This week: a critical LiteLLM AI gateway flaw exposes API keys, Scattered Spider faces legal action, and Vimeo's analytics breach highlights third-party risk.


According to reporting last year by Industrial Cyber, ransomware attacks against industrial organisations increased by 87%, with attackers increasingly targeting OT-adjacent environments rather than control systems directly. Instead of compromising PLCs, ransomware groups are abusing enterprise IT, identity infrastructure, and trusted management systems as the fastest route to operational disruption.
For energy operators, this shift is critical. Oil, gas, and pipeline environments rely on Windows systems, centralised identity, monitoring platforms, and update services to support OT operations. When those systems are compromised, attackers can move from initial access to full operational impact without ever touching core OT controllers.
The recent Conpet incident illustrates this kill chain clearly.
In February 2026, Romania’s national oil pipeline operator Conpet confirmed a ransomware attack. The Qilin group claimed responsibility, alleging the theft of nearly 1TB of internal data.
Public reporting from Hudson Rock indicates the attack likely began weeks earlier with an infostealer infection detected on January 11, 2026, on a computer associated with a Conpet IT employee. The device was described as a personal or side-business system, not a managed corporate endpoint.
Hudson Rock reports that credentials linked to Conpet systems were present on the device and may have been exposed, including access to remote connectivity, monitoring, and update services. Conpet has not confirmed the full technical sequence, and the investigation remains ongoing.
In energy environments, ransomware rarely starts inside OT. It usually begins outside formal control.
According to NCIS, shadow IT includes systems and devices used for work that are not managed, monitored, or governed by corporate IT. In energy organisations, this matters because OT does not stand alone. Identity, monitoring, and update systems live in enterprise IT and directly support operations.
The Conpet case points to a personal device being used for work access. That detail matters. Unmanaged devices often lack consistent patching, endpoint protection, and logging. Once credentials are used on them, attackers no longer need to target OT systems directly.
Takeaway: Shadow IT is rarely malicious, but it often creates the conditions ransomware needs to enter energy environments.
There is no evidence of an OT exploit or perimeter breach. Instead, the likely entry point was valid credentials.
Hudson Rock reports that credentials linked to Conpet systems were present on the infected device. Rather than forcing entry, attackers likely authenticated using real usernames and passwords.
The services referenced (email, monitoring, update platforms) sit in enterprise IT but underpin OT operations. Access to them enables lateral movement that blends into normal administrative behaviour, and network segmentation offers limited protection once the trusted systems on the IT side of the boundary are reachable with valid credentials.
Takeaway: This appears to be a credential-based entry path enabled by shadow IT, a common pattern in energy-sector ransomware attacks.
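One way to hunt for this pattern in authentication telemetry, as an added example rather than anything from the original post, from Conpet or from Hudson Rock: correlate successful logins against a managed-device inventory and an infostealer-exposure feed, and escalate when the target service is one that supports OT. The log schema, hostnames, usernames, service names and dates below are constructed for illustration and would be mapped to your own SIEM fields.

```python
"""Detection sketch: successful logins that use infostealer-exposed
credentials from devices outside corporate management.

Added example, not code from the original page or from Conpet/Hudson Rock.
The log format, the device inventory and the exposure feed are constructed
for illustration; map the field names to your own SIEM schema.
"""
import json
from datetime import datetime, timezone

# Constructed inventory of managed endpoints (hostnames as reported by the
# endpoint agent). Anything not listed is treated as shadow IT.
MANAGED_DEVICES = {"WS-IT-014", "WS-IT-021", "SRV-MON-01"}

# Constructed infostealer-exposure feed: username -> date the credential was
# first seen in a stealer log (a vendor feed or your own leak monitoring).
EXPOSED_CREDENTIALS = {
    "it.user1": datetime(2026, 1, 11, tzinfo=timezone.utc),
}

# Services that sit in enterprise IT but directly support OT operations.
# Logins to these are rated high. The service names are assumptions.
OT_SUPPORTING_SERVICES = {"vpn", "monitoring", "wsus"}

# Constructed authentication events (JSON lines), roughly what an identity
# provider or VPN concentrator would emit.
SAMPLE_LOG = """\
{"ts": "2026-01-09T08:02:11Z", "user": "it.user1", "device": "WS-IT-014", "service": "email", "result": "success"}
{"ts": "2026-01-14T22:41:03Z", "user": "it.user1", "device": "DESKTOP-7H2KQ", "service": "vpn", "result": "success"}
{"ts": "2026-01-15T01:17:49Z", "user": "it.user1", "device": "DESKTOP-7H2KQ", "service": "wsus", "result": "success"}
{"ts": "2026-01-15T01:20:02Z", "user": "ops.user2", "device": "WS-IT-021", "service": "monitoring", "result": "success"}
{"ts": "2026-01-15T03:05:30Z", "user": "it.user1", "device": "DESKTOP-7H2KQ", "service": "vpn", "result": "failure"}
"""


def parse_events(text):
    """Parse JSON-lines authentication events; 'ts' becomes an aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def triage(events, managed=MANAGED_DEVICES, exposed=EXPOSED_CREDENTIALS,
           ot_services=OT_SUPPORTING_SERVICES):
    """Return alerts for successful logins matching the shadow-IT pattern.

    An event is alertable when the account's credentials appeared in a
    stealer log, the login happens after that exposure, and the device is
    not in the managed inventory. OT-supporting services are rated high.
    """
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        exposed_at = exposed.get(ev["user"])
        if exposed_at is None or ev["ts"] < exposed_at:
            continue  # credential not known to be exposed at login time
        if ev["device"] in managed:
            continue  # exposed credential from a governed endpoint: handled elsewhere
        severity = "high" if ev["service"] in ot_services else "medium"
        alerts.append({
            "ts": ev["ts"].isoformat(),
            "user": ev["user"],
            "device": ev["device"],
            "service": ev["service"],
            "severity": severity,
            "reason": "exposed credential used from unmanaged device",
        })
    return alerts


if __name__ == "__main__":
    for a in triage(parse_events(SAMPLE_LOG)):
        print(a["severity"].upper(), a["ts"], a["user"], a["device"], a["service"])
```

In the constructed sample, the first login predates the exposure date and is skipped; the later VPN and WSUS logins from the unmanaged hostname are the two that would have mattered in a case like the one described. A real deployment would raise a lower-priority ticket for the "exposed credential from a managed device" branch rather than drop it, and would key on device identity asserted by the endpoint agent or certificate rather than a self-reported hostname, which an attacker can choose freely.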
There is no confirmation of how ransomware was deployed. What follows is a plausible path based on reported access and patterns seen in similar incidents.
Hudson Rock notes exposure of credentials tied to update infrastructure, including WSUS. In industrial environments, these systems are trusted by design and used to distribute software broadly.
If attackers gain control of such systems, malicious code can be delivered as routine operational activity. Disrupting engineering workstations or OT-supporting servers is often enough to halt operations without touching PLCs or controllers.
Takeaway: In energy environments, ransomware deployment can look like business as usual when trusted systems are abused.
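If update infrastructure is a plausible delivery channel, the approvals themselves are worth auditing. The following is an added example, not code from the page, from Microsoft or from any WSUS tool: it reads a constructed export of WSUS update approvals and flags locally published content, approvers outside an allowlist, and approvals that target broad or OT-supporting groups outside a change window. The column names, group names, allowlist and change window are assumptions to adapt to your own reporting.

```python
"""Audit sketch for WSUS approvals: flag approvals that could be an operator
using update infrastructure as a delivery channel.

Added example, not code from the original page or from any WSUS tooling.
The export below is a constructed CSV; produce the real one from your own
WSUS reporting and adjust the column names. The approver allowlist, the
change window and the group names are assumptions.
"""
import csv
import io
from datetime import datetime

# Accounts that are supposed to approve updates (assumption).
APPROVER_ALLOWLIST = {"svc-wsus-approve", "patch-admin1"}
# Approvals to sensitive groups are expected Monday-Friday 08:00-17:59 UTC.
CHANGE_WINDOW_HOURS = range(8, 18)
# Groups whose members can stop operations when disrupted (assumption).
SENSITIVE_GROUPS = {"All Computers", "Engineering Workstations", "OT Support Servers"}

# Constructed export. 'publisher' distinguishes Microsoft content from
# locally published packages, which WSUS can distribute under a local
# signing certificate; that is the path an attacker with WSUS access
# would use to push arbitrary code as a routine update.
SAMPLE_EXPORT = """\
update_id,title,publisher,approved_by,approved_at,target_group,action
u-1001,2026-01 Cumulative Update for Windows Server,Microsoft Corporation,svc-wsus-approve,2026-01-13T10:15:00Z,All Computers,Install
u-1002,Agent hotfix 4.2.1,Microsoft Corporation,patch-admin1,2026-01-14T14:02:00Z,Engineering Workstations,Install
u-2001,Driver Update Package,Contoso Local Publishing,it.user1,2026-01-15T01:22:00Z,All Computers,Install
u-2002,Security Baseline Refresh,Microsoft Corporation,it.user1,2026-01-15T01:25:00Z,OT Support Servers,Install
u-1003,Servicing Stack Update,Microsoft Corporation,svc-wsus-approve,2026-01-15T09:40:00Z,All Computers,Install
"""


def parse_export(text):
    """Parse the CSV export; 'approved_at' becomes an aware datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["approved_at"] = datetime.fromisoformat(r["approved_at"].replace("Z", "+00:00"))
    return rows


def in_change_window(ts):
    """True on a weekday within the configured UTC hours."""
    return ts.weekday() < 5 and ts.hour in CHANGE_WINDOW_HOURS


def audit_approvals(rows, allowlist=APPROVER_ALLOWLIST, sensitive=SENSITIVE_GROUPS):
    """Return [(update_id, [reasons])] for every Install approval worth review."""
    findings = []
    for r in rows:
        if r["action"] != "Install":
            continue
        reasons = []
        if not r["publisher"].startswith("Microsoft"):
            reasons.append("locally published content, not from Microsoft")
        if r["approved_by"] not in allowlist:
            reasons.append(f"approver {r['approved_by']} not in allowlist")
        if r["target_group"] in sensitive and not in_change_window(r["approved_at"]):
            reasons.append("sensitive target group approved outside change window")
        if reasons:
            findings.append((r["update_id"], reasons))
    return findings


if __name__ == "__main__":
    for update_id, reasons in audit_approvals(parse_export(SAMPLE_EXPORT)):
        print(update_id, "->", "; ".join(reasons))
```

Against the constructed export, the two approvals made at 01:22 and 01:25 by an account outside the allowlist are flagged, and the locally published package aimed at All Computers collects every reason at once. Run on real data this is a review queue, not a blocker; the control that actually prevents the attack is keeping WSUS approval rights off accounts that are used on unmanaged devices.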
The Conpet incident aligns closely with Qilin’s operating model.
Qilin focuses on sectors where downtime hurts immediately, including energy and manufacturing. Its strength is not technical novelty but discipline: abusing legitimate access, trusted systems, and operational pressure.
Qilin does not need to attack OT directly. It targets the systems OT depends on.
This incident was not caused by a single missed patch or an exotic exploit. It became possible because trust accumulated quietly on a system outside the organisation's normal scope of control.
A personal device. Legitimate credentials. Routine access. None of this looks dangerous alone. Together, it created operational risk.
For energy organisations, resilience starts long before OT is involved. It depends on how access, devices, and trust are governed across the organisation.
Final thought:
Operational resilience doesn’t begin in the control room. It begins with disciplined control of access, identity, and trust across IT and OT. Get that right, and attacks like this become far harder to execute and far easier to stop early.