Conflict between SRI and STS regarding the cybersecurity of elections

Analysis of the reports declassified on December 4, 2024 indicates that SRI representatives believe that the Permanent Electoral Authority (AEP) was compromised following an online attack at least 5 days before the first round of the presidential election, while the Special Telecommunications Service (STS) claims to have thwarted all attacks.

The institutional conflict has not been resolved even a month after the elections were canceled, despite the announcement of a comprehensive investigation led by SRI and STS.

Călin Georgescu appeared on the Romanian political scene on the evening of November 24. A former man of the system, with connections to the Foreign Intelligence Directorate, the espionage service of the Ceaușescu regime, he won the first round of the presidential elections with 2.2 million votes.

His victory was a shock because he was not a political leader, was not supported by a party, was not registered in the Romanian electoral campaign tax system, had never been a member of Parliament, and moreover, was unknown to the remaining 14 million voters who did not vote for him.

On November 25, Călin Georgescu was the top search trend in Romania; interest in him had only begun to appear, timidly, a week earlier and was otherwise non-existent.

On December 6, the Constitutional Court of Romania unanimously decided to annul the presidential elections due to repeated violations of electoral law by one of the candidates, namely Călin Georgescu.

THE SECRET CANDIDATE. Although the CCR motivation refers to violations of electoral law, prosecutors have not yet announced the initiation of any criminal investigation regarding the funding methods of Călin Georgescu's campaign, captured here at the Bucharest Court of Appeal, where he requested the resumption of elections - Photo: Andreea Alexandru/ Mediafax/ Hepta.ro

The decision of the nine judges was based on the declassification of reports from the secret services, presented in the CSAT on November 28, some of which were revised until December 4 when they were made public.

CSAT announces cyber attacks

Information from official documents reveals that Russia, considering Romania an enemy state, interfered in the electoral process, strongly and illegally promoting a specific candidate - Călin Georgescu.

He was imposed on the public through a complex process, using the social network TikTok as well as digital infrastructure built in advance online and on other digital platforms.

One month after the annulment of the presidential elections, no criminal investigation has been opened against Călin Georgescu following the intelligence service reports; it is unknown whether he will run again or not, while Russia's influence agents in the country and abroad continue to promote him.

On the evening of November 28, four days after the first round of the presidential elections, at the end of the CSAT meeting, the presidential administration issued a statement which, among other things, emphasized that: "According to the documents presented, the Council members found that there were cyber attacks aimed at influencing the correctness of the electoral process."

"From the analysis of the documents, it also emerged that, by violating electoral legislation, a candidate in the presidential elections benefited from massive exposure due to the preferential treatment that the TikTok platform granted him by not labeling him as a political candidate, namely without obliging him to mark the video campaign materials with the unique identification code assigned by the Permanent Electoral Authority when appointing the financial coordinator agent, an obligation imposed by electoral legislation," the CSAT statement further reads.

STS had no information on cyber attacks

Shortly after the aforementioned document, the Special Telecommunications Service (STS) released a statement that astonished the public, effectively contradicting the statement made by the presidential administration after the CSAT meeting.

DIVERGENCES IN CSAT. Klaus Iohannis, under whose authority the Special Telecommunications Service operates, has repeatedly announced that the electoral process is secure and protected, but the declassified SRI report presents a contrary situation - Photo: Andreea Alexandru/ Mediafax/ Hepta.ro

"...neither before nor during the electoral process, STS received information from other entities responsible for cybersecurity regarding cyber attacks taking place," the institution announced.

However, this position raises an additional issue besides the institutional conflict of statements: a subordinate entity is contradicting its "chief."

According to the law, STS (Special Telecommunications Service) operates under the authority of CSAT, meaning the country's president.

The conflicting statements on the evening of November 28 led several journalists to request further explanations regarding the fact that CSAT announced "cyber attacks," while STS stated that they "did not receive information" about such attacks.

Several hours later, STS representatives provided additional clarification.

"During the period leading up to the elections and during their conduct, cyber attacks saw an increase in number and complexity. The most common types of attacks are volumetric (DDoS) attacks aimed at disrupting the infrastructure or services exposed on the Internet. Cyber attacks detected on information infrastructures were blocked at the security equipment level," as stated in the additional declaration made by STS on November 28.

The leadership of the institution responsible for special communications does not participate in CSAT meetings, as per the law, but is under the authority of the Council.

SRI: Electoral process compromised

From the conflicting statements, it appears that the November 28 meeting, which Klaus Iohannis convened only a day in advance (atypical for him, and a sign of urgency), saw divergent opinions, at least regarding the cyber attacks and their effects on the electoral process conducted by BEC (Central Electoral Bureau) and AEP (Permanent Electoral Authority).

... a high number of cyber attacks (over 85,000) were identified, targeting the exploitation of vulnerabilities in the information systems supporting the electoral process, in order to gain access...

SRI Report, declassified

The STS leadership also maintained, in its report declassified on December 4, that the cyber protection of the electoral process was successful.

"During the electoral process, all identified cyber attacks were successfully blocked," as stated in the institution's document, prepared on November 29 and submitted to the CSAT secretariat on December 2.

The entire report compiled by STS and signed by the head of the institution, General Engineer Ionel-Sorin Bălan, details extensively the service's actions regarding the electoral process, the cybersecurity measures implemented, and the protection of data and the voting system.

POTENTIAL RISKS. The STS report extensively describes the legal and institutional functioning of protecting the electoral process, acknowledges cyber attacks, but does not mention infiltrations into the AEP's information system - Source: CSAT

However, the declassified documents show that SRI takes the opposite position to STS, stating in its report that the cyber protection of the electoral process was compromised by Russia's actions.

"Through specific methods, on 11/24/2024, SRI obtained data regarding the publication of access credentials associated with bec.ro, roaep.ro and registrulelectoral.ro on certain cybercrime platforms of Russian origin, similar data being identified in a private Telegram channel known for disseminating exfiltrated data from many states, except from the Russian Federation," as stated in the SRI report.

The "access credentials," as termed by the secret service in the document, refer to usernames and passwords that SRI claims were used to infiltrate the digital systems managing the votes.

Description of the attack

On November 19, "a cyber incident targeted and affected the IT&C (online) infrastructure of the AEP (Permanent Electoral Authority), as a result of which cyber attackers compromised a map server (gis.registrulelectoral.ro), connected both externally, to the Internet, and internally to the AEP network," as stated in the SRI report.

Therefore, five days before the first round of the presidential elections, a major breach occurred in the cybersecurity protection of the electoral process, a problem that STS neither acknowledges nor takes responsibility for.

We reiterate that no malfunctions were identified in the operation of the information systems

STS Report, declassified

The situation reveals a major tension between the presidential administration, under whose authority STS operates, and SRI, the intelligence agency that asserts in the published reports that the institutions responsible for the elections were compromised by cyber attacks at least 5 days before the first round of the presidential elections.

"The attacks in question continued in a sustained manner, including on the day of the elections and the night after the elections (25.11.2024). Information systems from over 33 countries were used to launch the attacks, using advanced anonymization methods to hinder the attribution process," the SRI report also states.

A secret investigation and institutional deadlock

SRI representatives mentioned that a comprehensive investigation is underway, together with STS, to discover the perpetrator of the attack and to determine the level and depth of the damages caused.

It has been over a month since the start of this investigation, and no agency or institution involved has provided details about the progress and results.

INSTITUTIONAL SILENCE. It has been over a month since the announcement of a complex investigation regarding the destabilizing actions that led to the cancellation of the elections, but no institution has provided information on its status and results - Photo: Hepta.ro

"The modus operandi, as well as the scale of the cyber campaign, lead to the conclusion that the attacker has considerable resources, correlated with a modus operandi specific to a state attacker," the SRI report further states.

"At the same time, the AEP infrastructure remains affected by vulnerabilities that, if exploited by attackers, can lead to actions to escalate access within the network and ensure persistence," the intelligence agency further specifies, clearly indicating that the AEP has been compromised and can no longer conduct electoral processes.

None of the findings made by the SRI appear in the STS report, and this situation indicates an institutional deadlock within the defense and security institutions of the country. Such a vulnerability was also exploited by the 'state attacker' who compromised the electoral process in Romania.

