and data acquisition) and telecommunications were not affected by the cyber intrusion.
Conpet warned that compromised data may be misused for fraud or identity theft and advised caution when responding to unexpected contact attempts.
Qilin’s Claim and Leak Evidence
The Qilin ransomware gang added Conpet to its public leak site and claimed to have stolen nearly 1TB of internal documents. The group published a small sample that it says includes:
- Financial records
- Employee passport scans
- Internal administrative documents
The authenticity and full extent of the theft have not been independently verified by Conpet or external forensic teams.
Qilin is known for using a double-extortion model where data is stolen and then threatened with public disclosure to pressure victims into ransom negotiations.
How the Attack Affected Conpet
The incident primarily impacted Conpet’s corporate IT systems, including its public website, which remained unavailable for several days. Business applications, internal email and administrative services were disrupted while incident response and containment efforts were underway.
Despite the IT disruption, the company confirmed that it continued to deliver oil and petroleum products across its pipeline network without interruption. Conpet manages a strategic network of pipelines covering around 3,800 kilometres across Romania.
Context: Qilin’s Activity and Target Profile
Qilin is a ransomware-as-a-service (RaaS) group that emerged in 2022 and has become one of the most active threat actors targeting organisations globally. It has been linked to attacks on healthcare firms, energy sector companies and private enterprises in multiple countries.
Qilin and other ransomware gangs have shown continued interest in targeting infrastructure operators where corporate networks often serve as initial footholds, even when industrial control systems are segregated.
Immediate Company Advice and Public Warnings
Conpet is urging anyone who might have had data exposed to remain vigilant about suspicious communications, such as:
- Unsolicited phone calls
- Unexpected emails asking for personal or financial information
- Messages pretending to be internal staff or legitimate partners
The company is emphasising the importance of verifying the authenticity of communication by using official contact details rather than information provided in potentially fraudulent messages.
Event Timeline
| Date | Milestone |
|---|---|
| 3–4 Feb 2026 | Conpet first detects cyberattack on corporate IT infrastructure. |
| 5 Feb 2026 | Qilin ransomware lists Conpet on its dark web leak site claiming ~1TB of data stolen. |
| 6–8 Feb 2026 | Conpet confirms data exfiltration and begins investigation with DNSC. |
| Ongoing | Company and national authorities continue forensic analysis. |
Security and Wider Implications
Energy and transport infrastructure remain attractive targets for ransomware groups, partly because corporate IT systems often interact with many external partners. Disruptions in business networks can affect logistics, invoicing, communication and partner coordination despite industrial systems operating normally.
This attack is part of a broader pattern of ransomware incidents in Romania, which also include past breaches against water authorities and power producers.
FAQ
A: No. Conpet confirmed that operational pipeline systems and SCADA controls were not impacted by the cyberattack.
A: The Qilin ransomware gang claimed responsibility and stated it had stolen nearly 1TB of data.
A: Conpet has confirmed that data was stolen, but the full scope and content have not yet been independently verified beyond Qilin’s leak sample.
A: Samples released by Qilin reportedly include internal documents, financial information and passport scans.
A: Individuals are advised to watch out for suspicious messages and verify any urgent requests via official Conpet contact details.
A: Yes. Conpet is working with Romania’s National Cyber Security Directorate (DNSC) and has filed a criminal complaint.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages