Qilin Ransomware Gang Breaches Romania's National Oil Pipeline Operator Conpet, Claims 1TB Data Theft

Romania's national oil pipeline operator Conpet S.A. has confirmed that the Qilin ransomware group breached its corporate IT infrastructure and stole company data in an attack last week, marking another critical infrastructure target hit by the increasingly aggressive ransomware operation.

Conpet S.A. is a strategic company controlled by the Romanian Ministry of Energy, operating a 3,800 km pipeline network transporting crude oil, gas, and condensate across Romania.

Attack and Response

The company disclosed the incident the day after the breach, stating that while corporate IT systems were compromised, pipeline operations remained unaffected. Conpet is collaborating with the Romanian National Cyber Security Directorate (DNSC) on the investigation and says it cannot yet determine the full scope of data stolen.

Qilin's Claims

The Qilin ransomware gang claims to have exfiltrated nearly 1TB of documents from Conpet's systems. As proof of the breach, the group leaked a sample of 16 images of internal documents containing financial information and passport scans. Some documents are marked as confidential with dates as recent as November 2025 and include personal information — names, postal addresses, personal identification numbers, and bank account numbers.

Fraud Risk

Conpet warned that the compromised data may be exploited for fraudulent activities and advised potentially affected individuals to be wary of urgent requests over phone, email, or other channels. The company noted that scammers frequently impersonate employees of well-known organizations to extract personal and financial information.

Recommendation

Organizations in the energy and critical infrastructure sector should monitor for Qilin ransomware TTPs. The group's activity has escalated significantly in 2025-2026, with targets spanning healthcare, government, and now energy infrastructure. The operational technology and pipeline systems reportedly remained unaffected in this incident, but the breach of corporate IT systems holding sensitive personnel and financial data presents significant downstream risk. Verify any communications purporting to come from Conpet through official channels only.
