Romania’s election systems targeted in over 85,000 cyberattacks

![Romania’s election systems targeted in over 85,000 cyberattacks](https://www.bleepstatic.com/content/hl-images/2024/12/05/vote.jpg)

A declassified report from Romania’s Intelligence Service says that the country’s election infrastructure was targeted by more than 85,000 cyberattacks.

Threat actors also obtained access credentials for election-related websites and leaked them on a Russian hacker forum less than a week before the first presidential election round.

### Attacks originating from 33 countries

The Romanian Intelligence Service (SRI) says that on November 19 the IT infrastructure of the country’s Permanent Electoral Authority (AEP) was the target of a cyberattack.

The attacker compromised a server with mapping data (gis.registrulelectoral.ro) that was connected to both the public web and the AEP’s internal network.

Following this incident, account credentials for Romanian election sites, including [bec.ro](http://bec.ro/) (Central Election Bureau), [roaep.ro](http://roaep.ro/), and [registrulelectoral.ro](http://registrulelectoral.ro/) (voter registration), were leaked on a Russian cybercrime forum.

According to SRI, the attacker obtained the logins by either targeting legitimate users or by exploiting vulnerabilities in the training server for operators at voting sections.

The Romanian intelligence agency says that the 85,000 attacks continued until November 25th, the night after the first presidential election round, and the goals ranged from gaining access to the election infrastructure and compromising it to altering election information for the public and denying access to the systems.

SRI notes in the declassified report that the threat actor tried to breach the systems by exploiting SQL injection and cross-site scripting (XSS) vulnerabilities from devices in more than 33 countries.

The agency is also warning that Romania’s election infrastructure is still affected by vulnerabilities that could be exploited to move laterally on the network and establish persistence.

### Influence campaign

Although SRI does not attribute these attacks to a specific threat actor, the agency believes that the modus operandi and resources required for the activity point to a state actor.

In another declassified report seen by BleepingComputer, SRI describes an influence campaign targeting the Romanian presidential election, where more than 100 TikTok Romanian influencers with over 8 million active followers were manipulated to distribute election content promoting presidential candidate Calin Georgescu.

The influencers received amounts starting from $100 for 20,000 followers, to distribute videos with hashtags describing Georgescu’s presidential profile.

Romania’s Ministry of Internal Affairs (MAI) [says](https://www.documentcloud.org/documents/25446826-document-csat-mai/) the visibility of these videos increased sharply starting November 13th and culminated with 9th place in top trending content, with hundreds of millions of views on November 26th.

MAI notes that some of the text the influencers distributed for Georgescu’s campaign was the same as the one promoting the pro-Russian presidential candidate in Moldova.

SRI says that Georgescu’s campaign benefited from [25,000 TikTok accounts](https://www.documentcloud.org/documents/25446823-document-csat-sri-i/) that became ‘very active’ about two weeks before election day.

Almost 800 of these accounts were created in 2016 and were barely active until November 11th, when they started to push Georgescu’s campaign messages.

SRI does not specifically point to Russia orchestrating the attacks and the influence campaign, but the Romanian Foreign Intelligence Service (SIE) points to an [analysis](https://www.documentcloud.org/documents/25446825-document-csat-sie/) of Russia’s recent history of interference in elections in other countries.

SIE notes that Moscow perceives Romania as an enemy state because it provokes and threatens Russia’s security by allowing NATO’s military presence on the eastern flank of the alliance.

Along with other eastern countries, Romania is the target of Russia’s effort to influence democratic elections through propaganda and disinformation and by supporting eurosceptics and shaping the public agenda to its interests.

Related Tags:
Blog: BleepingComputer

TA0003 – Persistence

Exploit Public-Facing Application

Associated Indicators:
registrulelectoral.ro

gis.registrulelectoral.ro

bec.ro