Spies and Antennas: The Russian Surveillance Offensive in Chisinau
Quick Hit: July 27, 2023
In the last week multiple investigative stories were reported regarding Russian spying and surveillance in Chisinau. These stories were reported by Russian investigative outlet “Insider” (operating from exile in Riga) and Moldovan network Jurnal TV. Unusually for Moldova, they have been picked up in articles by CNN, the BBC and others. This article will take a close look at the various reports and their aftermath.
Moldovan Government hit by Massive Cyber Attack ahead of the EPC Summit
Jurnal TV reported this week that the Moldovan Government suffered a massive cyber attack in the time running up to the European Political Community Summit (EPC) on June 1st. This attack involved intrusions into the networks of Parliament, the Government and the Presidency with a particular focus on the Ministry of Foreign Affairs. It involved the theft of documents, emails and correspondence across all these government bodies. According to Jurnal TV, “All the e-mails of dignitaries from the Government and the Presidency were stolen.”
Information around the planning of the summit, as well as government plans to conclude agreements with European partner countries, was stolen. Ten days prior to the summit the “Information Technology and Cyber Security Service” discovered the attack. Confidential Jurnal TV sources have reported that the Service has said that the mechanism of attack bears 95% similarity to past work of a hacker group designated by the US as APT29, also known as “Cozy Bear.” This group is operated by Russia’s Foreign Intelligence Service SVR. The infiltration was accomplished by SVR agents who hacked into government wifi networks while carrying scanning technology in backpacks and standing outside relevant buildings.
Antennas and Spies on the Roof of the Russian Embassy
At the same time as the hacking story, journalists from The Insider and Jurnal TV published a long investigative article on Russian electronic spying and surveillance equipment and personnel in Moldova. The article details an investigation that involved surveilling the roof of the Russian Embassy and other buildings on the compound, including the apartment block where the diplomats live. Journalists noted the presence of men on the roof of the building at times coinciding with major events in the country (elections, the EPC summit, etc.). Additionally, antenna arrays of various kinds have sprouted like mushrooms on top of embassy buildings, where there are now 28 various antennas installed. All Russian embassies in the world have some antennas for electronic surveillance in addition to the 1-2 antennas needed to securely communicate with the Kremlin. But the quantity in Moldova is unprecedented, with the next largest number being installed at the Russian Embassy in Brussels, which has only 17 antennas.
Here is a rundown of the types of antennas installed and the possible uses reported by The Insider after interviews with experts:
Satellite Dishes - Communications with satellites. Amplifying / intercepting local wifi signals. Intercepting satellite communications (journalists note the Thuraya sat phone network as a potential target). Also, given the right equipment, they could be used to "determine the location of ships, aircraft and guided missiles."
Yagi-Uda Antenna Arrays - Interception of local radio messages including taxis and police radios.
Broadband disk-cone transceiver antenna (ShDPPA) - Two-way “line of sight” communications up to 100 km. These have the potential to establish connections with residencies (consulates or other Russian government buildings) in Transnistria and Gagauzia. This type of radio antenna is used at all Russian embassies by the GRU (Military Intelligence), SVR and 5th Service FSB.
VHF disk-cone antennas “pins” - Used for radio direction finding.
The current signals officer at the embassy is GRU officer Alexander Vasinovich, who is regularly seen on the roof adjusting antennas. The Insider notes that his subordinate GRU officer Vitaly Renev, also regularly seen on the roof, has an unpaid 500 ruble parking ticket from 2016. The investigation identified dozens of GRU, SVR and 5th Service FSB officers active at the embassy as far back as 2015. Apparently the GRU manages the antennas on the right side of the building while the SVR manages the antennas on the left.
The Insider journalist behind the investigation, Sergei Kanev, has suggested that one of the antennas may have been used to aid in the guidance of missiles and drones used to attack Ukraine.
Lots and Lots of Spies (and their wives)
The investigation identified a number of GRU and SVR spies infiltrated into Moldova under diplomatic cover beginning with the rise of Igor Dodon as leader of the Socialists and presidential candidate in 2015. Most were specialists in radio intelligence, with some specializing in wire tapping and computer hacking. In one example, Alexander Chikurov from GRU military unit 26165 is associated with the hacker group APT28, also called “Fancy Bear.” This is the GRU unit responsible for hacking the DNC and Clinton Campaign during the 2016 American elections.
In addition to GRU and SVR rooftop snoopers, the investigation reported that the wives of the various spies make unusually frequent trips back and forth to Moscow. A source with the border police said that each of them carries 5-6 flash drives and hard drives in their personal luggage each time. It is speculated that they are exfiltrating intercepted data that is too large to send back via the other communications links.
Outside of the Embassy, SVR spies were reported to have conducted “tours” around Chisinau where they would stop their embassy vans and walk around the Government building, Parliament and SIS Headquarters with small black backpacks on. They would linger until they got a phone call and then move to another similar location. Experts suspect that the backpacks contained wifi snooping devices and they were looking for vulnerable networks. Given the massive hacks mentioned above they apparently found some.
Also this week, Romanian cybersecurity officials announced attempts by Russian agents to penetrate government buildings’ wifi networks in Bucharest. They believe these were attacks by either APT28 or APT29. One spy was arrested.
Reactions and Fallout
Following the release of the investigation the Ministry of Foreign Affairs summoned the Russian Ambassador on July 25th and released the following statement:
“The MFAEI, in cooperation with other competent institutions, analyzes the nature and extent of espionage activities, including the activities of persons mentioned in the [journalistic] investigation. We consider absolutely unacceptable any espionage and foreign interference in the internal affairs of Moldova, which pose a direct challenge and threat to the sovereignty and national security of our state.”
Also commenting on the story, President Sandu stated:
"This information is known to our special services. At the appropriate time, they will provide details and offer solutions to this problem"
Following his summoning, the Russian Ambassador made various excuses, saying that the antennas were all installed in the late 90s (a lie), and that most were rusty. He noted that none of them would be necessary if Moldova had better telephone and internet service. A particularly comical statement given Moldova’s incredibly good infrastructure in this area.
Following this meeting, the Ministry of Foreign Affairs announced plans to limit the number of Russian diplomats in the country, saying:
“In our opinion, it is very important that the diplomatic services not only of our country, but also of other states are aimed at developing good relations, and not at destabilizing our country. We have agreed with institutions and political decision-makers on the need to limit the number of Russian diplomats accredited in Moldova. This is done so that in Moldova there are fewer people involved in the destabilization of the country.”
22 Russian diplomats and 23 technical staffers have been ordered to leave Moldova by August 15th. The Ministry said that they are not being expelled or declared “persona non grata” but instead that a decision had been made to move towards diplomatic parity. Russia had around 40 diplomats in addition to technical staff in Chisinau. Moldova has only 6 diplomats in Moscow. The moves will reduce the Russian Embassy to 10 diplomats and 15 technical staff.
Note: These numbers disagree somewhat and various numbers have been reported by local outlets and different ones given by the Russian government. The bottom line is that a huge number of Russian diplomats are being removed.
In a rather tongue-in-cheek response, Head of the EU Delegation in Chisinau Janis Mazeiks took a photo of himself on the roof of the EU Delegation and posted the following statement:
“Another hot summer day in Chisinau. We checked the roof of the EU Delegation - the air conditioners are working at full capacity, there are no satellite dishes. We have so much work that we don't have time to watch TV.”
The Russian government responded with their usual claims about “unfriendly actions,” promises of unspecified retaliation, and lots of accusations of “Russophobia,” none of which bear printing here.
So What Happened?
It has been no secret that the Russian government is working hard to destabilize Moldova. It’s also no secret that Chisinau has become one of the new front line cities in the spy-games between Russia, NATO and the EU, especially following the full-scale invasion of Ukraine.
What these reports underline is the breadth of attacks and surveillance being leveraged against Moldova. Experts interviewed by Newsmaker noted that Russia has been conducting electronic surveillance from its embassies since the Cold War. They note that Moldova faces two unique vulnerabilities to this. Firstly, all critical government buildings are located very close to the Russian Embassy in downtown Chisinau. Secondly, Moldova most likely lacks sophisticated jamming equipment that would be utilized in a NATO capital. These facts, combined with the sheer amount that they managed to pack onto the roof of their compound, indicate that Russian spies are keeping a very close eye on parts of downtown Chisinau.
In the case of the cyberattacks before the EPC Summit we have one example of these snooping efforts yielding major successes for the Russians. It also says something about Moldova’s cybersecurity situation. APT28 and APT29 have attempted break-ins to almost every Foreign Ministry in Europe, NATO HQ, the White House and many more places besides. In some cases they succeeded, for example stealing French President Macron and former German Chancellor Merkel’s personal emails. These Russian hacker groups are among the world heavyweight champions of cyberattacks… and Moldova has not traditionally been very focused on cybersecurity.
Back during the Soviet times the KGB utilized specialized phone lines for communications between the various government buildings in Chisinau. These lines were buried in pipes that were filled with gas. Should the pipe be breached, alarms would sound and identify the exact location of the intrusion. Today the Moldovan government operates on email, smartphones and normal modern technology. Many people hoped that the paranoia behind those old security measures was a thing of the past. Now, Moldova is facing a wake-up call, one of many since this war started, that the country has enemies and must better protect itself, including in cyberspace.
We’ll be following this story and come back with updates as new information becomes available.
Your post answers questions I had about the possible uses of all these antennae and about how Moldova's geography might make it advantageous for Russian spying during the Ukraine war. I'm a bit worried about their apparent ability to attack individuals locally via sound waves or something; hopefully Western intelligence has figured this out despite news stories to the contrary.
(Also brings to my mind my belief ten years ago that Moldova was already completely electronically transparent to Russia because no one could afford any virus anti-programs on their PCs besides Kaspersky's "free" one.)
Excellent coverage as usual Dave. Thank you.
As to the number of Russian "Diplomats" and families to be removed: Russian president Putin has been designated as a war crimes criminal with an international arrest warrant, Russia has been internationally designated as a terrorist state, it has violated international law by invading and prosecuting an illegal war of aggression on Ukraine, it is acting as pirates (an international crime) in international waters in the Black Sea, and, directly for Moldova, funded Ilan Shor to overthrow the Moldovan government and has illegally hacked into Moldovan government systems... Why does not Moldova call back any of its diplomats from Russia and then expel all Russian "diplomats, families and spies", and shut down the embassy?