Cyber Incident Victim: Government of Moldova

Date: Jan 2023

Location: Moldova

Summary

Moldova's government institutions faced a surge of phishing campaigns involving over 1,330 malicious emails impersonating a hosting company to deceive recipients with fraudulent domain expiration notices, prompting security alerts and procedural changes. This incident occurred amid escalating cyber threats targeting the country, including distributed denial-of-service attacks against state systems and politically motivated leaks of alleged private communications, all coinciding with geopolitical tensions following its support for Ukraine during the regional conflict. Cybersecurity authorities did not confirm the attacks' success or attribution but noted a pattern of increased hostile cyber activity linked to the nation's alignment against Russian aggression.

Description

In early January 2023, Moldova’s government institutions experienced a significant wave of phishing attacks targeting state services. Hackers sent over 1,330 fraudulent emails to government accounts, with one campaign impersonating the website hosting company Alexhost. These emails falsely claimed that the government’s .md domain had expired and directed recipients to click malicious links leading to counterfeit payment pages designed to harvest credentials or financial information. The Moldovan Information Technology and Cyber Security Service (STISC) publicly disclosed the campaign on January 5, publishing samples of the phishing emails but not confirming whether any accounts were compromised or payments made. Alexhost, whose identity was misused in the scheme, issued a warning on January 2 denying involvement and urging customers to verify invoices before payments. STISC did not attribute the attacks to specific threat actors or confirm the number of affected institutions, leaving the perpetrators’ affiliation—whether nation-state hackers or criminal groups—unclear.

This incident occurred amid a broader escalation of cyberattacks against Moldova following its support for Ukraine after Russia’s invasion. In October 2022, hackers launched distributed denial-of-service (DDoS) attacks against 80 Moldovan state computer systems, though STISC reported limited operational impact. The pro-Russian hacker group Killnet had previously announced a week-long cyber campaign against Moldova in August 2022, in line with its targeting of other Ukraine-aligned nations. In November 2022, the Moldova Leaks website published purported private Telegram chats of Moldovan politicians, which the government dismissed as fabricated but linked to suspected Russian interference. These cyber operations coincided with Moldova’s humanitarian response to the war, including sheltering over 645,000 Ukrainian refugees by December 2022. STISC’s public advisories and Alexhost’s procedural changes to invoice verification were the primary documented responses to the phishing campaign; no technical containment measures or victim statistics were disclosed.