Elisabeth Braw is a senior fellow at the Atlantic Council, the author of the award-winning “Goodbye Globalization” and a regular columnist for POLITICO. Over the past two years, state-linked Russian hackers have repeatedly attacked Liverpool City Council — and it’s not because the Kremlin harbors a particular dislike toward the port city in northern England. Rather, these attacks are part of a strategy to hit cities, governments and businesses with large financial losses, and they strike far beyond cyberspace. In the Gulf of Finland, for example, the damage caused to undersea cables by the Eagle S shadow vessel in December incurred costs adding up to tens of millions of euros — and that’s just one incident. Russia has attacked shopping malls, airports, logistics companies and airlines, and these disruptions have all had one thing in common: They have a great cost to the targeted companies and their insurers. One can’t help but feel sorry for Liverpool City Council. In addition to looking after the city’s half-million or so residents, it also has to keep fighting Russia’s cyber gangs who, according to a recent report, have been attacking ceaselessly: “We have experienced many attacks from this group and their allies using their Distributed Botnet over the last two years,” the report noted, referring to the hacktivist group NoName057(16), which has been linked to the Russian state. “[Denial of Service attacks] for monetary or political reasons is a widespread risk for any company with a web presence or that relies on internet-based systems.” Indeed. Over the past decades, state-linked Russian hackers have targeted all manner of European municipalities, government agencies and businesses. This includes the 2017 NotPetya attack, which brought down “four hospitals in Kiev alone, six power companies, two airports, more than 22 Ukrainian banks, ATMs and card payment systems in retailers and transport, and practically every federal agency,” as well as a string of multinationals, causing staggering losses of around $10 billion. More recently, Russia has taken to targeting organizations and businesses in other ways as well. There have been arson attacks, including one involving Poland’s largest shopping mall that Prime Minister Donald Tusk subsequently said was definitively “ordered by Russian special services.” There have been parcel bombs delivered to DHL; fast-growing drone activity reported around European defense manufacturing facilities; and a string of suspicious incidents damaging or severing undersea cables and even a pipeline. The costly list goes on: Due to drone incursions into restricted airspace, Danish and German airports have been forced to temporarily close, diverting or cancelling dozens of flights. Russia’s GPS jamming and spoofing are affecting a large percentage of commercial flights all around the Baltic Sea. In the Red Sea, Houthi attacks are causing most ships owned by or flagged in Western countries to redirect along the much longer Cape of Good Hope route, which adds costs. The Houthis are not Russia, but Russia (and China) could easily aid Western efforts to stop these attacks — yet they don’t. They simply enjoy the enormous privilege of having their vessels sail through unassailed. The organizations and companies hit by Russia have so far managed to avert calamitous harm. But these attacks are so dangerous and reckless that people will, sooner or later, lose their lives. There have been arson attacks, including one involving Poland’s largest shopping mall that Prime Minister Donald Tusk subsequently said was definitively “ordered by Russian special services.” | Aleksander Kalka/Getty Images What’s more, their targets will continue losing a lot of money. The repairs of a subsea data cable alone typically costs up to a couple million euros. The owners of EstLink 2 — the undersea power cable hit by the Eagle S— incurred losses of nearly €60 million. Closing an airport for several hours is also incredibly expensive, as is cancelling or diverting flights. To be sure, most companies have insurance to cover them against cyber attacks or similar harm, but insurance is only viable if the harm is occasional. If it becomes systematic, underwriters can no longer afford to take on the risk — or they have to significantly increase their premiums. And there’s the kicker: An interested actor can make disruption systematic. That is, in fact, what Russia is doing. It is draining our resources, making it increasingly costly to be a business based in a Western country, or even a city council or government authority, for that matter. This is terrifying — and not just for the companies that may be hit. But while Russia appears far beyond the reach of any possible efforts to convince it to listen to its better angels, we can still put up a steely front. The armed forces put up the literal steel, of course, but businesses and civilian organizations can practice and prepare for any attacks that Russia, or other hostile countries, could decide to launch against them. Such preparation would limit the possible harm such attacks can lead to. It begs the question, if an attack causes minimal disruption, then what’s the point of instigating it in the first place? That’s why government-led gray-zone exercises that involve the private sector are so important. I’ve been proposing them for several years now, and for every month that passes, they become even more essential. Like the military, we shouldn’t just conduct these exercises — we should tell the whole world we’re doing so too. Demonstrating we’re ready could help dissuade sinister actors who believe they can empty our coffers. And it has a side benefit too: It helps companies show their customers and investors that they can, indeed, weather whatever Russia may dream up.

MILAN — Nothing about the sand-colored façade of the palazzo tucked behind Milan’s Duomo cathedral suggested that inside it a team of computer engineers were building a database to gather private and damaging information about Italy’s political elite — and use it to try to control them.   The platform, called Beyond, pulled together hundreds of thousands of records from state databases — including flagged financial transactions and criminal investigations — to create detailed profiles on politicians, business leaders and other prominent figures.  Police wiretaps recorded someone they identified as Samuele Calamucci, allegedly the technical mastermind of the group, boasting that the dossiers gave them the power to “screw over all of Italy.”  The operation collapsed in fall 2024, when a two-year investigation culminated in the arrests of four people, with a further 60 questioned. The alleged ringleaders have denied ever directly accessing state databases, while lower-level operatives maintain they only conducted open-source searches and believed their actions were legal. Police files indicate that key suspects claimed they were operating with the tacit approval of the Italian state.  After months of questioning and plea bargaining, 15 of the accused are set to enter their pleas at the first court hearing in October.   The disclosures were shocking, not only because of the confidentiality of the data but also the high-profile nature of the targets, which included former Prime Minister Matteo Renzi and Ignazio La Russa, co-founder of the ruling Brothers of Italy party and president of the Senate.  The scandal underscores a novel reality: that in the digital era, privacy is a relic. While dossiers and kompromat have long been tools of political warfare, hackers today, commanded by the highest bidder, can access information to exploit decision-makers’ weaknesses — from private indiscretions to financial vulnerabilities. The result is a political and business class highly exposed to external pressures, heightening fears about the resilience of democratic institutions in an era where data is both power and liability.  POLITICO obtained thousands of pages of police wiretap transcripts and arrest warrants and spoke with alleged perpetrators, their victims and officials investigating the scheme. Together, the documents and interviews reveal an intricate plot to build a database filled with confidential and compromising data — and a business plan to exploit it for both legal and illegal means.  On the surface, the group presented itself as a corporate intelligence firm, courting high-profile clients by claiming expertise in resolving complex risk management issues such as commercial fraud, corruption and infiltration by organized crime.   Banca Mediolanum, said it had paid “€3,000 to Equalize to gather more public information regarding a company that could have been the subject of a potential deal, managed by our investment bank.” | Diego Puletto/Getty Images Prosecutors accuse the gang of compiling damaging dossiers by illegally accessing phones, computers and state databases containing information ranging from tax records to criminal convictions. The data could be used to pressure and threaten victims or fed to journalists to discredit them.  The alleged perpetrators include a former star police investigator, the top manager of Milan’s trade fair complex and several cybersecurity experts prominent in Italy’s tech scene. All have denied wrongdoing.  SUPERCOP TURNED SUPERCROOK  When the gang first drew the attention of investigators in the summer of 2022, it was almost by accident.  Police were tracking a northern Italian gangster when he arranged a meeting with retired police inspector Carmine Gallo at a coffee bar in downtown Milan. Gallo, a veteran in the fight against organized crime, was a familiar face in Italy’s law enforcement circles. The meeting raised suspicions, and authorities put Gallo under surveillance — and inadvertently uncovered the gang’s wider operations.  Gallo, who died in March 2025, was a towering figure in Italian law enforcement. He helped solve high-profile cases such as the 1995 murder of Maurizio Gucci — carried out by the fashion mogul’s ex-wife Patrizia Reggiani and her clairvoyant — and the 1997 kidnapping of Milanese businesswoman Alessandra Sgarella by the ‘ndrangheta organized crime syndicate.  Yet Gallo’s career was not without controversy. Over four decades, he cultivated ties to organized crime networks and faced repeated investigations for overstepping legal boundaries. He ultimately received a two-year suspended sentence for sharing official secrets and assisting criminals.  When he retired from the force in 2018, Gallo illegally carted off investigative material such as transcripts of interviews with moles, mafia family trees and photofits, prosecutors’ documents show. His modus operandi was to tell municipal employees to “get a coffee and come back in half an hour” while he photographed documents, he boasted in wiretaps.  Still, Gallo’s work ethic remained relentless. In 2019, he co-founded Equalize — the IT company that hosted the Beyond database — with his business partner Enrico Pazzali, presenting the firm as a corporate risk intelligence company.  Gallo’s years as a police officer gave him a unique advantage: He could leverage relationships with former colleagues in law enforcement and intelligence to get them to carry out illegal searches on his behalf. Some of the information he obtained was then repackaged as reputational dossiers for clients, commanding fees of up to €15,000.  Gallo also cashed in his influence for favors, such as procuring passports for friends and acquaintances. Investigators recorded conversations in which he bragged of sourcing a passport for a convicted mafioso under investigation for kidnapping, who planned to flee to the United Arab Emirates.  The supercop-turned-supercriminal claimed that Equalize had a full overview of Italian criminal operations, extending even to countries like Australia and Vietnam.  When investigators raided the group’s headquarters, they found thousands of files and dossiers spanning decades of Italian criminal and political history. The hackers even claimed to have — as part of what they called their “infinite archive” — video evidence of the late Prime Minister Silvio Berlusconi’s so-called bunga bunga parties, which investigators called “a blackmail tool of the highest value.”   Enrico Pazzali cultivated close ties to right-wing politicians, including Attilio Fontana, president of the Lombardy region, and maintained a close association with high-level intelligence officials. | Alessandro Bremec/Getty Images Gallo’s sudden death of a heart attack six months into the investigation stirred unease among prosecutors. They noted that while an initial autopsy found no signs of trauma or injection, the absence of such evidence does not necessarily rule out interference. Investigators have ordered toxicology tests.  ‘HANDSOME UNCLE’  Gallo’s collaborator Pazzalli, a well-known businessman who headed Milan’s prestigious Fondazione Fiera Milano, the country’s largest exhibition center, was Equalize’s alleged frontman.  Pazzali, through his lawyer, declined to comment to POLITICO about the allegations.  The Fiera, a magnet for money and power, made Pazzali a heavy hitter in Milanese circles. Having built a successful career across IT, energy and other sectors, and boasting a full head of steely gray hair, he was known to some by the nickname “Zio Bello,” or handsome uncle.   Pazzali cultivated close ties to right-wing politicians, including Attilio Fontana, president of the Lombardy region, and maintained a close association with high-level intelligence officials. He would meet clients in a chauffeur-driven black Tesla X, complete with a blue flashing light on the roof — the kind typically reserved for high-ranking officials.  Since 2019, Pazzali held a 95 percent stake in Equalize. If Gallo’s role was sourcing confidential information, Pazzali’s was winning high-profile clients, the prosecutors allege. Leveraging his reputation and political connections, he helped secure business from banks, industrial conglomerates, multinationals, and international law firms, including pasta giant Barilla, the Italian subsidiary of Heineken, and energy powerhouse Eni.   Documents show that Eni paid Equalize €377,000. Roberto Albini, a spokesperson for the energy giant, told POLITICO that the firm had commissioned Equalize “to support its strategy and defense in the context of several criminal and civil cases.” He added that Eni was not aware of any illegal activity by the company.  Marlous den Bieman, corporate communications manager for Heineken, said the brewer had “ceased all collaboration with Equalize and is actively cooperating with authorities in their investigation of the company’s practices.”  Barilla declined to comment.  Italy’s third-largest bank, Banca Mediolanum, said it had paid “€3,000 to Equalize to gather more public information regarding a company that could have been the subject of a potential deal, managed by our investment bank.” The bank added, “Of course we were not aware that Equalize was in general conducting its business also through the adoption of illicit procedures.”  The group’s reach extended beyond Italy. In February 2023, it was hired by Israeli state intelligence agents in a €1 million operation to trace the financial flows from the accounts of wealthy individuals to the Russian mercenary network Wagner. In exchange, the Israelis promised to hand over intelligence on the illicit trafficking of Iranian gas through Italy — a commodity that, they suggested, might be of interest to Equalize’s client, the energy giant Eni.  Equalize rapidly grew into a formidable private investigation operation. Police reports noted that Pazzali recognized data as “a weapon for enormous economic and reputational gains,” adding, “Equalize’s raison d’être is to provide … Pazzali with information and dossiers to be used for the achievement of his political and economic aims.”  During the 2023 election campaign for the presidency of the Lombardy region, Pazzali ordered dossiers on close affiliates of former mayor of Milan, Letizia Moratti, who was challenging his preferred candidate, the far-right Fontana.  Prime Minister Matteo Renzi warned of a deeper political risk associated with the gang. | Vincenzo Nuzzolese/Getty Images A spokesman for Fontana called the allegation “science-fiction” and said “nothing was offered to the president of the region, he did not ask for anything, and he certainly did not pay anything.”   In 2022, Pazzali was in the running to manage Italy’s 2026 Winter Olympics as chief executive. Wiretaps suggested he ordered a dossier on his competitor, football club AC Milan’s Chairman Paolo Scaroni, but found nothing on him.  Business was booming, but Pazzali and Gallo were thinking ahead. They had become reliant on cops willing to leak information, and those officers could be spooked — or caught in the act. That was a vulnerability.  They started to envisage a more sophisticated operation: a platform that collated all the data the group had in its possession and could generate the prized dossiers with the click of a button, erasing the need for bribes and cutting manpower costs — a repository of high-level secrets that, once operational, would give Pazzali, Gallo, and their team unprecedented power in Italy.  Pazzali declined to comment on the investigation. He is due to plead before a judge at a preliminary hearing in October. ‘THE PROFESSOR’ AND THE BOYS   Enter Samuele Calamucci, the coding brain of the operation.  Calamucci is from a small town just outside Milan, and before he began his career in cybersecurity, he was involved in stonemasonry.   Unlike his partners Gallo and Pazzali, Calamucci wasn’t a known face in the city — and he had worked hard to keep it that way. He ran his own private investigation firm, Mercury Advisor, from the same offices as Equalize, handling the company’s IT operations as an outside contractor.  Calamucci knew his way around Italian government IT systems, too. In wiretapped conversations, he claimed to have helped build the digital infrastructure for Italy’s National Cybersecurity Agency and to have worked for the secret services’ Department of Information for Security.  Known within the gang as “the professor,” Calamucci’s role was to recruit and manage a team of 30 to 40 programmers he called the ragazzi — the boys.  With his best recruits he began to build Beyond in 2022, the platform designed to be the digital equivalent of an all-seeing eye.  To populate it, Calamucci and his team purchased data from the dark web, exploited access through government IT maintenance contracts and siphoned intelligence from state databases whenever they could, prosecutors said.  Beyond gave Pazzali, Gallo, and their gang a treasure trove of compromising information on political and business figures in a searchable platform. Wiretaps indicated the plan was to sell access via subscription to select clients, including international law firm Dentons and some of the Big Four consultancies like Deloitte, KPMG, and EY. | Aleksander Kalka/Getty Images In one police-recorded conversation, Calamucci boasted of a hard drive holding 800,000 dossiers. Through his lawyer, Calamucci declined to comment.  “We all thought the requested reports served the good of the country,” said one of the hackers, granted anonymity to speak freely. “Ninety percent of the reports carried out were about energy projects, which required open-source criminal records or membership in mafia syndicates, given that a large portion concerned the South.” Only 5 percent of the jobs they carried out were for individuals to conduct an analysis of enemies or competitors, he added.  The hackers were also “not allowed to know” who was coming into Equalize’s office from the outside. Meetings were held behind closed doors in Gallo’s office or in conference rooms, the hacker told POLITICO, explaining that the analysts were unaware of the company’s dynamics and the people it associated with.  Beyond gave Pazzali, Gallo, and their gang a treasure trove of compromising information on political and business figures in a searchable platform. Wiretaps indicated the plan was to sell access via subscription to select clients, including international law firm Dentons and some of the Big Four consultancies like Deloitte, KPMG, and EY.  Dentons declined to comment. Deloitte and EY did not respond to a request for comment. Audee Van Winkel, senior communication officer for KPMG in Belgium, where one of the alleged gang members worked, said the consultancy did not have any knowledge or records of KPMG in Belgium working with the platform.   ‘INTELLIGENCE MERCENARIES’  In Italy’s sprawling private investigation scene, Equalize was a relative newcomer. But Gallo, Pazzali and their associates had something going for them: They were well-connected.  One alleged member of the organization, Gabriele Pegoraro, had worked as an external cybersecurity expert for intelligence services and had previously made headlines as the IT genius who helped capture a fugitive terrorist.  Pegoraro said he “carried out only lawful operations using publicly available sources” and “was in the dark about how the information was used.”  According to wiretaps, Calamucci and Gallo had worked with several intelligence agents to provide surveillance to protect criminal informants.   On one occasion, Calamucci explained to a subordinate that the relationship with the secret services “was essential” to continue running Equalize undisturbed. “We are mercenaries for [Italian] intelligence,” he was heard saying by police listening in on a meeting with foreign agents at his office.   The services also helped with data searches for the group and created a mask of cover for the gang, prosecutors believe. A hacker proudly claimed that Equalize had even received computers handed down from Italy’s foreign intelligence agency, while law enforcement watched from bugs planted in the ceiling.  THE PROSECUTION  In October 2024, the music stopped.  Prosecutors placed four of the alleged gang members, including Gallo and Calamucci, under house arrest and another 60 people under investigation. They brought forward charges including conspiracy to hack, corruption, illegal accessing of data and the violation of official secrets.  Franco Gabrielli, a former director of Italy’s civil intelligence services, warned that even the toughest of sentences are unlikely to put an end to the practice. | Alessandro Bremec/Getty Images “Just as the Stasi destroyed the lives of so many people using a mixture of fabricated and collected information, so did these guys,” said Leonida Reitano, an Italian open-source investigator who studied the case. “They collected sensitive information, including medical reports, and used it to compromise their targets.”  News of what the gang had done dropped like a bombshell on Italy’s political class. Foreign Minister Antonio Tajani told reporters at the time that the affair was “unacceptable,” while Interior Minister Matteo Piantedosi warned the parliament that the hackers were “altering the rules of democracy.”  The Equalize scandal “is not only the most serious in the history of the Italian Republic but represents a real and actual attack on democracy,” said Angelo Bonelli, MP and member of the opposition Green Europe.  Prime Minister Renzi warned of a deeper political risk associated with the gang. “It is clear that Equalize are very close to the leaders of the right-wing parties, and intended to build a powerful organization, although it is not yet certain how deep an impact they had,” he told POLITICO. Renzi is seeking damages as a civil plaintiff in the eventual criminal trial.  Equalize was liquidated in March, and some of the alleged hackers have since taken on legitimate roles within the cybersecurity sector.  There are many unresolved questions around the case. Investigators and observers are still trying to determine the full extent of Equalize’s ties to Italian intelligence agencies, and whether any clients were aware of or complicit in the methods used to compile sensitive dossiers. Interviews with intelligence officials conducted during the investigation were never transcribed, and testimony given to a parliamentary committee remains classified. Police documents are heavily redacted, leaving the identities of key figures and the full scope of the operation unclear.  While Equalize is unprecedented in its scale, efforts to collect information on political opponents have “become an Italian tradition,” said the political historian Giovanni Orsina. Spying and political chicanery during and after the Cold War has damaged democracy and undermined trust in public institutions, made worse by a lethargic justice system that can take years if not decades to deliver justice.   “It adds to the perception that Italy is a country in which you can never find the truth,” Orsina said.  Franco Gabrielli, a former director of Italy’s civil intelligence services, warned that even the toughest of sentences are unlikely to put an end to the practice. “It just increases the costs, because if I risk more, I charge more,” he said.   “We must reduce the damage, put in place procedures, mechanisms,” he added. “But, unfortunately, all over the world, even where people earn more there are always black sheep, people who are corrupted. It’s human nature.” 

BRUSSELS — First it was telecom snooping. Now Europe is growing worried that Huawei could turn the lights off. The Chinese tech giant is at the heart of a brewing storm over the security of Europe’s energy grids. Lawmakers are writing to the European Commission to urge it to “restrict high-risk vendors” from solar energy systems, in a letter seen by POLITICO. Such restrictions would target Huawei first and foremost, as the dominant Chinese supplier of critical parts of these systems. The fears center around solar panel inverters, a piece of technology that turns solar panels’ electricity into current that flows into the grid. China is a dominant supplier of these inverters, and Huawei is its biggest player. Because the inverters are hooked up to the internet, security experts warn the inverters could be tampered with or shut down through remote access, potentially causing dangerous surges or drops in electricity in Europe’s networks. The warnings come as European governments have woken up to the risks of being reliant on other regions for critical services — from Russian gas to Chinese critical raw materials and American digital services. The bloc is in a stand-off with Beijing over trade in raw materials, and has faced months of pressure from Washington on how Brussels regulates U.S. tech giants. Cybersecurity authorities are close to finalizing work on a new “toolbox” to de-risk tech supply chains, with solar panels among its key target sectors, alongside connected cars and smart cameras. Two members of the European Parliament, Dutch liberal Bart Groothuis and Slovak center-right lawmaker Miriam Lexmann, drafted a letter warning the European Commission of the risks. “We urge you to propose immediate and binding measures to restrict high-risk vendors from our critical infrastructure,” the two wrote. The members had gathered the support of a dozen colleagues by Wednesday and are canvassing for more to join the initiative before sending the letter mid next week.   According to research by trade body SolarPower Europe, Chinese firms control approximately 65 percent of the total installed power in the solar sector. The largest company in the European market is Huawei, a tech giant that is considered a high-risk vendor of telecom equipment. The second-largest firm is Sungrow, which is also Chinese, and controls about half the amount of solar power as Huawei. Huawei’s market power recently allowed it to make its way back into SolarPower Europe, the solar sector’s most prominent lobby association in Brussels, despite an ongoing Belgian bribery investigation focused on the firm’s lobbying activities in Brussels that saw it banned from meeting with European Commission and Parliament officials. Security hawks are now upping the ante. Cybersecurity experts and European manufacturers say the Chinese conglomerate and its peers could hack into Europe’s power grid.  “They can disable safety parameters. They can set it on fire,” Erika Langerová, a cybersecurity researcher at the Czech Technical University in Prague, said in a media briefing hosted by the U.S. Mission to the EU in September.  Even switching solar installation off and on again could disrupt energy supply, Langerová said. “When you do it on one installation, it’s not a problem, but then you do it on thousands of installations it becomes a problem because the … compound effect of these sudden changes in the operation of the device can destabilize the power grid.”  Surges in electricity supply can trigger wider blackouts, as seen in Spain and Portugal in April. | Matias Chiofalo/Europa Press via Getty Images Surges in electricity supply can trigger wider blackouts, as seen in Spain and Portugal in April. Some governments have already taken further measures. Last November, Lithuania imposed a ban on remote access by Chinese firms to renewable energy installations above 100 kilowatts, effectively stopping the use of Chinese inverters. In September, the Czech Republic issued a warning on the threat posed by Chinese remote access via components including solar inverters. And in Germany, security officials already in 2023 told lawmakers that an “energy management component” from Huawei had them on alert, leading to a government probe of the firm’s equipment. CHINESE CONTROL, EU RESPONSE  The arguments leveled against Chinese manufacturers of solar inverters echo those heard from security experts in previous years, in debates on whether or not to block companies like video-sharing app TikTok, airport scanner maker Nuctech and — yes — Huawei’s 5G network equipment. Distrust of Chinese technology has skyrocketed. Under President Xi Jinping, the Beijing government has rolled out regulations forcing Chinese companies to cooperate with security services’ requests to share data and flag vulnerabilities in their software. It has led to Western concerns that it opens the door to surveillance and snooping. One of the most direct threats involves remote management from China of products embedded in European critical infrastructure. Manufacturers have remote access to install updates and maintenance. Europe has also grown heavily reliant on Chinese tech suppliers, particularly when it comes to renewable energy, which is powering an increasing proportion of European energy. Domestic manufacturers of solar panels have enough supply to fill the gap that any EU action to restrict Chinese inverters would create, Langerová said. But Europe does not yet have enough battery or wind manufacturers — two clean energy sector China also dominates. China’s dominance also undercuts Europe’s own tech sector and comes with risks of economic coercion. Until only a few years ago, European firms were competitive, before being undercut by heavily subsidized Chinese products, said Tobias Gehrke, a senior policy fellow at the European Council on Foreign Relations. China on the other hand does not allow foreign firms in its market because of cybersecurity concerns, he said. The European Union previously developed a 5G security toolbox to reduce its dependence on Huawei over these fears. It is also working on a similar initiative, known as the ICT supply chain toolbox, to help national governments scan their wider digital infrastructure for weak points, with a view to blocking or reduce the use of “high-risk suppliers.” According to Groothuis and Lexmann, “binding legislation to restrict risky vendors in our critical infrastructure is urgently required” across the European Union. Until legislation is passed, the EU should put temporary measures in place, they said in their letter.  Huawei did not respond to requests for comment before publication. This article has been updated.

LONDON — Late last month, British intelligence, alongside allies like the United States, called out government-linked Chinese companies for a global campaign of cyber attacks. It was the latest step in a decade-long diplomatic dance. Britain only attributes cyber attacks to four countries: Iran, Russia, North Korea and China — known as the “Big Four.” Three are deemed hostile states, and Britain has an uneasy relationship with the latter. But these are are not the only countries that hack, sell hacking technology, or turn the other cheek to groups breaching devices and infrastructure in the U.K. Some are allies — but they have their blushes spared. Calling out allies in public remains a risky move when ministers and officials are in a race to sign trade deals and strengthen relations across the globe. At the same time, Britain is trying to place itself at the forefront of efforts to hold back the spyware arms race, as countries look to buy commercial cyber expertise and technology to hack neighbors, enemies and partners. This leaves Britain increasingly at odds with the U.S., which is now looking to utilize spyware it had previously blocked. POLITICO spoke to cybersecurity and intelligence figures from inside the U.K. government and the private sector to map which of Britain’s strategic allies are involved in the proliferation of cyber attacks — and how the U.K. is struggling to clamp down on a lucrative global industry. Some were granted anonymity to speak about sensitive national security matters. FLOODGATES OPEN In 2013, Edward Snowden, a former contractor for America’s National Security Agency (NSA), blew open the previously secretive world of Western digital surveillance and hacking. In leaking thousands of classified documents, he revealed that the Five Eyes intelligence partnership — which includes Britain and America — had spied on allies including France, Germany, the EU and the United Nations. In the decade since, other nations have been playing catch-up, with tech companies providing the ammunition for states wanting to rival Western nations that had been hacking for years. As the rest of the world started hacking back, Britain’s allies took the unprecedented step of calling out those it suspected of committing cyber attacks against them. In 2014, the Barack Obama administration in the U.S. put its head over the parapet to attribute a cyber attack to China. “The first time we were told about the U.S. attribution of 2014, privately the British government thought the Americans had gone mad and that it was really risky,” one former senior intelligence official told POLITICO. In 2013, Edward Snowden, a former contractor for America’s National Security Agency (NSA), blew open the previously secretive world of Western digital surveillance and hacking. | Jörg Carstensen/Picture Alliance via Getty Images “[It was thought] it wouldn’t achieve anything and it might get us into trouble and that they [China] might start arresting people. As it turns out, the Americans were right and we were wrong,” they said, adding: “I don’t think there’s a shred of evidence that any Western country has come to any harm as a result of attribution.” It took Britain until 2018 to start pointing the finger publicly — this time at Russia — while countries such as France did not take this step until earlier this year. The U.K.’s process for attribution involves a two-step judgment, whereby intelligence officials prepare an assessment for a minister when a cyber attack is thought, to a very high degree of confidence, to have come from a nation threat. It is then up to the minister to publicly call out the activity or not. The rationale for naming the origin of an attack is, in part, a comms exercise: “If you’re representing the British government in public and there’s been a major nation state cyber attack, and you’re not prepared to say who it was, then you look either incompetent or duplicitous,” the same former intelligence official said. They noted that although the Russians “don’t seem to care” whether Britain publicly calls them out, China does. “Let’s say, for example, that things were pretty tense with China, and we wanted to de-escalate — we might choose not to do an attribution purely for policy reasons.” Earlier this year in Manchester, officials from Britain’s National Cyber Security Centre (NCSC) — an arm of the GCHQ digital intelligence agency — were asked in a briefing whether there are nation state threats outside of the Big Four that Britain now sees as a developing threat. After a deep pause, one senior NCSC official replied in the affirmative. “Obviously states do procure capability and there are other state threats out there,” they said. “It would be odd if I said there weren’t.” They declined, however, to name any of these states. ‘EVERYONE’S PRETTY SURE IT EXISTS’ Though cyber activity from the Big Four is thought to make up the majority of hostile activity in Britain, it’s not the full picture. “That these four are the only ones that are repeatedly attributed is, for me, a real problem,” said James Shires, a cybersecurity academic and researcher, adding: “That means that most of the public conversation implies that those are the only actors, and that’s just not the case.” In fact, close allies make up some of these cyber powers, with leaked information often stepping in to fill the information void. In the 2010s, researchers claimed to have traced a piece of malware known as “Babar” back to French intelligence, while a hacking group called Careto was thought to have been linked to the Spanish government. “When you have allied, friendly, non-intelligence partnership states that you have good diplomatic relations with doing this kind of activity, there’s no way they’re going to be publicly outed,” Shires added. Hacking and cyber intrusion has uses for the Big Four beyond simply snooping on Britain and its allies. Backdoors into government and commercial networks can provide key information about dissidents, activists and political opponents who have fled a regime — and these four states are not the only ones with overseas critics. India, though a sometimes close ally of Britain, has been called out for its cyber activity by Canada, Britain’s intelligence partner in the Five Eyes partnership. Last year, Canada’s spy agency accused India of tracking and surveilling activists and dissidents, as well as stepping up attacks against government networks. This year it went further and accused India of foreign interference. Britain’s approach to India has been different, choosing diplomacy with joint schemes like a Technology Security Initiative. Lindy Cameron — the former head of the NCSC — has been placed as the British High Commissioner to India. In the Middle East, Israel has become one of the most prominent players in international espionage, with cyber a core component of its intelligence arsenal.  Though it has long avoided admitting it has conducted offensive cyber operations, researchers have suggested Israel played a role in hacking the venue for Iran’s nuclear negotiations. More recently, the conflict with Iran has given the world a glimpse into the capabilities of the Israeli state and state-aligned hacktivist groups. “For Israeli cyber espionage in the U.K., it’s one of those things where everyone’s pretty sure it exists, but there’s no clear indication of it,” Shires said. A 2022 report by the Citizen Lab research centre in Canada claimed that between 2020 and 2021 there were multiple infections of “Pegasus” spyware — created and sold by the Israeli company NSO Group — on U.K. government devices. | Omar Marques/Getty Images The same former intelligence official quoted previously said that “even in the current circumstances” of tricky relations with Israel, it would be “improbable to foresee a British government attributing a cyber operation” to them. They added that though Canada accused India of interference, Britain would have to “judge that case and its merits” for any similar activity in U.K. cyberspace. Despite the emergence of new top-level cyber nations, experts told POLITICO that the main driver for future threats to the security of U.K. citizens and infrastructure comes from the private sector, through the selling of sophisticated spyware technology. Shires said: “The big concern from the U.K. is not just cyber operations run directly by states. It’s not just which state has developed their own internal capability, but where they are relying on third parties to deliver that for them.” He noted that spyware companies have given rise to a “far wider set of states having access to capabilities because they don’t need to make the investment to develop their own internal capabilities, they can buy in a point, click and compromise service that they can then use to target whoever they want.” Melissa DeOrio, who leads cyber threat intelligence at cybersecurity and corporate intelligence consultancy S-RM, added: “It is very challenging to know exactly what capabilities lie in what countries, which are independent actors hacking of their own volition for financial opportunity, versus what activity is done either in favor of the state or ignored by the state and enabled by them in some way.” POINT, CLICK, COMPROMISE An explosion in hacking technology from private companies with explicit or implied state backing means the threat to countries — including Britain — can be harder to pinpoint. Sophisticated attacks are no longer just the domain of countries with established cyber capability. Britain’s NCSC has previously revealed that at least 80 countries have purchased commercial spyware — although it did not name them. Last year, researchers at the Atlantic Council think tank mapped spyware vendors around the world, covering 42 different countries and 435 entities in its data set. They identified three major clusters in Israel, India and Italy. Jen Roberts, associate director of the Cyber Statecraft Initiative at the Atlantic Council, told POLITICO: “All three of these jurisdictions have pretty permissive environments with more or less state involvement in some fashion. The Indian cluster is the most common for a ‘hack-for-hire’ market. The Italian cluster has the oldest history of spyware. The Israeli cluster is the biggest chunk and probably the most well known, and most capable. “The U.S. and the U.K. are two of the largest investors into this market, but a lot of these firms often target diplomats and citizens of the U.S. and the U.K.” Nayana Prakash, a research fellow at the Chatham House think tank, said a “large pool of very talented tech professionals, very low labor costs and big underground market for hacking services” has meant that “there’s loads of things in India that you can get done if you know the right people.” “For groups to thrive in a country like India, or Russia, there has to be some level of the state being somewhat lax in enforcing certain laws,” she added. Shires added: “These companies would say their technology is always for national security, law enforcement and serious crime purposes. Their opponents will say this generally turns out to be journalists, dissidents and political opposition.” A 2022 report by the Citizen Lab research centre in Canada claimed that between 2020 and 2021 there were multiple infections of “Pegasus” spyware — created and sold by the Israeli company NSO Group — on U.K. government devices. These included people in both Downing Street and the Foreign Office, with operators of the spyware linked to the UAE, India, Cyprus and Jordan. The Council of Europe said Pegasus is known to have been sold to at least 14 EU countries. It took Britain until 2023 to call this out. “There’s a lot of hesitance against attribution, because it’s such a big step, and because it throws your cards on the table,” Chatham House’s Prakash said. NSO has long asserted that its technology is sold “for the sole purpose of fighting crime and terror.” STOPPING THE ARMS RACE In February, France and Britain convened a high-level meeting in Paris. It was the second such meeting to discuss the Pall Mall Process — an international effort led by the two nations which aimed at clamping down on the “proliferation and irresponsible use” of spyware and other commercial cyber intrusion capabilities. It established a code of practice and a joint declaration for countries that signed up to it — but it remains a voluntary scheme with limited engagement from the same threats it is seeking to curtail. The 24 countries that have signed up to its code of practice do not include Israel, India or nations such as the UAE that have been accused of using spyware irresponsibly. Similarly, none of the major spyware vendors are represented. A summary report by the organisers ahead of the meeting — emblazoned with “NOT UK/FRANCE GOVERNMENT POLICY” — spoke of the risks of the sector without highlighting any country or company involved in the use of spyware. The same former U.K. intelligence figure quoted earlier said that managing to get two permanent members of the United Nations Security Council to host a major event on the issue is “better than nothing,” but it has proven “very hard to get any country anywhere to act against malicious cyber actors on their own territory.” James Shires said the optics of having major players in cyber espionage dictating what other countries can do has likely limited participation in the initiative. “You have these major states that not only have their own domestic capabilities, but also have a commercial industry, and they want to control access to that industry around the world.” One major signatory, the United States, has also used its economic and diplomatic muscle to go much further than a non-binding declaration of allies. In 2021 the U.S. blacklisted NSO’s Pegasus alongside other Israeli, Russian and Singaporean spyware companies. In 2023, then-President Joe Biden signed an executive order to ban federal agencies from using spyware which could pose a risk to American security. The U.S. government followed this up a year later by threatening to impose visa restrictions on individuals involved in commercial spyware misuse and sanctions against the Intellexa Consortium. “These are all pretty blunt, effective actions,” Shires said. “The U.K. could have done all of that, but hasn’t. The U.S. is such a big market, so it can move on its own and have a big impact where the U.K. perhaps can’t.” However, the new administration under Donald Trump has rowed back some of these moves, amid a renewed appetite for domestic surveillance tools. Agents with the U.S. Immigration and Customs Enforcement will have access to technology from Israeli company Paragon Solutions, after its contract was halted to comply with U.S. spyware rules. Paragon has previously come under scrutiny by the Italian government.  The Atlantic Council’s Jen Roberts said: “Right now, the U.K. and the French are being looked at as the leaders in the future, as the new U.S. administration figures out its stance on this policy issue, though we’ve seen some positive signaling, like the U.S. being a signatory on the Pall Mall Process Code of Conduct.” GHCQ and NCSC were contacted to contribute to this piece. The U.K. government has a long-standing policy of not commenting on intelligence matters.

The Bulgarian government on Thursday reversed course as it clarified it had no evidence that Russia jammed GPS signals to European Commission President Ursula von der Leyen’s plane when it landed at a local airport on Sunday — despite initially making the claim itself.  On Thursday, Bulgarian Prime Minister Rosen Zhelyazkov told parliament that the Commission president’s plane had not been disrupted but had only experienced a partial signal interruption, the kind typically seen in densely populated areas.  “After checking the plane’s records, we saw that there was no indication of concern from the pilot. Five minutes the aircraft hovered in the waiting area, with the quality of the signal being good all the time,” he told lawmakers.  The prime minister had previously said the disturbance was due to unintended consequences of electronic warfare in the Ukrainian conflict.  Deputy Prime Minister and Transport Minister Grozdan Karadzhov, also denied there was evidence of disruption to the GPS signal of the Commission president’s flight.  “According to empirical data, according to the radio detection, the records of our agencies, civilian and military, there is not a single fact supporting the claim to silence the GPS signal that affected the plane,” Karadzhov told Bulgarian broadcaster bTV on Thursday.  On Monday, the Financial Times reported that a Commission-chartered plane on a tour of “front-line states” in Europe reportedly lost access to GPS signals while approaching Bulgaria’s Plovdiv airport. The correspondent who was on the plane wrote that the aircraft landed using paper maps and quoted an official saying it circled the airport for an hour. Brussels and Sofia were quick to blame Russia, calling it “blatant interference.”  The incident made headlines across Europe and prompted reactions from U.S. President Donald Trump, NATO’s Secretary-General Mark Rutte and other top officials. In past days, analysts have questioned the details of the incident, pointing to flight-tracking data revealing that the GPS signal was never lost and that the plane’s landing was only delayed by nine minutes. Public data also showed the same aircraft had experienced GPS jamming the day before over the Baltics — but not in Bulgaria. European Commission spokesperson Arianna Podestà on Thursday said the institution was informed by Bulgarian authorities of GPS jamming, echoing a press release shared by the country’s governent authorities on Monday. “We have never been speaking of the targeting ourselves and I was very clear in saying that we had no informationin this sense. But we are extremely well aware that this is a matter that occurs in our skies and in our seas on a constant manner since the start of the war and therefore this is why its important to tackle it together with our member states,” she told reporters at a briefing in Brussels.

LONDON — British and allied spy agencies on Wednesday accused a host of Chinese tech companies of helping the Beijing government conduct an “unrestrained campaign” of cyber attacks around the world. The National Cyber Security Centre (NCSC) – a part of Britain’s GCHQ intelligence agency — published details of three China-based companies that it said were linked to state-sponsored attacks against Western critical infrastructure. These attacks, the agency said, overlap with campaigns known as “Salt Typhoon” — a sprawling hacking and espionage campaign believed to be run by China’s Ministry of State Security MSS, the country’s foreign intelligence service. Salt Typhoon’s activities have previously been described by Ciaran Martin, the first head of NCSC, as “China doing a ‘Snowden’ to America,” by accessing vast amounts of U.S. communications data through a “strategic spying operation of breathtaking audacity.” The companies — Sichuan Juxinhe Network Technology Co Ltd, Beijing Huanyu Tianqiong Information Technology Co, and Sichuan Zhixin Ruijie Network Technology Co Ltd — were named by Britain alongside 12 other countries’ intelligence agencies, including partners in the Five Eyes intelligence tie-up such as the United States. The NCSC said malicious cyber activity linked to these companies had “targeted nationally significant organizations around the world” since 2021. Targets included government, telecommunications, transportation and military infrastructure. The British spy agency added that a “cluster of activity” had been observed in the U.K. Britain and its allies alleged on Wednesday that these companies “provide cyber-related products and services to China’s intelligence services, including multiple units in the People’s Liberation Army and Ministry of State Security.” They added that the data stolen through telecommunications, internet and transportation services can help Chinese intelligence track targets’ communications and movements around the world. In 2024, the U.S. was hit by one of the worst cyberattacks in its history after China was able to get access to mobile data related to millions of Americans by burrowing inside major U.S. providers including Verizon, AT&T and Lumen. The New York Times reported ahead of the 2024 election that this included data from phones used by now-President Donald Trump and his Vice President JD Vance. Richard Horne, the NCSC’s chief executive, said in a statement that his agency was “deeply concerned by the irresponsible behavior” of the companies named, who had “enabled an unrestrained campaign of malicious cyber activities on a global scale.” Earlier this month Dan Jarvis, the U.K. government’s security minister, told POLITICO that hackers and hostile states could face repercussions including retaliatory cyber attacks for targeting British institutions.

Russian basketball player Daniil Kasatkin was arrested in France on a hacking charge at the request of the United States. U.S. authorities believe Kasatkin negotiated payoffs for a ransomware ring that hacked around 900 companies and two federal government entities in the U.S., demanding money to end their attacks, according to a report from AFP. Kasatkin, who was arrested on June 21, denies the allegations. His lawyer, Frédéric Bélot, told POLITICO that Kasatkin is a “collateral victim of that crime” because he bought a second-hand computer with malware.  “He’s not a computer guy,” Bélot said. “He didn’t notice any strange behavior on the computer because he doesn’t know how computers work.” A French court denied Kasatkin bail on Wednesday, and he remains in jail awaiting formal extradition notification from U.S. authorities, according to Bélot. Kasatkin had traveled to France to visit Paris with his fiancée and was detained shortly after arriving at the airport. He played collegiate basketball briefly at Penn State, then four seasons for the Moscow-based MBA-MAI team. Bélot said Kasatkin’s physical condition has deteriorated in jail, which he argued is harming his athletic career. Joshua Berlinger contributed to this report. 

The organizations representing critical networks that keep the lights on, the water running and transportation systems humming across the U.S. are bracing for a possible surge of Iranian cyberattacks. Virtually every critical infrastructure sector is on high alert amid a deepening conflict between Iran and Israel, though no major new cyber threat activity has been publicly reported so far. As these groups proactively step up their defenses, it’s unclear whether Washington is coordinating with them on security efforts — a change from prior moments of geopolitical unrest, when federal agencies have played a key role in sounding the alarm. “Iranian cyber activity has not been as extensive outside of the Middle East but could shift in light of the military actions,” said John Hultquist, chief analyst for Google Threat Intelligence Group. As the conflict evolves — and particularly if the U.S. decides to strike Iran directly — “targets in the United States could be reprioritized for action by Iran’s cyber threat capability,” he said. During previous periods of heightened geopolitical tension, U.S. agencies, including the Cybersecurity and Infrastructure Security Agency, stepped up to warn the operators of vital U.S. networks about emerging threats. Ahead of Russia’s full-scale invasion of Ukraine in 2022, CISA launched its “Shields Up” program to raise awareness about potential risks to U.S. companies emanating from the impending war. Anne Neuberger, who served as deputy national security adviser for cyber and emerging tech at the White House under President Joe Biden, coordinated with CISA and other agencies, including the Office of the Director of National Intelligence, to support critical infrastructure sectors before Russia attacked Ukraine. She stressed that the government is crucial in helping these companies step up their defenses during a crisis. “The government can play a very important role in helping companies defend themselves, from sharing declassified intelligence regarding threats to bringing companies together to coordinate defenses,” Neuberger said. “Threat intel firms should lean forward in publicly sharing any intelligence they have. ODNI and CISA should do the same.” Spokespersons for CISA, the White House and the National Security Council did not respond to requests for comment on increasing concerns that cyber adversaries could target U.S. critical networks. Beyond federal resources, thousands of the nation’s critical infrastructure operators turn to information sharing and analysis centers and organizations, or ISACs, for threat intelligence. The Food and Ag-ISAC — whose members include the Hershey Company, Tyson and Conagra — and the Information Technology ISAC — whose members include Intel, IBM and AT&T — put out a joint alert late last week strongly urging U.S. companies to step up their security efforts to prepare for likely Iranian cyberattacks. In a joint statement from the groups provided to POLITICO on Monday, the organizations cautioned that even if no U.S.-based companies were directly targeted, global interconnectivity meant that “cyberattacks aimed at Israel could inadvertently affect U.S. entities.” ISACs for the electricity, aviation, financial services, and state and local government sectors are also on alert. Jeffrey Troy, president and CEO of the Aviation ISAC, said that in the past, companies in the aviation sector had been impacted by cyberattacks disrupting GPS systems, and that as a result, “our members remain in a constant state of vigilance, sharing intelligence in real time and collaborating on prevention, detection, and mitigation strategies.” Andy Jabbour, founder and senior adviser for the Faith-Based Information Sharing and Analysis Organization, said his organization is monitoring potential efforts by Iranian-linked hackers to infiltrate the websites of U.S. religious groups or spread disinformation. Jabbour said his organization is working with the National Council of ISACs on scanning for these threats, and noted that the council had stood up a program following the first strikes by Israel on Iran late last week to monitor for specific threats to U.S. infrastructure. The National Council of ISACs did not respond to a request for comment on whether they are preparing for evolving Iranian threats. Concerns about attacks on U.S. critical infrastructure linked to conflicts abroad have grown in recent years. Following the Oct. 7, 2023, attack on Israel by militant group Hamas, Iranian government-linked hacking group Cyber Av3ngers hacked into multiple U.S. water facilities that were using Israeli-made control panels. The intrusions did not disrupt water supplies, but they served as a warning to utility operators about devices that could be easily hacked and potentially targeted first in a cyber conflict with Iran. “If anti-Israeli threat actors make good on any claim of impacting critical infrastructure at this time … they’re going to look for the low-hanging fruit, easily compromised devices,” said Jennifer Lyn Walker, director of infrastructure cyber defense at the Water ISAC. Walker said that while her team has not yet detected any enhanced threats to member groups since last week, the Water ISAC would be sending out an alert this week, encouraging organizations to stay vigilant. “We don’t want to cause any undo panic, but for those members that aren’t already watching and aren’t already vigilant, we definitely want to amplify the message that the potential exists,” Lyn Walker said. Some of these groups noted that the lack of federal support so far in preparing for Iranian cyberattacks may be due to widespread changes across agencies since President Donald Trump took office. CISA, the nation’s main cyber defense agency, is expected to lose around 1,000 employees, and many of its programs have been cut or put on pause, including funding for the organization that supports the ISACs for state and local governments. CISA has also been without Senate-confirmed leadership since former Director Jen Easterly departed in January. “CISA is in a state of transition,” Jabbour said, noting that while “CISA is still accessible,” there had been no outreach to strengthen defenses against Iranian hackers since tensions erupted last week. It isn’t a complete blackout. Lyn Walker said that the Water ISAC has “received reporting from DHS partners who are striving to maintain continuity of operations and valuable information sharing during this challenging time.” There could also be another reason for the less visible federal response: “Shields Up” advisories are still available from 2022, when CISA worked with organizations to prepare for an onslaught of Russian cyberattacks tied to the war in Ukraine. Kiersten Todt, who served as chief of staff at CISA when the program was stood up, said that its legacy has heightened awareness of potential cyber pitfalls across the nation’s critical operations. “Because the [cyber] threat is so serious, all of those things ended up sustaining,” Todt, current president of creative company Wondros, said. “That ‘Shields Up’ mentality has now become part of the culture of critical infrastructure.” The enhanced level of vigilance reflects concerns that the threats from Iran could change quickly. Jabbour noted that a lot is in the hands of Trump as he weighs how heavily to assist Israel. “The next 24-48 hours will be interesting in that sense, and his decisions and his actions could certainly influence what we see here in the United States,” Jabbour said.

Eleven Western countries have accused a notorious Russian military intelligence hacking group of targeting defense, transport and tech firms involved in helping Ukraine. The United States, the United Kingdom, Germany, the Czech Republic, Poland, Australia, Canada, Denmark, Estonia, France and the Netherlands on Wednesday released a joint statement on the Russian state-sponsored campaign, which targeted organizations involved in the “coordination, transport, and delivery of foreign assistance to Ukraine.” The countries said Unit 26165 of the Russian military intelligence service — known in the cybersecurity world as “Fancy Bear” — had carried out the campaign for more than two years using a variety of tactics including targeted scam emails and stolen passwords. Russian hackers involved in the campaign have gone after government organizations and private companies in the defense, transport, maritime, air traffic management and IT sectors, they said.  Organizations from those industries based in Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine and the U.S. were targeted, according to Wednesday’s statement.  The Western countries explicitly linked the cyber campaign to Russia’s war in Ukraine, saying the attacks ramped up after February 2022.  As Russian forces “failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, Unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid,” they said.  Multiple Russian hacking groups increased their activity at that time, but Unit 26165 focused on espionage — including targeting internet-connected cameras at Ukrainian border crossings and at least one organization involved in railway industrial control systems — the Western countries said Wednesday.  Unit 26165 was previously sanctioned by the EU for hacking the German Bundestag in 2015. It has also been tied to hacks of the U.S. Democratic National Committee in 2016 and of email accounts belonging to then-Chancellor Olaf Scholz’s Social Democratic Party in 2022 and 2023.  More recently, France accused it of orchestrating cyberattacks on President Emmanuel Macron’s 2017 election campaign.

A Russian hacker group attacked several Romanian government and presidential candidates’ websites on Sunday as the country votes for its next president, Romanian news outlet G4media reported. The attack, by the group known as DDOSIA/NoName057, hit the website of the Romanian Constitutional Court, the main government portal, the Romanian foreign ministry site and the websites of four presidential candidates. The candidate websites attacked included Crin Antonescu, who is backed by Romania’s governing parties, and Bucharest Mayor Nicușor Dan, who is running as independent, according to a list provided by the National Cybersecurity Directorate, G4media reported.  The Cybersecurity Directorate did not immediately respond to a request for more information. The hackers claimed responsibility for the cyberattack on their Telegram channel, listing the websites of the ministries for internal affairs and justice among the targets, Romanian TV channel Digi24 reported. The attack was through the distributed denial of service (DDoS) method, which overwhelms the target with a flood of internet traffic. The Cybersecurity Directorate said that all websites the hacker group listed were operational as of 2 p.m. local time, adding a Star Wars reference: “May the Force be with you,” according to a post on Facebook. The attack came as Romanians are voting in the first round of a presidential election re-do. The country’s top court canceled the initial round last year over allegations of illegal campaigning by the winner of that round, little-known ultranationalist Călin Georgescu, and potential Russian influence.  There were more than 85,000 cyberattacks against Romania’s election IT system in the day of the election last November and after, according to Romanian declassified intelligence documents.