Romania’s Election Systems Targeted in Over 85,000 Cyberattacks

### #RomanianElections #InfluenceCampaign #CyberEspionage

Summary: The Romanian constitutional court annulled the presidential elections due to a TikTok influence campaign linked to Russia, alongside over 85,000 cyberattacks targeting the country’s election infrastructure. Declassified intelligence reports reveal significant vulnerabilities exploited by threat actors, suggesting state-sponsored interference.

Threat Actor: Unknown State Actor | Russia
Victim: Romanian Electoral Authority | Romanian Electoral Authority

Key Point :

  • Romania’s election infrastructure faced over 85,000 cyberattacks, with compromised credentials leaked on Russian forums.
  • A TikTok influence campaign involved over 100 influencers promoting presidential candidate Calin Georgescu, with content mirroring pro-Russian narratives.
  • The Romanian Intelligence Service indicates that the attacks and influence efforts are likely state-sponsored, reflecting Russia’s historical interference in elections.
  • Vulnerabilities in Romania’s election systems remain, posing ongoing risks for future electoral processes.

Romania's election systems targeted in over 85,000 cyberattacks

Update December 06, 13:40 EST: On Friday, the Romanian constitutional court (CCR) annulled the presidential elections based on information showing the first round of elections was affected by a TikTok influence campaign linked to Russia.


A declassified report from Romania’s Intelligence Service says that the country’s election infrastructure was targeted by more than 85,000 cyberattacks.

Threat actors also obtained access credentials for election-related websites and leaked them on a Russian hacker forum less than a week before the first presidential election round.

Attacks originating from 33 countries

The Romanian Intelligence Service (SRI) says that on November 19 the IT infrastructure of the country’s Permanent Electoral Authority (AEP) was the target of a cyberattack.

The attacker compromised a server with mapping data (gis.registrulelectoral.ro) that was connected to both the public web and the AEP’s internal network.

Following this incident, account credentials for Romanian election sites, including bec.ro (Central Election Bureau), roaep.ro, and registrulelectoral.ro (voter registration), were leaked on a Russian cybercrime forum.

According to SRI, the attacker obtained the logins by either targeting legitimate users or by exploiting vulnerabilities in the training server for operators at voting sections.

The Romanian intelligence agency says that the 85,000 attacks continued until November 25th, the night after the first presidential election round, and the goals ranged from gaining access to the election infrastructure and compromising it to altering election information for the public and denying access to the systems.

SRI notes in the declassified report that the threat actor tried to breach the systems by exploiting SQL injection and cross-site scripting (XSS) vulnerabilities from devices in more than 33 countries.

The agency is also warning that Romania’s election infrastructure is still affected by vulnerabilities that could be exploited to move laterally on the network and establish persistence.

Influence campaign

Although SRI does not attribute these attacks to a specific threat actor, the agency believes that the modus operandi and resources required for the activity point to a state actor.

In another declassified report seen by BleepingComputer, SRI describes an influence campaign targeting the Romanian presidential election, where more than 100 TikTok Romanian influencers with over 8 million active followers were manipulated to distribute election content promoting presidential candidate Calin Georgescu.

The influencers received amounts starting from $100 for 20,000 followers, to distribute videos with hashtags describing Georgescu’s presidential profile.

Romania’s Ministry of Internal Affairs (MAI) says the visibility of these videos increased sharply starting November 13th and culminated with 9th place in top trending content, with hundreds of millions of views on November 26th.

MAI notes that some of the text the influencers distributed for Georgescu’s campaign was the same as the one promoting the pro-Russian presidential candidate in Moldova.

SRI says that Georgescu’s campaign benefited from 25,000 TikTok accounts that became “very active” about two weeks before election day.

Almost 800 of these accounts were created in 2016 and were barely active until November 11th, when they started to push Georgescu’s campaign messages.

SRI does not specifically point to Russia orchestrating the attacks and the influence campaign but the Romanian Foreign Intelligence Service (SIE) points to an analysis of Russia’s recent history of interference in elections in other countries.

SIE notes that Moskow perceives Romania as an enemy state because it provokes and threatens Russia’s security by allowing NATO’s military presence on the eastern flank of the alliance.

Along with other eastern countries, Romania is the target of Russia’s effort to influence democratic elections through propaganda and disinformation and by supporting eurosceptics and shaping the public agenda to its interests.

UPDATE [November 6th]: The Constitutional Court of Romania (CCR), which decides that laws, decrees, and bills are in agreement with the country’s Consitution, cancelled the results of the first round in the presidential election and decided that new elections will be held.

The court’s decision comes after declassified reports from Romanian intelligence services showed Russian interference in the election process through an influence campaign for supporting Georgescu.

Source: https://www.bleepingcomputer.com/news/security/romanias-election-systems-targeted-in-over-85-000-cyberattacks