>samit_hota
Back to advisories
SH-2026-139HighOpen

Romania's National Land Registry Hit by Cyberattack, Data Theft Claimed

Samit Hota·
CVE ID
N/A
CVSS Score
N/A
Affected Products
Romania's National Agency for Cadastre and Land Registration (ANCPI), e-Terra cadastre and land registry app, Romanian citizens' data (alleged)
#news#romania

Overview

Romania’s National Agency for Cadastre and Land Registration (ANCPI) suffered a significant cyberattack that led to a major disruption of its e-Terra cadastre and land registry application. Initially reported as a “major technical incident” on July 14, the disruption was officially confirmed as a cyberattack on July 16, 2026. The incident has caused the e-Terra application to become unavailable, severely stalling real estate transactions across the country. A threat actor operating under the alias “ByteToBreach” has claimed responsibility, attempting to sell data allegedly stolen from ANCPI on a dark web forum. The claims include compromised data of Romanian citizens, various ANCPI databases, a copy of the agency’s GitLab servers, and source code, alongside the deployment of ransomware. While ANCPI has stated that data administered through its IT systems has not been compromised as a result of this incident, the conflicting claims from the threat actor, supported by provided screenshots, suggest a more severe compromise.

Technical Details

While ANCPI has not publicly detailed the technical specifics of the cyberattack, the threat actor ByteToBreach’s claims provide some insight. ByteToBreach alleged the compromise of ANCPI’s databases, the exfiltration of data pertaining to Romanian citizens, and the successful deployment of ransomware within the agency’s systems. The threat actor also claimed to have copied the contents of ANCPI’s GitLab servers, including source code. ByteToBreach, as a known entity in cyber threat intelligence circles, is noted for using a diverse set of attack methodologies. These often include exploiting known vulnerabilities in cloud and corporate infrastructure, leveraging stolen credentials harvested from infostealers and phishing campaigns, and sometimes resorting to brute force or misconfiguration-based access to establish initial footholds. Once inside a target network, their focus typically shifts to data exfiltration—targeting employee records, databases, backups, and sensitive documents—which are then sold or leaked to validate their claims and pressure victims. The provision of screenshots as proof by ByteToBreach during the intrusion, as flagged by Dark Web Informer, adds credibility to their assertions, despite ANCPI’s denial of data compromise. The disruption to the e-Terra application further indicates a significant impact on ANCPI’s operational technology or IT infrastructure.

Real-World Impact

The cyberattack on Romania’s National Agency for Cadastre and Land Registration has immediately stalled real estate transactions across Romania, creating significant economic and administrative disruption. Citizens, businesses, and legal professionals relying on the e-Terra application for property registration, verification, and other land-related services are directly impacted by the outage. The alleged compromise of Romanian citizens’ data, if confirmed, could lead to widespread privacy violations, identity theft, and subsequent financial fraud. The exfiltration of sensitive databases, including potential citizen records and source code from GitLab servers, poses a long-term risk for future targeted attacks and intellectual property theft. Even if data compromise is eventually proven to be limited, the prolonged unavailability of a critical government service like the land registry undermines public trust and creates substantial logistical challenges. For ANCPI, the incident necessitates extensive recovery efforts, a thorough forensic investigation, and likely significant investment in bolstering its cybersecurity posture to prevent recurrence.

Threat Landscape

The cyberattack on ANCPI aligns with a broader trend of sophisticated cybercriminal and state-sponsored groups targeting critical government infrastructure. Land registries, holding vast amounts of sensitive personal and property data, are high-value targets for both data monetization and disruptive purposes. The use of ransomware, coupled with data exfiltration (double extortion), is a common tactic employed by groups like ByteToBreach, maximizing leverage over victims. The involvement of a known threat actor with a track record of substantiated claims highlights the professionalization of cybercrime. The threat landscape for government agencies is characterized by persistent attempts to exploit known vulnerabilities, weak access controls, and social engineering to gain initial entry. The potential for the leaked source code to reveal further vulnerabilities, or for citizen data to be used in future phishing campaigns, underscores the evolving and multi-layered nature of these threats.

Remediation

Immediate remediation efforts for ANCPI must prioritize restoring the e-Terra application and ensuring data integrity and availability. This includes forensic analysis to confirm the full scope of the breach, identify all compromised systems, and eradicate the threat actor’s presence. Critical systems must be isolated, sanitized, and rebuilt from trusted backups. Robust endpoint detection and response (EDR) solutions should be deployed, alongside enhanced network monitoring. Given the claims of data exfiltration, ANCPI should prepare for potential data breach notification requirements and offer support services to affected citizens. From a preventative standpoint, ANCPI must enhance its vulnerability management program, ensuring timely patching of all systems, particularly internet-facing ones. Implementing multi-factor authentication (MFA) across all internal and external access points, strengthening access controls, and regularly auditing configurations, especially for development environments like GitLab, are crucial. Comprehensive security awareness training for all employees, focusing on identifying phishing and social engineering attempts, is also vital to reduce initial compromise vectors. Engaging with cybersecurity experts to conduct penetration tests and security audits will help identify and mitigate existing weaknesses.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call