Source code for e‑Terra and related services
The screenshots show access to and a broad project tree covering payments, security, , validation, and components. The technical detail supports the screenshot's authenticity better than a bare file list.
Screenshots attributed to the attacker form a coherent path through authentication, the user directory, application servers, GitLab, monitoring, virtual infrastructure, backups and Active Directory. That strongly supports extensive access. It does not yet prove theft of the entire cadastral database.
This analysis separates three things: what the institution confirmed, what the screenshots show if authentic, and what the attacker claims without sufficient proof. Personal data, passwords, IP addresses and account names have been removed from the reproduced images.
Not every claim carries the same weight. Here, “probable” means several distinct screenshots reinforce one another and fit the publicly confirmed outage.
The screenshots show access to and a broad project tree covering payments, security, , validation, and components. The technical detail supports the screenshot's authenticity better than a bare file list.
, , a , , and expose servers, county offices, trust relationships and privileged accounts. Some screenshots show reversibly stored or plaintext passwords.
appears to be queried directly, returning names, email addresses and encrypted password fields. The attacker writes “around 2 million”; the screenshot supports access to the directory, not the total count by itself.
The screenshots indicate administrative access to and , datastore browsing and backup-deletion operations. This level of control makes whole-server exfiltration plausible, but the complete transfer is not shown.
If the attacker copied databases, virtual disks or backups, they may contain owners, property identifiers, land-book entries, encumbrances, plans, submitted documents and application histories. The public screenshots demonstrate the ability to reach these systems; they do not yet show a complete export of nearly 29 million properties.
Each stage explains access to the next. That does not automatically authenticate the images, but it is harder to fabricate convincingly than one spectacular screenshot.
A legacy identity service appears compromised, providing server execution.
/
The directory returns accounts and password fields; a key appears to decrypt some secrets.
/
Internal application servers provide further execution points and internal-network reach.
/ /
Code explains the applications; monitoring explains the topology and where high-value targets sit.
/
Virtualisation and backup are the points from which whole systems can be copied, stopped, encrypted or deleted.
The screenshot shows administrator and privilege-relationship enumeration, but the attacker says full takeover was not completed.
Images are reproduced only in heavily redacted form. The explanation preserves the public-interest value of the evidence without republishing passwords, accounts or personal data.
The screenshot shows a shell on an OpenAM server and a 10 July timeline. A shell does not automatically mean access to all data, but it provides an internal point from which lateral movement can begin.
LDAP records with names, emails and password fields are visible. In a separate panel, the attacker appears to test a key used to decrypt some secrets. The “two million” figure remains the attacker’s estimate.
The project tree includes e‑Terra components, payments, reports, security, single sign-on, APIs, validation and GIS. Java package names use the ANCPI domain. Together, these details make the GitLab claim highly credible.
Backup and virtualisation access does not merely provide files. It can provide whole server disks, snapshots, databases stopped in a consistent state and the ability to erase recovery mechanisms. The screenshots also show backup-deletion operations.
BloodHound appears to have collected domain administrators and thousands of control relationships. The attacker nevertheless says there was not enough time to gain full administration and describes only what could have been done with a domain-controller snapshot.
One screenshot attributed to the attacker appears to show equipment associated with several county offices using the same account and trivial password. If authentic, compromise of that account could open many offices at once.
Another screenshot attributed to the attacker appears to show credentials for a vSphere administrative account. This is the data centre’s electrical panel: a weak password here can turn a local breach into a nationwide shutdown.
These are inferences from screenshots, not findings from an official investigation. But the configuration shown is precisely how a vulnerability becomes an institutional disaster.
A critical identity service appears reachable through a known remote-execution route.
The same credential appears reused across equipment and offices, while a privileged account uses an easily guessed secret.
Management tools appear to store passwords in plaintext or in a form decryptable from the compromised environment.
From authentication, the attacker appears able to reach applications, development, monitoring, backup and virtualisation.
An attacker inside the network appears able to administer and delete the very copies used for recovery.
The screenshots do not show strong barriers such as MFA, password vaulting or isolated administrative workstations around key systems.
ANCPI statement, 15 July 2026“The data administered through ANCPI-managed IT systems is safe and was not compromised.”
The statement may mean data integrity was preserved—not necessarily that no access or copying occurred. The institution has not yet published its definition of “compromised,” the exfiltration indicators reviewed or a forensic report.
Read the statement ↗What was the date of first intrusion and how long did the attacker remain in the network?
Which systems were accessed: OpenDJ, GitLab, Zabbix, vCenter, Veeam, Active Directory, e‑Terra databases?
Is there evidence of external data transfer? What volume and to which destinations?
Were snapshots, virtual disks or complete backups downloaded?
Which categories of people and data are affected, and how many records are involved?
Were all credentials, certificates, API keys and secrets in Git history rotated?
Which offline or immutable backups survived, and from what date can systems be safely rebuilt?
Will an independent report be published, including root cause and corrective measures?
The OpenAM screenshot indicates an initial shell.
Pivots appear toward application servers, GitLab, Zabbix and other internal systems.
Screenshots show vSphere, Veeam, credentials and Active Directory collection.
ANCPI shuts down or loses access to all managed systems, including email and e‑Terra.
The institution confirms the attack and calls it the largest technical disruption in its history.
Media reports that material attributed to ANCPI is being offered for sale. HotNews, citing a source familiar with the incident, says authorities are investigating a possible ransom demand. Neither the scope of the data nor the demand has been officially confirmed.
Product names, project structures, topologies, hostnames and privilege relationships that match across screenshots.
Activity displayed from 10 to 13 July predates the general outage announced on 14 July.
Identity access explains application access; monitoring reveals targets; virtualisation and backup explain the scale of the shutdown.
ANCPI confirms the attack and all-system outage. KELA had already described ByteToBreach as technically capable but strongly self-promotional.
User counts, exfiltrated volume and claims of “complete” databases are not accepted without verifiable samples or forensic confirmation.
Data archives were not opened. Download links, passwords, personal addresses, accounts and details that could facilitate access are not republished.
Confirms the attack, outage of all systems including email and e‑Terra, and states that data was not compromised.
ancpi.ro ↗The homepage reported 28,977,942 managed properties on 13 July 2026.
ancpi.ro ↗Describes an operator with real technical activity and often credible claims, but also aggressive marketing and self-promotion.
kelacyber.com ↗They report the sale offer and claims concerning data and source code. HotNews adds, based on an unnamed source familiar with the incident, that authorities are investigating a possible ransom demand. This is not official confirmation.
Twelve images concerning OpenAM, OpenDJ, WebLogic, WebSphere, GitLab, source code, Zabbix, monitoring, vSphere, Veeam and Active Directory. Links to allegedly stolen archives are not reproduced.
New information from ANCPI, DNSC, the data-protection authority or investigators could change this assessment, especially a forensic report or an official data-breach notification.
The most defensible formulation is this: extensive access to infrastructure, code, accounts and credentials is strongly supported; copying some operational data and servers is plausible; complete theft of the national cadastral register is not yet publicly demonstrated.