Assessment updated 17 July 2026

The breach appears to have opened
nearly all of ANCPI's infrastructure.

Screenshots attributed to the attacker form a coherent path through authentication, the user directory, application servers, GitLab, monitoring, virtual infrastructure, backups and Active Directory. That strongly supports extensive access. It does not yet prove theft of the entire cadastral database.

How to read the evidence

This analysis separates three things: what the institution confirmed, what the screenshots show if authentic, and what the attacker claims without sufficient proof. Personal data, passwords, IP addresses and account names have been removed from the reproduced images.

What the evidence supports

What the attacker probably obtained

Not every claim carries the same weight. Here, “probable” means several distinct screenshots reinforce one another and fit the publicly confirmed outage.

High confidence

Source code for e‑Terra and related services

The screenshots show access to and a broad project tree covering payments, security, , validation, and components. The technical detail supports the screenshot's authenticity better than a bare file list.

High confidence

Credentials, configurations and the infrastructure map

, , a , , and expose servers, county offices, trust relationships and privileged accounts. Some screenshots show reversibly stored or plaintext passwords.

Medium-high confidence

A large user directory

appears to be queried directly, returning names, email addresses and encrypted password fields. The attacker writes “around 2 million”; the screenshot supports access to the directory, not the total count by itself.

Medium confidence

Virtual-machine images and backups

The screenshots indicate administrative access to and , datastore browsing and backup-deletion operations. This level of control makes whole-server exfiltration plausible, but the complete transfer is not shown.

Plausible, not fully demonstrated

Cadastral data and e‑Terra documents

If the attacker copied databases, virtual disks or backups, they may contain owners, property identifiers, land-book entries, encumbrances, plans, submitted documents and application histories. The public screenshots demonstrate the ability to reach these systems; they do not yet show a complete export of nearly 29 million properties.

Why the screenshots look coherent

The screenshots describe a path through the infrastructure.

Each stage explains access to the next. That does not automatically authenticate the images, but it is harder to fabricate convincingly than one spectacular screenshot.

Entry


A legacy identity service appears compromised, providing server execution.

Identities

/
The directory returns accounts and password fields; a key appears to decrypt some secrets.

Pivoting

/
Internal application servers provide further execution points and internal-network reach.

Knowledge

/ /
Code explains the applications; monitoring explains the topology and where high-value targets sit.

Control

/
Virtualisation and backup are the points from which whole systems can be copied, stopped, encrypted or deleted.

Domain


The screenshot shows administrator and privilege-relationship enumeration, but the attacker says full takeover was not completed.

Evidence atlas

What each screenshot family shows

Images are reproduced only in heavily redacted form. The explanation preserves the public-interest value of the evidence without republishing passwords, accounts or personal data.

Redacted screenshot representing initial access through an identity service
01

The entry point looks real and predates the outage

The screenshot shows a shell on an OpenAM server and a 10 July timeline. A shell does not automatically mean access to all data, but it provides an internal point from which lateral movement can begin.

Supports
initial compromise and persistence
Does not prove
cadastral-database exfiltration
Redacted screenshot representing the OpenDJ user directory
02

The identity directory appears directly queried

LDAP records with names, emails and password fields are visible. In a separate panel, the attacker appears to test a key used to decrypt some secrets. The “two million” figure remains the attacker’s estimate.

Supports
theft of or access to account data
Does not prove
that every password was recovered
Redacted screenshot representing ANCPI source-code projects
03

The code structure fits a real institutional platform

The project tree includes e‑Terra components, payments, reports, security, single sign-on, APIs, validation and GIS. Java package names use the ANCPI domain. Together, these details make the GitLab claim highly credible.

Supports
copying code and development history
Secondary risk
secrets in configurations or old commits
Redacted screenshot representing vSphere and Veeam
04

Access to Veeam and vSphere raises the severity

Backup and virtualisation access does not merely provide files. It can provide whole server disks, snapshots, databases stopped in a consistent state and the ability to erase recovery mechanisms. The screenshots also show backup-deletion operations.

Supports
administrative control and destructive impact
Does not prove
how many machines were actually copied
Redacted screenshot representing the Active Directory structure
05

Active Directory was mapped, but complete takeover is not shown

BloodHound appears to have collected domain administrators and thousands of control relationships. The attacker nevertheless says there was not enough time to gain full administration and describes only what could have been done with a domain-controller snapshot.

Supports
privilege enumeration and preparation for escalation
Evidence limit
completed domain control is not shown
Two screenshots published by the attacker

Access appears to have spread easily across offices and systems.

county office Aadministrator[same password]
county office Badministrator[same password]
county office Cadministrator[same password]

A generic credential repeated across offices

One screenshot attributed to the attacker appears to show equipment associated with several county offices using the same account and trivial password. If authentic, compromise of that account could open many offices at once.

virtual platformprivileged administrator[weak human-made password]
applicationsvirtual machinesbackup

A privileged account protected by a name-derived password

Another screenshot attributed to the attacker appears to show credentials for a vSphere administrative account. This is the data centre’s electrical panel: a weak password here can turn a local breach into a nationwide shutdown.

What appears to have failed

Six barriers that should have stopped the path

These are inferences from screenshots, not findings from an official investigation. But the configuration shown is precisely how a vulnerability becomes an institutional disaster.

01

Exposed legacy system

A critical identity service appears reachable through a known remote-execution route.

02

Shared, weak passwords

The same credential appears reused across equipment and offices, while a privileged account uses an easily guessed secret.

03

Reversible secrets

Management tools appear to store passwords in plaintext or in a form decryptable from the compromised environment.

04

Insufficient segmentation

From authentication, the attacker appears able to reach applications, development, monitoring, backup and virtualisation.

05

Backup in the same trust domain

An attacker inside the network appears able to administer and delete the very copies used for recovery.

06

Too little friction around privilege

The screenshots do not show strong barriers such as MFA, password vaulting or isolated administrative workstations around key systems.

The correct limits of the conclusion

What cannot yet be said

Not publicly demonstrated

  • that the complete database of nearly 29 million properties was extracted;
  • that “the data of all Romanian citizens” is included;
  • how many virtual machines, backups or databases were copied;
  • whether passwords seen in the screenshots remained active after the incident;
  • whether the attacker obtained full Domain Admin control.

“The data administered through ANCPI-managed IT systems is safe and was not compromised.”

ANCPI statement, 15 July 2026

The statement may mean data integrity was preserved—not necessarily that no access or copying occurred. The institution has not yet published its definition of “compromised,” the exfiltration indicators reviewed or a forensic report.

Read the statement ↗
What should be disclosed publicly

Eight answers that would clarify the incident

  1. 01

    What was the date of first intrusion and how long did the attacker remain in the network?

  2. 02

    Which systems were accessed: OpenDJ, GitLab, Zabbix, vCenter, Veeam, Active Directory, e‑Terra databases?

  3. 03

    Is there evidence of external data transfer? What volume and to which destinations?

  4. 04

    Were snapshots, virtual disks or complete backups downloaded?

  5. 05

    Which categories of people and data are affected, and how many records are involved?

  6. 06

    Were all credentials, certificates, API keys and secrets in Git history rotated?

  7. 07

    Which offline or immutable backups survived, and from what date can systems be safely rebuilt?

  8. 08

    Will an independent report be published, including root cause and corrective measures?

Visible timeline

The screenshots predate the shutdown

The OpenAM screenshot indicates an initial shell.

Pivots appear toward application servers, GitLab, Zabbix and other internal systems.

Screenshots show vSphere, Veeam, credentials and Active Directory collection.

ANCPI shuts down or loses access to all managed systems, including email and e‑Terra.

The institution confirms the attack and calls it the largest technical disruption in its history.

Media reports that material attributed to ANCPI is being offered for sale. HotNews, citing a source familiar with the incident, says authorities are investigating a possible ransom demand. Neither the scope of the data nor the demand has been officially confirmed.

Methodology

How evidence produced by the attacker was weighed

Technical specificity

Product names, project structures, topologies, hostnames and privilege relationships that match across screenshots.

Temporal coherence

Activity displayed from 10 to 13 July predates the general outage announced on 14 July.

Causal coherence

Identity access explains application access; monitoring reveals targets; virtualisation and backup explain the scale of the shutdown.

External corroboration

ANCPI confirms the attack and all-system outage. KELA had already described ByteToBreach as technically capable but strongly self-promotional.

Caution toward claims

User counts, exfiltrated volume and claims of “complete” databases are not accepted without verifiable samples or forensic confirmation.

Harm minimisation

Data archives were not opened. Download links, passwords, personal addresses, accounts and details that could facilitate access are not republished.

Sources and status

What is official, what is analysis, what is a claim

Official

ANCPI — statement of 15 July

Confirms the attack, outage of all systems including email and e‑Terra, and states that data was not compromised.

ancpi.ro ↗
Official

ANCPI — system scale

The homepage reported 28,977,942 managed properties on 13 July 2026.

ancpi.ro ↗
External analysis

KELA — profil ByteToBreach

Describes an operator with real technical activity and often credible claims, but also aggressive marketing and self-promotion.

kelacyber.com ↗
Reporting

Public Record / HotNews / Help Net Security / Profit.ro

They report the sale offer and claims concerning data and source code. HotNews adds, based on an unnamed source familiar with the incident, that authorities are investigating a possible ransom demand. This is not official confirmation.

Hostile claim

Screenshot set attributed to the attacker

Twelve images concerning OpenAM, OpenDJ, WebLogic, WebSphere, GitLab, source code, Zabbix, monitoring, vSphere, Veeam and Active Directory. Links to allegedly stolen archives are not reproduced.

Note

Status on 17 July 2026

New information from ANCPI, DNSC, the data-protection authority or investigators could change this assessment, especially a forensic report or an official data-breach notification.

Final assessment

They probably obtained enough that “the data was not compromised” requires a technical explanation, not merely reassurance.

The most defensible formulation is this: extensive access to infrastructure, code, accounts and credentials is strongly supported; copying some operational data and servers is plausible; complete theft of the national cadastral register is not yet publicly demonstrated.