Independent cybersecurity experts say Russian state-linked hackers have compromised multiple email accounts belonging to Serbia’s Ministry of Defence, as well as the Military Academy and the Military Medical Academy.
The group, known as “Fancy Bear” and linked by U.S. and U.K. intelligence to Russia’s GRU military intelligence agency, was identified in servers accessed by the international cybersecurity collective Ctrl Alt Intel. The experts said they gained access to the Russian hacker group’s servers in mid-March and uncovered evidence of targeted data collection from Serbian government email accounts.
Ctrl Alt Intel reported that six Ministry of Defence accounts had been compromised, with four configured to forward all incoming emails to addresses controlled by the hackers. The available data did not include timestamps, making it impossible to determine when the initial breach occurred. Ben Folland, a researcher with Ctrl Alt Intel, told Radio Free Europe/Radio Liberty the compromise may have started as early as October 2024 and that the accounts could still be under monitoring.
The Serbian Ministry of Defence did not respond to questions sent by RFE/RL on March 19 regarding the alleged breach. The attack has not been reported to the Commissioner for Information of Public Importance and Personal Data Protection, as required under Serbian law. The country’s national CERT, responsible for cyber defense and incident response, said it has no data confirming the attack.
Fancy Bear: A Decade of Cyberattacks
Fancy Bear, also known as APT28 or “Forest Blizzard,” has been active for at least 10 years and is believed to operate under the GRU. Members were named in a 2018 U.S. indictment against 12 GRU officers for hacking the Democratic National Committee and Hillary Clinton’s presidential campaign. The group has targeted governments, NGOs, technology firms, and universities across the U.S., Australia, Canada, India, Ukraine, Israel, and Japan.
One common tactic is spear-phishing, where attackers send tailored messages designed to appear legitimate to trick recipients into opening files that allow access to internal networks.
In Serbia, Ctrl Alt Intel said Fancy Bear successfully compromised six Ministry of Defence email accounts and one account each in the Military Academy and Military Medical Academy, collecting a total of 248 contacts. The hackers were able to extract contact lists, including addresses in other European defense and military institutions.
Broader Context: Russian Interest in Serbian Arms Exports
The cyberattack comes amid continued scrutiny of Serbia’s alleged arms exports to Ukraine. Russian intelligence claims that, despite Serbia’s declared neutrality, local defense companies supplied munitions to Kyiv, using intermediary countries and falsified end-user certificates.
President Aleksandar Vučić has denied some of the allegations and said a joint task force with Russian partners was established to verify the facts. The exact details of Serbian military exports remain undisclosed, and official reports on export licenses have not been published in recent years.
Regional Implications
According to Ctrl Alt Intel, Fancy Bear has targeted government and military entities in Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia, including email accounts connected to four NATO member states. The group's servers contained more than 2,800 stolen emails, over 240 sets of user data including passwords and two-factor authentication codes, and 140 accounts with silent forwarding of incoming emails. More than 11,500 email addresses were extracted, mapping extensive communication networks.


