KYIV, Ukraine — Recent ransomware attacks targeting Romania’s critical infrastructure were likely part of a broader Russian hybrid operation aimed at undermining the country’s stability, Romania’s top cybersecurity official said.

Over the past several months, Romania has faced a series of large-scale ransomware incidents affecting key sectors, including the national water agency and energy providers.

Some of the attacks were claimed by or attributed to Russian-speaking ransomware groups, including Qilin and Gentlemen, which said they targeted Romania’s national oil pipeline operator and the country’s largest coal-based power producer.

While ransomware attacks are typically viewed as profit-driven criminal activity, Romanian authorities say the recent campaigns appear to align with broader Russian strategic interests.

“These attacks are systematic, well-prepared and often coincide with political decisions or social developments in Romania, particularly those linked to support for Ukraine,” Dan Cimpean, head of Romania’s National Cybersecurity Directorate, said on the sidelines of the Kyiv International Cyber Resilience Forum last week.

Cimpean said roughly 80% of cyber incidents detected in Romania are linked to criminal actors, many of whom he described as being backed by Russia.

“It’s in Russia’s interests to encourage those groups and make sure they are stronger and have financial autonomy,” he said. “That’s why they are asking for money and collecting ransoms.”

Romania does not have legislation explicitly banning private companies from paying ransom demands, though authorities strongly discourage such payments. For state-owned companies and government agencies, ransom payments are effectively impossible because such expenses cannot be legally justified, Cimpean said.

“We don’t negotiate with cyber terrorists,” he told Recorded Future News, adding that payments do not guarantee the recovery of stolen or encrypted data.

State-sponsored hacking groups are also active in Romania, Cimpean said, though he added their activity currently focuses more on maintaining access rather than conducting disruptive attacks.

Romania’s strategic position as a NATO and European Union member, with access to the Black Sea and strong support for Ukraine and Moldova, makes it a particularly attractive target for Russian hybrid operations.

During last week’s cyber forum in Kyiv, Ukraine, Moldova and Romania signed a memorandum aimed at strengthening regional cooperation against Russian cyber threats.

“Russia is trying to destabilize our social, political and economic life, undermine infrastructure and test our ability to respond every single day,” Cimpean said.

He added that Russian cyber activity could intensify even if fighting in Ukraine were to ease.

“The moment kinetic activities stop, Russia will definitely continue to operate in cyberspace, and we have to be prepared,” he said.

Romania is not alone in facing cyber pressure from Moscow-aligned actors. Polish authorities recently attributed a cyberattack targeting parts of the country’s energy infrastructure to Moscow-linked actors, while Moldovan officials have warned that Russia combined cyber and information operations to influence parliamentary elections earlier this year.

Dutch intelligence agencies also warned this month that Russia is intensifying cyberattacks, sabotage and covert influence campaigns across Europe, signaling a prolonged confrontation with the West.