When Trusted Built-In Software Tools Become Cyber Weapons

In December 2025, Romania’s National Water Administration experienced one of the most instructive cyber incidents seen recently in the critical infrastructure sector. The attack did not rely on exotic malware or zero day exploits. Instead, it exposed how architectural weaknesses, operational gaps, and overreliance on traditional IT security can allow attackers to disrupt essential services using legitimate system tools.

The incident affected close to 1,000 IT and OT systems across multiple regional water authorities. While water supply was not physically disrupted, the event revealed significant weaknesses in cyber resilience and operational security across the ecosystem.

The attackers began by quietly gaining access to the IT network. Entry points included exposed remote desktop services weakly protected VPN access and insufficient identity and privilege management. This initial phase was intentionally low noise, allowing the attackers to remain undetected while mapping the environment.

Once inside they moved laterally across the network using standard Windows administration tools. By exploiting the lack of strong separation between IT and OT environments the attackers were able to reach systems that support water management operations, including DNS file servers and GIS platforms. This convergence of IT and OT created a critical pathway that enabled the attack to scale.

The most notable aspect of the incident was the weaponization of BitLocker. Instead of deploying conventional ransomware, the attackers used Microsoft’s built-in disk encryption technology to lock systems. Through PowerShell and native Windows utilities, they enforced encryption policies at scale, including techniques that bypass standard hardware protections. Because these actions relied on legitimate operating system features, many security controls failed to identify the activity as malicious in real time.

As encryption spread across servers and workstations, core services, such as Active Directory and DNS, were disrupted. Operational visibility was reduced and regional water management systems experienced significant downtime. Only at this stage did ransom demands appear, accompanied by threats of prolonged disruption.

Several critical weaknesses emerged from the incident. First, the lack of effective separation between IT and OT networks allowed a compromise in one domain to cascade into another. Second, security monitoring was heavily signature-based and not designed to detect abuse of legitimate tools. Third, identity and access management practices allowed excessive privileges without sufficient oversight. Finally, backup strategies were insufficiently isolated, reducing recovery options under pressure.

This attack highlights a broader shift in the threat landscape. Modern adversaries no longer need custom malware to achieve strategic impact. By abusing trusted tools and exploiting architectural blind spots they can operate below the detection threshold of traditional defenses.

The key lesson is clear. Protecting critical infrastructure requires more than regulatory compliance or standard endpoint security. It demands behavioral monitoring, strict identity governance, meaningful IT and OT separation, and a resilience mindset that assumes compromise and plans for continuity.

For organizations responsible for essential services, this incident is not just a case study. It is a warning.