A new disinformation campaign, dubbed “Operation MiddleFloor,” has been observed targeting Moldova ahead of its October elections.
Identified by Check Point Research (CPR), the campaign, which began in August 2024, seeks to influence Moldova’s national referendum on European Union membership by fostering negative views of the EU and the country’s pro-European leadership.
Unlike many other disinformation efforts that rely on social media, Operation MiddleFloor is primarily conducted through emails. These emails contain fabricated documents that appear to be official communications from European institutions or Moldovan government bodies.
Fake Documents and Personal Data Collection
One example included a fake European Commission document suggesting new requirements for Moldova to join the EU, including English exams for civil servants and the mandatory display of LGBT flags in public buildings. These messages are designed to undermine public confidence in Moldova’s EU aspirations.
The attackers, tracked under “Lying Pigeon,” are also gathering personal data through these email scams. Fake forms embedded in the documents request sensitive information, such as IP addresses and personal details, which could set the stage for further targeted cyber-attacks.
Disinformation Exploits Sensitive Political Issues
The disinformation touches on several politically sensitive topics, including gas prices, anti-corruption measures, immigration and LGBT rights. In one case, an email allegedly from Moldova’s Ministry of Energy warned of impending gas price hikes and supply interruptions, creating further anxiety ahead of winter.
The actors behind Operation MiddleFloor are suspected to be aligned with Russian interests. Evidence points to a group of Russian-speaking individuals who have previously been linked to disinformation campaigns across Europe, including the 2023 NATO summit in Lithuania and the Spanish general elections.
Read more on election interference: Cyber Insecurity and Misinformation Top WEF Global Risk List
Moldovan officials have confirmed the falsity of many of these documents and warned citizens of the ongoing campaign.
Authorities have been working to trace the origins of these email-based attacks, which, while less widespread than social media campaigns, present unique challenges due to their private nature.
“Lying Pigeon likely uses their campaigns to distribute infostealer malware and collect sensitive information for future targeted attacks,” CPR warned.
“This dual approach of combining disinformation with information harvesting underscores the sophisticated and multifaceted nature of Lying Pigeon’s operations, making them a critical threat actor to monitor in the ongoing struggle to protect democratic integrity and ensure cybersecurity in Europe.”