ctipilot.ch

ANCPI Romania cadastre cyberattack

incident · incident:ancpi-romania-cyberattack-2026-07

Multi-day outage of Romania's national cadastre/land-registry systems (e-Terra, RENNS, institutional email) beginning 14 July 2026, confirmed by ANCPI as a cyberattack. ByteToBreach claims citizen-data theft, a copied GitLab source-code server, ransomware deployment and backup deletion; ANCPI disputes any data compromise. Still unresolved as of 17 July 2026 (Help Net Security, Public Record, KELA).

Coverage timeline
1
first 2026-07-19 → last 2026-07-19
Peak priority
notable
1 notable
Sources cited
3
3 hosts
Sections touched
1
active-threats
Co-occurring entities
1
see Related entities below
ATT&CK techniques
6
pinned v19.1 · see below

ATT&CK techniques

6 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-19/ancpi-romania-cadastre-cyberattack-bytetobreach · ATT&CK page ↗

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-19/ancpi-romania-cadastre-cyberattack-bytetobreach · ATT&CK page ↗

Persistence TA0003

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-19/ancpi-romania-cadastre-cyberattack-bytetobreach · ATT&CK page ↗

Privilege Escalation TA0004

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-19/ancpi-romania-cadastre-cyberattack-bytetobreach · ATT&CK page ↗

Stealth TA0005

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-19/ancpi-romania-cadastre-cyberattack-bytetobreach · ATT&CK page ↗

Credential Access TA0006

T1110Brute Force×1

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Evidence: 2026-07-19/ancpi-romania-cadastre-cyberattack-bytetobreach · ATT&CK page ↗

Collection TA0009

T1213Data from Information Repositories×1

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account).

Evidence: 2026-07-19/ancpi-romania-cadastre-cyberattack-bytetobreach · ATT&CK page ↗

Impact TA0040

T1486Data Encrypted for Impact×1

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

Evidence: 2026-07-19/ancpi-romania-cadastre-cyberattack-bytetobreach · ATT&CK page ↗

T1490Inhibit System Recovery×1

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This may deny access to available backups and recovery options.

Evidence: 2026-07-19/ancpi-romania-cadastre-cyberattack-bytetobreach · ATT&CK page ↗

Story timeline

  1. 2026-07-19Romania's national cadastre agency ANCPI hit by a multi-day cyberattack; ByteToBreach claims citizen-data and e-Terra source-code theft plus ransomware
    active-threatsRomanian land-registry authority ANCPI down for days after a cyberattack; data-leak operator ByteToBreach claims theft and ransomware

Relationships explore in graph

Typed, source-stated connections from the entity registry — each edge cites the entry whose reporting establishes it.

attributed to

Where this entity is cited

  • active-threats1

Source distribution

  • helpnetsecurity.com1 (33%)
  • kelacyber.com1 (33%)
  • publicrecord.ro1 (33%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about ANCPI Romania cadastre cyberattack (1)

2026-07-19 · view entry permalink →

NOTABLENATOB2

Romania's national cadastre agency ANCPI hit by a multi-day cyberattack; ByteToBreach claims citizen-data and e-Terra source-code theft plus ransomware

Romania's National Agency for Cadastre and Real Estate Publicity (ANCPI) — the government body operating the national land-registry and cadastre platforms (the e-Terra cadastral application and RENNS) that citizens, notaries, lawyers, banks and other authorities depend on for property transactions — has had all of its IT systems, including institutional email, offline since Tuesday 14 July 2026, in what it first called a "technical incident" before confirming a cyberattack; as of 17 July the systems remained down pending investigation (Help Net Security, 2026-07-16; Public Record, 2026-07-17). A threat actor using the alias ByteToBreach posted ANCPI data for sale on a dark-web forum on 15 July, claiming to hold Romanian-citizen records and various ANCPI databases, a copied GitLab server carrying the source code for e-Terra and RENNS, and to have deployed a ransomware variant (Help Net Security, 2026-07-16); in a screenshot the attacker published, he also states he began deleting the available backups (Public Record, 2026-07-17). ANCPI states the data it administers "has not been compromised as a result of this incident" — a position not yet reconciled with the attacker's claims.

KELA, which profiles ByteToBreach as a persistent data-leak operator active since June 2025, documents the actor's general initial-access tradecraft as "exploiting known vulnerabilities in cloud and corporate infrastructure, reusing stolen credentials harvested from infostealers and phishing, and at times resorting to brute force," with a victim list spanning government, banking and other sectors across multiple countries — a bank in Poland among the organizations that acknowledged their breaches (KELA Cyber, 2026-07-17). Public Record's investigation reports that ANCPI's ~1.5-million-lei framework contract for cybersecurity services required constant active services — a 24/7 call-centre, at-least-annual technical audits, and ongoing monitoring and intervention over 48 months — yet the contracted vendor's owner now characterises the firm as "just a license provider… like buying Microsoft licences on eMAG" and says he had no contractual obligation to detect an attack, a self-characterisation Public Record reports the contract's own terms directly contradict; the same reporting notes a similar December 2025 cyberattack on Romania's National Water Administration (ANAR, roughly 1,000 systems affected), an agency the same security vendors had also supplied (Public Record, 2026-07-17).

They claim to have compromised data of Romanian citizens and various ANCPI databases, made a copy of the agency's GitLab servers and the source code contained within, and deployed ransomware.

ANCPI stated that the data administered through its IT systems has not been compromised as a result of this incident.

Help Net Security 2026-07-16

Exploiting known vulnerabilities in cloud and corporate infrastructure, reusing stolen credentials harvested from infostealers and phishing, and at times resorting to brute force

KELA Cyber 2026-07-17
incident19 Jul 04:24Zmulti-sourceOpen finding ↗