
Cyber Incident Victim: Municipality of Oradea

Date: Jul 2021

Location: Romania

Summary

A ransomware attack targeted the Municipality of Oradea, disrupting municipal hall operations except for tax and duty collection services. The incident originated from a malicious file inserted into servers, which propagated to infect surrounding files, prompting authorities to disconnect systems, neutralize threats, and inspect databases for further compromise. While officials assured full data recovery via backups, restoration timelines initially remained unclear, temporarily halting document management systems. Operations fully resumed shortly afterward with all data successfully restored.


Description

On or around July 3, 2021, the Municipality of Oradea in Romania experienced a ransomware attack that disrupted municipal operations. The attack originated from a malicious file inserted into the City Hall servers, which subsequently infected surrounding files. Upon detection, municipal authorities followed protocol by immediately disconnecting the affected systems to contain the spread. This action halted all functions in the "Counter Room" (Pyramid) located on the first floor of the municipal hall, except for the collection of taxes and duties. The city administrator, Mihai Jurca, confirmed the incident and outlined the initial response steps, which included neutralizing infected files and conducting database checks to identify additional compromised data. The municipality publicly announced the cyberattack on July 5, attributing the operational disruptions to ransomware and assuring residents that 100% of data would be recovered through backups. However, officials did not specify the expected restoration timeline, leaving the IDC document management system non-operational during recovery efforts.


The attack forced the temporary suspension of multiple municipal services, affecting public access to standard administrative functions beyond tax collection. As a precaution, the city disconnected the public-facing network within the Pyramid office to prevent further compromise. Restoration efforts focused on validating backup integrity and systematically rebuilding infected systems. By the morning of July 6, the municipality confirmed full recovery of all data and resumption of normal operations in the Pyramid counter room. Because the backup restoration succeeded, no data was lost, though the incident caused at least two days of service interruptions. The city issued public apologies for the inconvenience but did not disclose technical details about the ransomware variant, attack vectors beyond the initial file insertion, or whether threat actors demanded payment. No evidence suggested data exfiltration or secondary impacts beyond the immediate disruption to municipal workflows.
