Back to blogs
Thumbnail - Video - Which Threat Actors are Behind DDoS Attacks on Democratic Elections.png

DDoS Attacks on Moldova’s September 2025 Elections: Real-Time Cybersecurity Analysis

Moldova is experiencing an unprecedented cyber assault that represents one of the most intensive, election-related DDoS campaigns ever documented. Let’s look at the events as they unfold, during what may be the most consequential election in Moldova’s recent history.

The cyber offensive reached critical intensity in the final hours before voting began. Government websites of the Republic of Moldova faced over 14 million cyberattack attempts on the night before the parliamentary elections, with Moldova’s Information Technology and Cyber Security Service (STISC) detecting and blocking all attempts.

 

Targeted Disruption of Core Electoral Infrastructure

The targets of the cyberattacks included:

  • Moldova’s Central Electoral Commission website
  • Government cloud service systems and process automation systems
  • Some voting stations abroad

This multi-vector targeting strategy demonstrates operational planning designed to disrupt every critical component of Moldova’s electoral infrastructure simultaneously.

 

Weaponizing Civilian Infrastructure

A particularly concerning development emerged just days before the election. Thousands of Wi-Fi routers in citizens’ homes were hacked prior to or on September 24, according to Viorel Cernauceanu, head of the Police General Inspectorate. This represents a significant endeavour in terms of DDoS planning – i.e., creating a distributed botnet from compromised home networking equipment.

The technical Implications of using compromised routers include:

  • Amplification Factor: Home routers provide distributed attack nodes across Moldova’s entire territory.
  • Attribution Complexity: Using civilian infrastructure creates legal complications for response.
  • Detection & Mitigation Evasion: Traffic appears to originate from legitimate Moldovan IP addresses.
  • Sustained Campaign Capability: Compromised routers can maintain persistent attack capability over extended periods

The defensive response has been effective despite the unprecedented attack scale. All major attacks documented during September 2025 have been successfully detected and neutralized in real-time, suggesting Moldova’s cybersecurity infrastructure has achieved a high level of operational readiness specifically for electoral protection.

 

Hybrid Warfare in Action

This campaign operates as part of a comprehensive hybrid warfare strategy currently unfolding. The technical attacks serve multiple simultaneous objectives:

  • Operational Disruption: Attempting to compromise the technical foundation of democratic participation.
  • Psychological Warfare: Creating uncertainty about electoral system reliability among voters and international observers.
  • Resource Diversion: Forcing cybersecurity teams to focus on defensive operations during critical electoral periods.
  • Narrative Construction: Providing material for questioning electoral legitimacy regardless of technical success or failure.

The selection of targets reveals a sophisticated understanding of Moldova’s electoral ecosystem vulnerabilities, focusing on critical components that ensure the integrity and functionality of the process. The Central Electoral Commission, as the nerve center, requires uninterrupted real-time functionality for election management, while government cloud services form the backend infrastructure that supports multiple electoral processes simultaneously.

Process automation systems, essential for vote counting, tabulation, and result certification, represent another key vulnerability – while overseas voting stations, which capture diaspora votes that historically favor pro-European political positions, are also highly strategic targets.

The campaign demonstrated sophisticated multi-vector coordination, executing simultaneous attacks with precise timing. Most notably, they maintained this persistent offensive for weeks without faltering.

 

Signs Point to a State-Sponsored Actor

It’s clear from the scale and coordination of these attacks that there’s a major organization behind them. You don’t see this level of sophistication without the kind of resources a nation-state can provide.

Think about it: this attack was planned out in advance by hacking routers, then launching perfectly timed attacks on multiple targets at once. What’s especially telling is how the attackers knew exactly which parts of Moldova’s election systems to hit.

 

Lessons for the Global Cybersecurity Community – Validated Defense Strategies

Moldova’s September 2025 response validates several critical defensive approaches

  • Pre-Event Preparation: Extensive advance preparation allows effective response under pressure. Know and test your DDoS defense strategies and protection layers.
  • Real-Time Detection: Advanced monitoring systems enable identification and response to attacks as they develop
  • Multi-Agency Coordination: Coordinated response across government agencies enhances defensive effectiveness

 

Emerging Threat Patterns

The current campaign reveals evolving threat methodologies. We’re seeing a dangerous shift towards the exploitation of civilian infrastructure, where common home routers are being weaponized.

This isn’t a last-minute effort. Advanced attackers lay this groundwork well in advance, quietly building their networks for the right moment. The sheer volume of these modern DDoS attacks is unlike anything we’ve seen before, and their timing is strategically chosen around elections to cause the most damage and instill fear.

 

Recommendations for Electoral Cyber defense

Based on real-time analysis of ongoing operations, several recommendations emerge:

  • Router Security: Civilian networking equipment requires enhanced security protocols and monitoring.
  • Preparation: A proactive approach to DDoS defense. This involves continuously validating that automated DDoS protection solutions are working as intended. Validation can be achieved by running continuous DDoS vulnerability testing on the entire attack surface.
  • Real-Time Response: Detection and mitigation systems must operate automatically at machine speed during peak events. Human response and mitigation vendors SLAs are not acceptable in mass attack scenarios.
  • International Coordination: Cross-border cybersecurity cooperation is essential for effective defense.

 

A New Era of Electoral Cyber Threats

As I write this, Moldova’s parliamentary elections continue under active cyber assault. The nation is currently experiencing one of the most intensive DDoS campaigns ever directed against democratic elections.

The technical success of Moldova’s defensive response represents a significant achievement for democratic cybersecurity. The ability to detect and neutralize attacks in real-time while maintaining full electoral system functionality demonstrates that effective defense against state-sponsored DDoS campaigns is possible with adequate preparation and resources.

However, the strategic implications extend far beyond Moldova’s borders. The September 2025 campaign establishes new baselines for electoral cyber warfare that democratic nations worldwide must prepare to address. The use of compromised civilian infrastructure, the unprecedented attack scale, and the precise timing coordination represent evolutionary advances in electoral cyber threats.

The ultimate test of these defensive measures will be the successful completion of the electoral process and international acceptance of the results. As this analysis is written during ongoing operations, the full scope and final outcome of the September 2025 campaign remain to be determined.

To learn more about reducing the risk of damaging DDoS downtime through continuous DDoS testing, speak with an expert.

 

Skim Summary: Moldova’s 2025 Election DDoS Attacks

  • Election Date: September 28, 2025
  • Situation: Moldova is under a sustained, highly coordinated DDoS attack directly linked to its parliamentary elections.
  • Scale: Over 14 million attack attempts on election infrastructure in one night.
  • Targets: Central Electoral Commission, government cloud services, vote tabulation systems, and overseas voting stations.
  • Tactics: Attackers hacked thousands of home Wi-Fi routers to create a national botnet.
  • Defense: Moldova successfully blocked all major attacks in real time, demonstrating high cyber resilience.
  • Strategic Context: The attack is part of a broader hybrid warfare campaign, combining disruption, psychological tactics, and disinformation.
  • Attribution: Strong indicators point to nation-state involvement due to the attack’s scale, coordination, and precision.
  • Lessons: Moldova’s response highlights the importance of preparation, automation, router security, and international cooperation.
  • Global Implication: Sets a new benchmark for election-related cyberattacks. Democracies must update defense playbooks now.

 

FAQ: DDoS Attacks on Moldova’s 2025 Election

What happened during Moldova’s 2025 election?

Moldova’s digital infrastructure was hit with an intense and sustained DDoS attack, timed to disrupt its parliamentary elections held on September 28, 2025.

What systems were targeted?

Attackers aimed at the Central Electoral Commission website, government cloud systems, election process automation systems, and some overseas voting stations.

How were home routers involved?

Thousands of citizens’ home Wi-Fi routers were hacked and used to launch attacks, making traffic appear local and harder to trace or block.

Was the attack successful?

No. Despite the scale, Moldova’s cybersecurity defenses detected and neutralized the attacks in real time, keeping critical systems operational.

Who is behind the attack?

While attribution is ongoing, the attack’s complexity and coordination strongly suggest it was carried out by a nation-state actor.

Why does this matter globally?

The DDoS campaign introduces new tactics (e.g., exploiting civilian infrastructure) and sets a precedent for future electoral cyber warfare—raising the bar for global election defense.

What can other countries learn from Moldova’s response?

Key takeaways include the need for:

  • Pre-election DDoS readiness testing
  • Automated, real-time mitigation
  • Hardening of civilian infrastructure (e.g., home routers)
  • Cross-border collaboration and intelligence sharing

Is the attack still ongoing?

Yes, as of this writing, the DDoS campaign is still active, even though the elections concluded.

Picture of Amit Morson

Amit Morson

Amit Morson, MazeBolt's VP Services, has over 20 years of experience leading technical support and professional services for Israeli startups. With knowledge and experience in IT and security, Amit has a strong technical understanding of complex tech for enterprises and analytical capabilities regarding business requirements and workflow.
View all posts by Amit Morson

Stay Updated.
Get our Newsletter*

Recent posts