Multiple Russia-linked influence operations (Operation Overload, Operation Undercut, Foundation to Battle Injustice, Portal Kombat/Pravda MD, MD24, and Ilan Shor–linked Evrazia) are actively pushing anti‑Sandu, anti‑PAS, and anti‑EU narratives ahead of Moldova’s September 28, 2025 parliamentary elections to undermine public trust and discourage pro‑European voting. Insikt Group assesses that there is limited evidence of electoral impact from these IOs so far, but that they pose significant risks to media integrity, diaspora turnout, and information ecosystems via impersonation, deepfakes, inauthentic networks, and coordinated amplification.
Key points
- Multiple Russia-linked IOs (Operation Overload, Operation Undercut, R‑FBI/Foundation to Battle Injustice, Portal Kombat/Pravda MD, MD24, and Ilan Shor–linked Evrazia) are campaigning to discredit President Maia Sandu, PAS, and Moldova’s EU integration ahead of the September 2025 parliamentary elections.
- Operation Overload uses impersonation, fabricated reports, static image manipulation, and deepfakes (including of government spokesperson Daniel Vodă) to create and then falsely rebut inauthentic narratives, targeting journalists and fact‑checkers as amplification vectors.
- R‑FBI (Foundation to Battle Injustice) publishes long‑form forged investigative pieces alleging corruption, trafficking, and secret decrees against Sandu that are laundered through pro‑Kremlin intermediaries (VT, ANR, EADaily) and amplified by influencers.
- Operation Undercut targets Romanian‑speaking Moldovan audiences on TikTok and other platforms with AI‑assisted avatars and hashtag hijacking to condition expectations of rigged elections, stoke war fears, and emphasize economic anxieties.
- Ilan Shor–linked networks and Evrazia operate extensive automated Facebook page clusters and paid Meta advertisements to praise Shor and attack PAS, while MD24 (likely RT‑supported) runs Russian‑language broadcast and social ads to influence Russian‑speaking Moldovans.
- Portal Kombat’s Pravda MD functions as a high‑volume aggregator laundering pro‑Kremlin content into Romanian, raising concerns about poisoning secondary sources and LLMs that ingest open web content.
- Insikt Group recommends monitoring these sources with Recorded Future, archiving content to avoid amplification, strengthening election cyber defenses, and applying content‑filtering for AI systems and takedowns for impersonation.
MITRE Techniques
- [T1499] Endpoint Denial of Service – MD24 and related actors have hosted mirror domains and used distributed infrastructure to sustain content availability and circumvent takedowns (“domains hosted across multiple IPs and mirrors to maintain broadcasting and evade blocks”).
- [T1585] Establish Accounts – Operation Undercut and the Ilan Shor Facebook networks created and used numerous fake or disposable social media accounts and auto‑generated pages (“2,167 auto‑generated Facebook pages… TikTok accounts such as ‘Bella Popescu’ and replacements after suspensions”).
- [T1609] Impair Defenses – IOs disseminated narratives to undermine trust in election integrity and institutions (“attempting to delegitimize Moldova’s electoral integrity by promoting narratives alleging electoral fraud, inflaming tensions regarding diaspora voting”).
- [T1204] User Execution – Operation Overload and Operation Undercut used social media posts and videos (including AI‑generated content) to trick users into engaging with fabricated investigative material (“videos impersonating Deutsche Welle… deepfakes impersonating government spokesperson Daniel Vodă”).
- [T1598] Phishing for Information (Credential Harvesting through messaging) – Operation Overload targeted journalists and fact‑checkers by sending spam‑like story verification requests and falsified leads (“overwhelm journalists, researchers, and fact‑checking organizations with non‑credible leads distributed through persistent, spam‑like story verification requests”).
- [T1593] Search Engine Manipulation – Portal Kombat/Pravda MD scrapes and republishes large volumes of pro‑Kremlin content to appear in open web indices and potentially influence LLMs and secondary sources (“automated news aggregator that systematically scrapes and republishes articles… concerns about poisoning secondary sources, particularly large-language models”).
- [T1202] Indirect Command and Control – Use of third‑party platforms and intermediaries (VT, ANR, influencers) to launder and amplify forged R‑FBI reporting (“R‑FBI is using secondary sources through a network of intermediaries and influencers to launder its investigations, namely via VT and ANR”).
Indicators of Compromise
- [Domain] MD24 and RT‑affiliated hosting context – moldova24[.]online, moldova-24[.]online, moldova24[.]org, moldova24[.]space (MD24 primary domains).
- [Domain] Portal Kombat / Pravda MD context – md[.]news-pravda[.]com, moldova[.]news-pravda[.]com (Pravda MD aggregator domains).
- [Domain] Foundation to Battle Injustice context – fondfbr[.]ru, vtforeignpolicy[.]com (R‑FBI primary site and republishing intermediary).
- [IP address] Hosting context – 95[.]181[.]226[.]185 and historical RT‑related IP 91[.]218[.]228[.]51 (IP space used to host MD24 and related domains).
- [Email] Disposable contact used in ads context – jasonrobertson1978[@]antimmail[.]com (contact tied to MD24/Meta political ads).
- [Social account] Operation Undercut TikTok examples – “Bella Popescu”, “dorinrobu5”, and “Gergely Dezir” (TikTok accounts posting Romanian anti‑PAS content; many suspended and replaced).
- [Social pages] Ilan Shor Facebook network context – examples of auto‑generated pages like “WealthWave Innovations” and other randomly named pages used for pro‑Shor ads (and 2,164 other similar pages identified by WatchDog.MD).
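The content-filtering recommendation above, applied to the domain indicators listed on this page, as an added example (not code from Insikt Group or Recorded Future): it refangs the defanged domains at runtime and quarantines crawled records whose source host is a listed domain or a subdomain of one, before they reach an AI ingestion or secondary-source pipeline. The record shape (`url`, `text`) and the sample records are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Defanged domain indicators copied from the list above; refanged only at runtime.
DEFANGED_DOMAINS = [
    "moldova24[.]online", "moldova-24[.]online", "moldova24[.]org",
    "moldova24[.]space", "md[.]news-pravda[.]com",
    "moldova[.]news-pravda[.]com", "fondfbr[.]ru", "vtforeignpolicy[.]com",
]

def refang(indicator):
    """Convert defanged notation (example[.]com, hxxps://) to a comparable form."""
    s = indicator.strip().lower()
    for old, new in (("[.]", "."), ("(.)", "."), ("hxxp", "http")):
        s = s.replace(old, new)
    return s

BLOCKED = frozenset(refang(d) for d in DEFANGED_DOMAINS)

def host_of(url):
    """Return the normalised hostname; accepts scheme-less and defanged URLs."""
    u = refang(url)
    if "://" not in u:
        u = "//" + u  # let urlsplit treat the leading token as the host
    try:
        return (urlsplit(u).hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return ""

def is_blocked(url):
    """True when the host is a listed domain or a subdomain of one."""
    labels = host_of(url).split(".")
    # Compare whole-label suffixes so look-alike hosts do not match.
    return any(".".join(labels[i:]) in BLOCKED for i in range(len(labels)))

def filter_corpus(docs):
    """Split crawled records into (kept, quarantined) by source URL."""
    kept, quarantined = [], []
    for doc in docs:
        (quarantined if is_blocked(doc["url"]) else kept).append(doc)
    return kept, quarantined

# Constructed sample records (hypothetical shape: url + text), not real crawl data.
SAMPLE_DOCS = [
    {"url": "hxxps://md[.]news-pravda[.]com/item-1", "text": "aggregated article"},
    {"url": "https://cdn.moldova24[.]online:8443/live", "text": "subdomain, port"},
    {"url": "https://fondfbr.ru.example.org/x", "text": "look-alike prefix"},
    {"url": "https://www.example.org/news", "text": "unrelated source"},
]
```

Quarantining rather than deleting keeps the records available for analysis, in line with the recommendation to archive content without amplifying it. Only the two `news-pravda[.]com` subdomains listed on this page are matched, not the parent domain.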
Read more: https://www.recordedfuture.com/research/russian-influence-assets-converge-on-moldovan-elections