On November 24, when the first round of the presidential elections took place, starting at 8:00 PM, I was invited to the TVR Info studio to comment, alongside other analysts and journalists, on the exit poll results.
Around noon, my wife and I had voted together, noticing a larger presence of law enforcement on the streets compared to other elections, but we didn’t think much of it.
However, in the evening, when I left with my electric scooter towards the public television headquarters, what had been just a feeling until then became a certainty – Bucharest was swarming with police patrols.
On a three-kilometer journey, I counted about four mobile Interior Ministry patrols and three stationed ones, which led me to not take a shortcut by going the wrong way, but to detour slightly and respect the signs.
A week later, during the parliamentary elections, law enforcement was not as present and visible. The differences observed made me realize that on November 24, during the first round of the presidential elections, there was a tense situation that raised the alert level.
Four days after the vote, a CSAT meeting took place, and a week later, on December 4, the presidential administration declassified excerpts from the documents presented by intelligence agencies at the Supreme Council of National Defense meeting.
Russian Cyber Crime
"Through specific methods, on 11/24/2024, the SRI obtained data regarding the publication of access credentials associated with <bec.ro>, <roaep.ro>, and <registrulelectoral.ro> on Russian cybercrime platforms," states one of the two declassified SRI reports.
"Similar data was identified within a private Telegram channel known for disseminating data exfiltrated from many states, except Russia," the report further specifies.
The explanation for the heightened alert observed on November 24 is found in the first paragraph of the SRI report.
Those involved in the promotional campaign of Călin Georgescu demonstrated a very good knowledge of TikTok's security policies and the know-how required to bypass them.
SRI Report, December 4, 2024
The information also indicates that this was the moment when the Romanian Intelligence Service representatives became aware that institutions in the country were under an exceptionally severe external attack.
For those who continue to claim that Russia has not been identified as a hostile actor intervening in the electoral process in Romania, both the SRI and SIE documents provide clear references describing Moscow's actions.
Attack Objectives
"Following the initiated verifications, it was established that the exfiltration was carried out either by targeting legitimate users to whom user/password credentials were distributed, or by exploiting the legitimate training server provided by STS at https://operatorsectie.roaep.ro," as stated in the SRI report.
Intelligence officers use, intentionally or not, complex language that is difficult for the public to understand and that is not explained in the debates surrounding the crisis caused by the election cancellation.
In other words, the SRI announces that a cyber attack originating from Russia aimed to take control of the server storing electoral information - lists, minutes, results - through two methods:
- deceiving legitimate users through emails (phishing) to steal their passwords;
- rendering the server unusable by sending a huge number of requests to it in a short period of time.
"STS manages the primary sequence related to the voting process: recording voter presence, ensuring the correctness of vote counting by video recording the ballot box opening and vote counting process, as well as centralizing the results," as specified in the SRI report.
Additionally, "the infrastructure sequence managed by AEP serves: real-time display of voter presence, statistics on vote distribution based on various criteria (age categories, gender, urban/rural areas, etc.), as well as providing electoral legislation," as stated in the intelligence agency's document.
The paragraphs above indicate the purpose of the attack, which was to take control of displaying the results on the AEP website, where millions of Romanian citizens were watching the vote count live.
What the report does not mention is whether, and to what extent, this Russian-launched attack was successful.
Significant Resources
It should be noted that on the same day as the CSAT meeting, the Constitutional Court decided to recount the votes from the first round of the presidential elections.
It is mentioned that specific investigations have been initiated together with AEP and STS. As the evaluation regarding the cyber attack is ongoing, there is currently no definitive data on the attacker or the impact on the electoral process.
SRI Report, December 4, 2024
In the context of subsequent events that ultimately led to the cancellation of the presidential elections, and after careful analysis of the declassified documents, it is possible that the CCR decision to recount is also related to the fact that authorities did not know whether Russia's cyber attack was successful or not: whether the results published on the website were compromised, and whether the figures displayed matched those manually counted in the polling stations.
"The modus operandi, as well as the scale of the cyber campaign, lead to the conclusion that the attacker has significant resources, correlated with an operating mode specific to a state actor," as stated in the SRI report.
In other words, at the time the information was gathered and compiled, the SRI did not know whether Russia's attack was successful or not. Following the political decisions made, such as the CCR decision to recount, the trend within the CSAT was to consider that the attack caused damage and compromised the electoral process.
Telegram and Discord channels have been identified where coordination and avoidance of platform blocking were discussed, so no direct link was identified between the multiple TikTok accounts used in promoting Călin Georgescu, with the activity taking place from multiple geolocations.
SRI Report, December 4, 2024
Contradictions between SRI and STS
The expression used in the document, "the attacker has significant resources," also amounts to an acknowledgment of the weak preparedness regarding cyber defense in Romania, of the vulnerabilities of digital communication systems, and of the surprise that Russia's hostile action caused to the intelligence services, the government and the presidential administration.
Today, we can say - with the data at hand, with the political deadlock, and with the implementation of brutal institutional decisions - that the operation to compromise the electoral process had two main components:
- An action conducted on social networks, especially on TikTok, aimed at artificially and rapidly increasing support for Călin Georgescu - an action that succeeded. Călin Georgescu was raised to fifth place in the global trends on TikTok, a first for a European election candidate.
- A cyber attack on STS servers aiming to cause a major disruption in data collection from polling stations, followed by modification of the data. There is not enough information at this moment about the second action to know what damage it caused and to what extent it succeeded or not.
"The activity of the accounts would have been coordinated by a state actor, who would have used an alternative communication channel for the dissemination of messages on the platform," as stated in the SRI report.
Although neither the current president nor the prime minister officially acknowledges it, the crisis caused by hostile actions from both external and internal sources within Romania's electoral system has been so significant that it has compromised both the Permanent Electoral Authority and the Central Electoral Bureau, institutions whose functioning, leadership, procedures, and cyber protection need to be completely revamped.
But there is another major issue highlighted in the declassified reports: a conflict between the SRI and STS, which provided conflicting information, at least during certain phases of the crisis. However, an attempt to decipher this conflict will be made in the next article.