Hackers with links to Russia broke into numerous email accounts belonging to prosecutors and investigators across Ukraine in recent months, as well as military accounts from Romania, Bulgaria, Greece, and Serbia, according to data analyzed by Reuters. They reportedly compromised at least 67 email accounts of the Romanian Air Force.
The data regarding the hack was accidentally exposed on the internet by the hackers themselves and discovered by Ctrl-Alt-Intel, a collective of British and American researchers specializing in cyber threats. They said that in total, the hackers compromised at least 284 email inboxes between September 2024 and March 2026.
The operation was first described last month in a post on the Ctrl-Alt-Intel blog, then verified by Reuters and independent researchers. Most of the victims of the cyberattacks were in Ukraine, but the hackers also went after targets in Romania and other NATO countries neighboring Ukraine, and in the Balkans. More than a dozen European agencies and officials were compromised as a result.
The data showed that hackers broke into accounts managed by Ukraine’s Specialized Defense Prosecutor’s Office, a wartime body established to combat corruption and expose spies within the Ukrainian military. They also targeted the Asset Recovery and Management Agency of Ukraine (or ARMA), which oversees assets seized from criminals and Russian collaborators, as well as the Prosecutors’ Training Center in Kyiv.
In Romania, the hackers compromised at least 67 email accounts of the Romanian Air Force, including several belonging to NATO air bases and at least one account of a high-ranking military officer.
The data also showed that spies compromised 27 email inboxes managed by the Hellenic National Defense General Staff, Greece’s highest military body. Among those hacked were Greek military attachés in India and Bosnia, as well as the public email inbox of the Joint Armed Forces Mental Health Center of Greece.
In Bulgaria, hackers broke into at least four email inboxes belonging to local officials in Plovdiv, where Russian interference is believed to have disrupted satellite navigation services ahead of a visit by European Commission president Ursula von der Leyen last year.
The data also showed that spies hacked the accounts of academics and military officials in Serbia, a traditional ally of Russia.
Ctrl-Alt-Intel attributed the cyberattack campaign to the group “Fancy Bear,” one of the nicknames given to a well-known Russian military hacking team. Two researchers who independently reviewed the Ctrl-Alt-Intel analysis agreed that the hackers have links to Moscow. However, they could not confirm “Fancy Bear’s” involvement.
Speaking to Euronews Romania, reserve commander Sandu Valentin-Mateiu said that an internal investigation will determine whether this was an opportunistic attack or a targeted attack on the Romanian Air Force.
“This is yet another proof that we are dealing with a hybrid war. The leads point in one way or another toward the GRU. Most likely, it is about Unit 85 of the GRU, the 85th Main Special Service Center of the GRU (85 GTsSS). Romania is a target country,” he said.
The new information comes after Romanian president Nicușor Dan and the US Department of Justice announced that the FBI, together with several institutions from 15 states, including the Romanian Intelligence Service, had dismantled a prolonged cyberattack on sensitive infrastructure in several Western countries.
(Photo source: Famveldman|Dreamstime.com)