2026-07-19 · view entry permalink →
Romania's national cadastre agency ANCPI hit by a multi-day cyberattack; ByteToBreach claims citizen-data and e-Terra source-code theft plus ransomware
Romania's National Agency for Cadastre and Real Estate Publicity (ANCPI) — the government body operating the national land-registry and cadastre platforms (the e-Terra cadastral application and RENNS) that citizens, notaries, lawyers, banks and other authorities depend on for property transactions — has had all of its IT systems, including institutional email, offline since Tuesday 14 July 2026, in what it first called a "technical incident" before confirming a cyberattack; as of 17 July the systems remained down pending investigation (Help Net Security, 2026-07-16; Public Record, 2026-07-17). A threat actor using the alias ByteToBreach posted ANCPI data for sale on a dark-web forum on 15 July, claiming to hold Romanian-citizen records and various ANCPI databases, a copied GitLab server carrying the source code for e-Terra and RENNS, and to have deployed a ransomware variant (Help Net Security, 2026-07-16); in a screenshot the attacker published, he also states he began deleting the available backups (Public Record, 2026-07-17). ANCPI states the data it administers "has not been compromised as a result of this incident" — a position not yet reconciled with the attacker's claims.
KELA, which profiles ByteToBreach as a persistent data-leak operator active since June 2025, documents the actor's general initial-access tradecraft as "exploiting known vulnerabilities in cloud and corporate infrastructure, reusing stolen credentials harvested from infostealers and phishing, and at times resorting to brute force," with a victim list spanning government, banking and other sectors across multiple countries — a bank in Poland among the organizations that acknowledged their breaches (KELA Cyber, 2026-07-17). Public Record's investigation reports that ANCPI's ~1.5-million-lei framework contract for cybersecurity services required constant active services — a 24/7 call-centre, at-least-annual technical audits, and ongoing monitoring and intervention over 48 months — yet the contracted vendor's owner now characterises the firm as "just a license provider… like buying Microsoft licences on eMAG" and says he had no contractual obligation to detect an attack, a self-characterisation Public Record reports the contract's own terms directly contradict; the same reporting notes a similar December 2025 cyberattack on Romania's National Water Administration (ANAR, roughly 1,000 systems affected), an agency the same security vendors had also supplied (Public Record, 2026-07-17).
They claim to have compromised data of Romanian citizens and various ANCPI databases, made a copy of the agency's GitLab servers and the source code contained within, and deployed ransomware.
ANCPI stated that the data administered through its IT systems has not been compromised as a result of this incident.
Exploiting known vulnerabilities in cloud and corporate infrastructure, reusing stolen credentials harvested from infostealers and phishing, and at times resorting to brute force