Conpet, Romania’s national oil pipeline operator, confirmed a major cyberattack after the Qilin ransomware group claimed to have stolen nearly 1TB of sensitive data. Hudson Rock traced the breach to a single Infostealer infection on an IT employee’s personal computer on January 11, 2026, which leaked credentials (including WSUS and Cacti access) that enabled a likely full network takeover.
Key points
- Hudson Rock identified the initial Infostealer infection on January 11, 2026, and indexed the data on January 12.
- The infected machine, DESKTOP-TCR5GQM, was a personal device used by an IT employee who also logged into critical Conpet systems.
- 268 credentials were exfiltrated from the device, including VPN, Cacti monitoring, and WSUS update server logins.
- Compromise of the WSUS server allowed attackers to distribute Qilin ransomware as a fake update to all endpoints.
- The weeks-long gap between the Infostealer infection and public disclosure gave the attackers time to perform reconnaissance and move laterally.