Operation MiddleFloor: Disinformation campaign targets Moldova ahead of presidential elections and EU membership referendum - Check Point Research

By stcpresearch


Beginning in early August, Check Point Research observed a cyber-enabled disinformation campaign primarily targeting Moldova's government and education sectors. Acting ahead of Moldova's elections on October 20, attackers behind this campaign likely seek to foster negative perceptions of European values and the EU membership process in addition to Moldova's current pro-European leadership, with the intent of influencing the outcome of the upcoming fall elections and national referendum.

Following the start of the Russian-Ukrainian war, Moldova, a former Soviet republic, was granted EU candidate status in 2022. A nationwide referendum will be held on October 20, 2024, simultaneously with the presidential election, to determine whether the constitution should be amended to reflect the citizens' desire for EU membership. Incumbent president Maia Sandu is actively campaigning for EU membership.

In this blog, we analyze the techniques used by the threat actors, whom we track as Lying Pigeon, in their disinformation campaign in Moldova and provide an overview of their different activity clusters in other parts of Europe in the last few years.

According to CERT Polska, the actor it tracks as APT-UNK2, which overlaps substantially with Lying Pigeon, was also responsible for distributing infostealers in Poland and staging fake websites.

Operation MiddleFloor is an anti-European and anti-government disinformation campaign targeting Moldova that relies primarily on email to distribute its messages and to gather additional data from its targets. This approach is noteworthy because it diverges from the more common strategy seen in disinformation campaigns such as the infamous Operation Doppelganger, which created fake versions of news websites, published misleading articles spreading pro-Russian narratives, and leveraged social media to reach large audiences quickly.

By using email-based communications, the operation can target individuals directly. Given the private nature of email, monitoring and counteracting the disinformation effectively becomes more difficult. Emails that appear to originate from trustworthy sources seem more legitimate to recipients, which enhances the credibility of the disinformation and makes it easier for individuals to interact with it by clicking links, providing information, or entering personal details, and thereby to engage with the threat actors' infrastructure.

Despite these advantages, the reach of email-based campaigns is limited, as emails rarely go viral compared to content shared on social media platforms. Additionally, the infrastructure behind email communications is more traceable, allowing authorities to track down the sources of disinformation more efficiently and take appropriate action against them.

One of the first waves in this campaign, which occurred in early August 2024, involved the distribution of a fake PDF document aimed at Moldovan civil servants and individuals in state positions.

The document, allegedly sent by the European Commission, outlines the measures and rules that Moldovan officials must comply with once the nation becomes a member of the European Union, including:

While this document is falsified and does not reflect any actual requirements for EU members or candidate countries, its last page provides a fake email address in the name of a genuine European Commission expert and a feedback form (both hosted on the same malicious domain ):

Another fraudulent document, designed to appear as if it was from the European Public Prosecutor's Office (EPPO), targets Moldovan officials, specifically those in the judicial system:

The document requests personal details and information about the commercial activities of close family members under the guise of adhering to the EU anti-corruption regulations. The data is supposed to be submitted via the form on the attacker-controlled domain impersonating EPPO, . The document is not located on the actual EPPO document repository, does not follow the EPPO document template, and contains grammatical mistakes (such as "august" written in lowercase), indicating an obvious fake.

All the fake forms have very similar code and a similar look.

The HTML of these forms loads an additional script, index.js:

which collects the following data:

It then sends this data in a POST request to and redirects the victim to a "form is successfully submitted" page.

After the data is submitted to the server, it returns a JSON response that indicates the data was successfully sent to a Telegram bot with the name and the title :

The data gathered about the victim's environment is not highly detailed. Still, combined with the personal information provided in the form, it could facilitate more targeted attacks, potentially including drive-by attacks. The threat actors may also exploit the victim's susceptibility to follow-up spear-phishing, especially since the victim has already interacted with their infrastructure.

Some other pages of these sites, such as the main page, redirect the visitor to the actual legitimate site but log the visitor's data:

The script is always the same (sha256: ); it collects the user-agent, IP address data, and the current URL visited, and posts the collected data to :

The response to this request contains yet another JSON message indicating successful interaction, this time with another Telegram Bot:

It is evident that the threat actors have distinct notifications (and distinct Telegram bots) for victims who submitted the form and for any curious users (or researchers) who visit other pages.
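Both the form's index.js and the redirect-page logger described above follow the same shape: read a few browser properties, POST them to the attacker's server, and have that server hand back the raw reply it received from the Telegram Bot API. The following Python is an added example for triaging a captured page script and a captured server response; it is not the report's tooling and not the actors' script. find_collection_indicators flags a script that reads environment properties and sends them out, and parse_telegram_echo recognises a response that is a verbatim Telegram sendMessage reply and pulls the bot username and chat title out as pivot indicators. The reply shape it expects (ok/result/from/chat) is the documented Bot API format and is an assumption here, since the report only states that the JSON names a bot and a title; the script and JSON in the block are constructed samples.

```python
"""Triage helpers for the collect-and-relay pattern described above.

Added example, not code from the report and not the actors' index.js.
- find_collection_indicators(): flags a page script that reads browser
  environment properties and POSTs them somewhere.
- parse_telegram_echo(): recognises a server reply that is a verbatim
  Telegram Bot API sendMessage response (assumed shape: ok/result/from/chat)
  and extracts the bot username and chat title as pivot indicators.
The sample script and sample response below are constructed for this example.
"""
import json
import re

# Browser properties a collector typically reads; the list is illustrative.
ENV_PROBES = {
    "user_agent": r"navigator\.userAgent",
    "language":   r"navigator\.language",
    "platform":   r"navigator\.platform",
    "screen":     r"screen\.(?:width|height|colorDepth)",
    "timezone":   r"getTimezoneOffset\(\)|Intl\.DateTimeFormat",
    "url":        r"(?:location|document)\.(?:href|URL)",
    "referrer":   r"document\.referrer",
}
# Ways the script can ship the data out.
EXFIL_PATTERNS = [
    r"""fetch\(\s*['"][^'"]+['"]\s*,\s*\{[^}]*method\s*:\s*['"]POST['"]""",
    r"""\.open\(\s*['"]POST['"]""",          # XMLHttpRequest
    r"""navigator\.sendBeacon\(""",
    r"""\$\.(?:post|ajax)\(""",              # jQuery
]

def find_collection_indicators(script: str) -> dict:
    """Return which environment probes appear and whether the script POSTs out."""
    probes = sorted(name for name, rx in ENV_PROBES.items() if re.search(rx, script))
    posts_out = any(re.search(rx, script, re.S) for rx in EXFIL_PATTERNS)
    # Two or more probes plus an outbound POST is the pattern worth a closer look.
    return {"probes": probes, "posts_out": posts_out,
            "suspicious": posts_out and len(probes) >= 2}

def parse_telegram_echo(body: str):
    """Return bot/chat indicators if `body` is a relayed Telegram sendMessage reply, else None."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("ok") is not True:
        return None
    result = data.get("result") or {}
    sender, chat = result.get("from") or {}, result.get("chat") or {}
    if not sender.get("is_bot"):          # a real Bot API reply always names the bot
        return None
    return {"bot_username": sender.get("username"),
            "bot_name": sender.get("first_name"),
            "chat_id": chat.get("id"),
            "chat_title": chat.get("title"),
            "chat_type": chat.get("type")}

# Constructed samples (not captured from the campaign).
SAMPLE_SCRIPT = """
var d = {ua: navigator.userAgent, lang: navigator.language,
         scr: screen.width + 'x' + screen.height, url: location.href};
fetch('/api/send', {method: 'POST', body: JSON.stringify(d)})
  .then(function () { location.href = '/success.html'; });
"""
SAMPLE_RESPONSE = json.dumps({
    "ok": True,
    "result": {"message_id": 42,
               "from": {"id": 1, "is_bot": True, "first_name": "Feedback",
                        "username": "feedback_form_bot"},
               "chat": {"id": -100, "title": "form results", "type": "supergroup"},
               "date": 0, "text": "..."},
})

if __name__ == "__main__":
    print(find_collection_indicators(SAMPLE_SCRIPT))
    print(parse_telegram_echo(SAMPLE_RESPONSE))
```

The script check is a heuristic and assumes readable JavaScript; obfuscated collectors need deobfuscation first. The response check is the more durable indicator: a relay that returns the raw Bot API reply leaks the bot's username and the chat title, both of which can be pivoted across other kits and submissions in proxy or sandbox logs.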

In early September, several organizations and institutions in the Republic of Moldova, including those from the education sector, received an email with an alleged "resolution" from the Ministry of Labor and Social Protection, with information about "changes in the migration policy."

Translation of the email:

The attached fake document contains content about "strengthening measures to attract migrants from the Middle East to compensate for the losses on the labor market due to the large migration flow from Moldova." Among other claims, it states that the percentage of migrants in every organization must be at least 30%, that new mosques will be built in every region of the country, and that a simplified process for obtaining citizenship will be implemented for migrants employed by Moldovan companies. Moldovan officials confirmed that the document is fake.

Another troubling issue being exploited by the threat actors is the topic of gas prices for the upcoming winter. In mid-September, an email claiming to be from the Ministry of Energy stated that gas prices would increase and that planned interruptions to the natural gas supply would occur during the winter:

Translation:

The Ministry of Energy has already reported this message as disinformation. Despite attempts to make the emails appear legitimate, the threat actors confused the name of the Ministry of Energy's General Secretary, Andrei Grițco, with that of its State Secretary, Cristina Pereteatcu.

Among the emails sent by the threat actors, some lacked attachments. One of these emails impersonated a member of the European Commission Cabinets using the spoofed domain and was sent to more than 80 recipients at one of the most prestigious universities in Europe:

The email claims to promote a pro-European message, using the current president, Maia Sandu, as a source of inspiration, but spreads disinformation about European education values and standards. For example, deliberately lowering student grades to encourage academic growth is not accepted in European education policy or discourse. The email also features false restrictions on job opportunities for low-performing students and misleading requirements for working abroad within the EU. All these claims contradict the EU's education policies, which prioritize equity, inclusion, and fairness.

The second wave of disinformation emails targeting employees of education institutions was sent on September 24 from a fake email domain impersonating the Moldovan Ministry of Education and Research. The emails contained a PDF titled ("Regarding the approval of the EU Ambassador Program"). The PDF included a picture of the alleged official order from the Ministry, with content focused primarily on topics such as sex education and non-binary genders in the context of educational institutions' integration into the European Union.

The email mentioned above about European education values was written in English yet contains some structural errors that suggest it was translated from another language. These include phrases such as "has already addressed to you" and "instill tolerance to all genders", which are likely literal translations of those phrases from Russian.

The email's first numbered point, which addresses gender equality, refers to "toilets for the middle floor", a phrase that does not make sense in English. This is a literal translation from the Russian phrase "туалеты для среднего пола", meaning gender-neutral toilets.

Another argument supporting the Russian-speaking origins of Lying Pigeon is the metadata of the two PDF documents purportedly sent by European institutions.

Both list for Language metadata, meaning that the document was created using a Russian-language locale or regional setting. The document metadata also lists UTC+3 as the time zone. A segment of the Moldovan population speaks Russian, and in August the Moldovan time zone corresponds to UTC+3 because of daylight saving time; in addition, parts of Russia, Belarus, and some other countries in Eastern Europe, the Middle East, and Africa are in the UTC+3 time zone.
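Reading those two fields from a suspect PDF takes only a few lines. The following Python is an added example, not the report's tooling: it scans a PDF's raw bytes for the catalog /Lang entry and the Info dictionary's /CreationDate, parses the PDF date string including its time-zone offset, and reports the offset in hours. The embedded PDF is constructed for this example, and its ru-RU language tag and +03'00' offset are illustrative values chosen to match the report's description, not the campaign documents' actual metadata.

```python
"""Read the locale and time-zone evidence from a PDF's raw bytes.

Added example, not the report's tooling. Scans for the catalog /Lang entry
and the Info dictionary's /CreationDate, and parses the PDF date string
(D:YYYYMMDDHHmmSSOHH'mm') including its UTC offset. The sample PDF is
constructed here; its values are illustrative.
"""
import re
from datetime import datetime, timedelta, timezone

# PDF date string; every component after the year is optional.
_PDF_DATE = re.compile(
    rb"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"   # date and time
    rb"([+\-Z])?(\d{2})?'?(\d{2})?'?")                        # offset sign, hours, minutes

def parse_pdf_date(raw: bytes):
    """Return an aware datetime (naive if the string carries no offset), or None."""
    m = _PDF_DATE.search(raw)
    if not m:
        return None
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    if sign is None:
        tz = None                        # offset unknown, as the spec allows
    elif sign == b"Z":
        tz = timezone.utc
    else:
        delta = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        tz = timezone(-delta if sign == b"-" else delta)
    return datetime(int(y), int(mo or 1), int(d or 1),
                    int(h or 0), int(mi or 0), int(s or 0), tzinfo=tz)

def _literal(pdf: bytes, key: bytes):
    """Value of `/Key (...)` as text; plain literal strings only (hex strings are not handled)."""
    m = re.search(rb"/" + key + rb"\s*\(([^)]*)\)", pdf)
    return m.group(1).decode("latin-1") if m else None

def pdf_locale_indicators(pdf: bytes) -> dict:
    """Collect language tag, producer, creation time and its UTC offset in hours."""
    created_raw = _literal(pdf, b"CreationDate")
    created = parse_pdf_date(created_raw.encode("latin-1")) if created_raw else None
    offset = created.utcoffset() if created is not None else None
    return {
        "lang": _literal(pdf, b"Lang"),
        "producer": _literal(pdf, b"Producer"),
        "created": created,
        "utc_offset_hours": offset.total_seconds() / 3600 if offset is not None else None,
    }

# Constructed minimal PDF; the values are illustrative, not from the campaign files.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Lang (ru-RU) >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Producer (Example Producer) "
    b"/CreationDate (D:20240805134512+03'00') >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for k, v in pdf_locale_indicators(SAMPLE_PDF).items():
        print(f"{k}: {v}")
```

Two caveats when running this against real files: if the Info dictionary sits inside a compressed object stream, the strings are hex-encoded, or the language is recorded only in the XMP packet (dc:language, xmp:CreateDate), this byte scan misses it and a real PDF parser is needed; and, as the report itself notes, a UTC offset narrows the author's region without identifying it.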

Over the course of Operation MiddleFloor, the threat actors used a few domain name registrars to register the domains that spoof European and Moldovan entities:

All the domains and IP addresses used in this campaign are interconnected, enabling us to attribute these seemingly different techniques and messages to the same operation.

All the servers used in this campaign can be classified into two categories:

The threat actors use Mailcow, an open-source mail server suite, to host their own mail servers, which gives them anonymity and greater flexibility in managing and scaling their operations.

We determined that this cluster likely belongs to the same threat actors responsible for the MiddleFloor operation due to the following reasons:

Based on these domains and their pivots, we identified a few additional clusters of Lying Pigeon's previous activity. We suspect that the domains that resolve to a specific IP address and have both an SPF record and an MX record pointing to that same IP were likely meant to send spoofed emails.
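The pivot just described (A record, MX target and SPF record all pointing at the same self-hosted server) is easy to automate once the records are in hand. The following Python is an added example, not the report's tooling: given a locally constructed record set (the domains and addresses are placeholders, not campaign indicators), it expands each domain's SPF record into the networks it authorizes, resolves its MX target within the same record set, and flags a domain as a likely sender only when the address it resolves to, its MX target, and its SPF all agree. A domain whose SPF is `v=spf1 -all` (receive-only, or simply parked with a mail exchanger) is not flagged even if its A and MX coincide, and likely senders are then grouped by the server they share.

```python
"""Flag look-alike domains set up to *send* mail, not just receive it.

Added example, not the report's tooling. The record set is an offline,
constructed stand-in for DNS answers (placeholder domains and addresses);
with live DNS the same logic applies to the answers a resolver returns.
Record-set shape: {name: {"A": [ip, ...], "MX": [(pref, host), ...], "TXT": [str, ...]}}
"""
import ipaddress

def parse_spf(txt_records):
    """Return the SPF record's mechanism list (qualifiers kept), or [] if no SPF record."""
    for txt in txt_records:
        if txt.lower().startswith("v=spf1"):
            return txt.split()[1:]
    return []

def _a_records(name, zone):
    return zone.get(name, {}).get("A", [])

def spf_authorized_nets(domain, zone):
    """Expand ip4:, a and mx mechanisms into networks using only the local record set.
    include:/redirect= point off-zone and would need live lookups, so they are skipped."""
    nets = set()
    recs = zone.get(domain, {})
    for mech in parse_spf(recs.get("TXT", [])):
        mech = mech.lstrip("+-~?").lower()          # the qualifier does not matter here
        if mech.startswith("ip4:"):
            nets.add(ipaddress.ip_network(mech[4:], strict=False))
        elif mech == "a":
            nets.update(ipaddress.ip_network(ip) for ip in recs.get("A", []))
        elif mech == "mx":
            for _, host in recs.get("MX", []):
                nets.update(ipaddress.ip_network(ip) for ip in _a_records(host, zone))
    return nets

def sending_profile(domain, zone):
    """A, MX-target and SPF-authorized addresses, plus the address all three share (if any)."""
    recs = zone.get(domain, {})
    a_ips = set(recs.get("A", []))
    mx_ips = {ip for _, host in recs.get("MX", []) for ip in _a_records(host, zone)}
    nets = spf_authorized_nets(domain, zone)
    shared = {ip for ip in a_ips & mx_ips
              if any(ipaddress.ip_address(ip) in net for net in nets)}
    return {"a": a_ips, "mx": mx_ips, "spf_nets": nets,
            "shared_ip": shared, "likely_sender": bool(shared)}

def cluster_by_server(zone):
    """Group likely-sender domains by the server address they share: the infrastructure pivot."""
    clusters = {}
    for domain in zone:
        for ip in sending_profile(domain, zone)["shared_ip"]:
            clusters.setdefault(ip, set()).add(domain)
    return clusters

# Constructed record set (placeholder names under .test, documentation address ranges).
ZONE = {
    "ministry-example.test": {
        "A": ["203.0.113.10"], "MX": [(10, "mail.ministry-example.test")],
        "TXT": ["v=spf1 ip4:203.0.113.10 mx -all"]},
    "mail.ministry-example.test": {"A": ["203.0.113.10"]},
    "eppo-example.test": {                      # second spoof sharing the same mail server
        "A": ["203.0.113.10"], "MX": [(10, "mail.ministry-example.test")],
        "TXT": ["v=spf1 a -all"]},
    "parked-example.test": {"A": ["198.51.100.7"]},   # no MX, no SPF
    "receive-only.test": {                      # MX present but SPF authorizes nobody
        "A": ["198.51.100.20"], "MX": [(10, "mx.receive-only.test")],
        "TXT": ["v=spf1 -all"]},
    "mx.receive-only.test": {"A": ["198.51.100.20"]},
}

if __name__ == "__main__":
    for ip, domains in cluster_by_server(ZONE).items():
        print(ip, sorted(domains))
```

The heuristic deliberately ignores include: and redirect= mechanisms, since a spoofing domain that delegates SPF to a third-party sender is a different (and noisier) pattern from the self-hosted Mailcow setup the report describes; if you extend it with live resolution, cap the recursion, as SPF evaluators do, to avoid being led through an attacker-controlled include chain.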

The 32nd formal meeting of the heads of state and governments of the thirty-one members of the North Atlantic Treaty Organization, their partner countries, and the European Union, was held in Vilnius, Lithuania, on July 11-12, 2023. This cluster of domains was observed within a short time frame around the event.

The Spanish general election to elect members of the Congress of Deputies and the Senate, which together make up the country's parliament, was held on July 23, 2023. Pivoting on existing domains and IP addresses, this cluster of activity includes the following domains, all of which existed around the election date:

The last two domains were observed as part of a disinformation campaign discovered by QuoIntelligence. This campaign was targeting Russian-speaking communities in Spain the day before the elections with Telegram messages that linked to a fake website mimicking the website of the Community of Madrid. The fake website contained a warning from the Ministry of Interior about a planned series of attacks by the ETA, a Basque separatist organization. The message encouraged recipients to skip voting in the elections to avoid risking their lives. QuoIntelligence researchers also noted that the campaign used fewer delivery methods (e.g., no email-based vectors or massive social media campaigns) to spread the message. We suspect that the first domain in this cluster, comunicacion-presidencia-gov[.]es, which contains MX records pointing to the mail server at the same time, might have been used for email-based attacks, but as of now do not have any firm evidence.

The Economic Forum took place from September 5-7, 2023, in Karpacz. It attracted over 5,400 participants, including politicians, business leaders, and cultural figures from across Europe and other continents. The Forum featured a wide range of discussions, debates, and special sessions on crucial topics like the economy, security, and the future of Europe.

The CERT Polska report:

CERT Polska reported that the threat actor they track as APT-UNK2 carried out a campaign involving the impersonation of NASK (a Polish research and development organization, data networks operator, and internet domain name registry operator for the .pl country-level top-level domain). The campaign used the domain to distribute emails, which contained an attachment that included a PDF (md5: ) with instructions and a Dropbox link for installing malicious (md5: ). Victims' machines were infected with the Lumma Infostealer.

Other domains that didn't fit the clusters described above:

Some interesting patterns we observed:

The disinformation campaign led by Lying Pigeon represents a significant and ongoing threat to the political stability of the Republic of Moldova, particularly as the campaign seeks to influence the outcomes of both national elections and the EU membership referendum. Our investigation also connected Lying Pigeon to previous election interference activities in Spain in 2023, highlighting their persistent involvement in undermining European democratic processes. Additionally, this group has been active around major European events, such as the NATO summit and the European Economic Forum, likely using these high-profile occasions to further their disinformation efforts.

Beyond their influence operations, Lying Pigeon likely uses their campaigns to distribute infostealer malware and collect sensitive information for future targeted attacks. This dual approach of combining disinformation with information harvesting underscores the sophisticated and multifaceted nature of Lying Pigeon's operations, making them a critical threat actor to monitor in the ongoing struggle to protect democratic integrity and ensure cybersecurity in Europe.

