As EU referendum looms, Moldova finds itself in Russian digital army’s crosshairs

Pro-Russian hackers are increasingly targeting Moldovan websites, likely as payback for the country’s support for Ukraine and its attempts to join the European Union.

Since the beginning of March, the Kremlin-aligned threat actor known as NoName057(16) has claimed to have targeted more than 50 websites in Moldova with distributed denial-of-service (DDoS) attacks, according to an analysis by the cybersecurity firm NetScout published earlier this week.

The group says the operations are “retaliation against Moldova’s Russophobic regime.”

According to the NetScout report, several other pro-Russian DDoS hacktivists have also joined the anti-Moldova cyber campaign, claiming credit for attacks across more than 15 industries, with a focus on public services, financial institutions, and media. These groups include HackNeT, KaliHunt/Russia, CyberDragon, and the Cyber Army of Russia. 

The extent and validity of these incidents are hard to verify, as in most cases the only evidence the hacktivists provide are screenshots of allegedly hacked services or reports from the Check Host website, which evaluates the availability and performance of website servers in different countries.

Some targets, however — including Moldova's national public broadcaster, Moldova 1 — confirmed repeated DDoS attacks on its website at the end of April, saying they originated from Russia.

The country’s state officials and independent observers are also voicing concerns about Russian cyber and disinformation campaigns. Moldova’s government spokesperson, Daniel Vodă, said earlier this month that state websites are attacked almost daily.

According to a report by the U.S. Institute of Peace (USIP), the Kremlin’s “hybrid war” aims to manipulate three consequential votes in Moldova this year and next — presidential, parliamentary, and a referendum on joining the European Union.

This year's election is particularly important for Moldova, as its Party of Action and Solidarity jockeys to steer the country politically and economically towards the EU, while promising to root out corruption and Russian interference. For the Kremlin, impeding European integration involves employing influence operations to bolster pro-Moscow politicians, fuel anti-government protests, and incite interethnic discord within the country.

Such interference is not exactly new for the country. Moldovan officials warned in 2022 about fake bomb threats, many of which were sent by email from Russian and Belarusian IP addresses, at over 50 facilities across the country — including the airport, the capital's city council, the Parliament, and various ministries.

That same year, a newly-registered website called Moldova Leaks released private Telegram conversations purportedly involving prominent Moldovan political figures, sparking a political scandal.

The Moldovan president’s office claimed the content of the conversations was fake, but the leak was likely orchestrated by Russia. 

An ultimatum

The current activity in Moldova is a continuation of a surge in cyberattacks over the past two years, likely linked to the country's support of Ukraine during the war. Moldova shares a border with Ukraine and condemns Russia’s invasion.

For Russia, the country is strategically important as Russia dominates Moldova’s Transnistria region, which declares itself independent, through its command of some 1,000 or more troops there, plus intelligence activity and alliances with corrupt local elites. 

Moscow has signaled that Moldova will not get Transnistria back unless it accepts Russian stipulations limiting its independence — including a ban on joining the EU, according to USIP.

A monument to Vladimir Lenin in Tiraspol, the capital of Trasnistria. Credit: Alex Houque via Unsplash

In March, eight pro-Russian hacker groups issued what they called “an ultimatum” to the Moldovan government and its political leaders, demanding that they "stop exerting economic, military-political, and socio-humanitarian pressure on Transnistria." Following this statement, published on the hackers’ Telegram channels, the groups began their DDoS campaign against Moldova.

NoName057(16) seems to have initiated the operation, according to NetScout. The group is known for conducting relatively simple and short-lived DDoS attacks. However, these attacks often manage to achieve the hackers’ goal — disrupting the lives of their victims, even if only for a few minutes.

The group mostly relies on the custom-made DDoSia toolkit to carry out its attacks. According to NetScout’s estimates, NoName057(16) currently leads the field in terms of DDoS attacks by geopolitical hacktivists.

In just the second half of 2023, they claimed to have targeted more than 780 different websites, researchers said.

The infrastructure used by the group can be “extremely resilient and difficult to take down or remediate due to the types of networks where their DDoSia malware code is deployed.”

“It is uncertain if there’s a hidden agenda beyond what the group posted publicly, but at this time we have no expectations of the activity diminishing soon,” NetScout added.

Disinformation

In March, Moldova's national intelligence agency said that Russian disinformation efforts include the “extensive use of social networks,” such as Telegram and TikTok.

Russia has also begun using artificial intelligence to create fake videos featuring local politicians, including Moldova's pro-Western President Maia Sandu.

According to research from last year, Russian disinformation is particularly powerful among Russian speakers, rural residents, and those who live in poverty. This applies to the pro-Russian Gagauzia region, where 40 percent of the population lives below Moldova’s poverty line.

To distance itself from Moscow’s influence, Moldova is trying to bolster cooperation with Western allies, including the U.S. and the U.K. 

In April, the U.S. State Department announced its assistance to Moldovan security forces, including providing advice on defending against cyber threats. The U.S. said that it will also help Moldova to mitigate the negative impacts of foreign disinformation and propaganda.

The U.K. has also pledged to help the country bolster defenses against cyberattacks, propaganda and fake news, offering a £30 million ($37 million) aid package.

“Moldova remains on [the] ‘front line’ of Russia’s disinformation war,” the U.K. government said.