Serbian Ministry of Defence targeted by Russian state hackers – Serbian Monitor


Traces of the Russian hacking group Fancy Bear, which US and UK government institutions link to Russia’s military intelligence service, the GRU, have been found within Serbia’s Ministry of Defence, the Military Academy and the Military Medical Academy. 

The internationally connected group of independent cybersecurity experts Ctrl Alt Intel announced that in mid-March, they managed to access folders on a server used by the Russian hacking group. 

According to the data they shared, the servers contained evidence that, among other activities, Russian hackers had been collecting data from email addresses belonging to three Serbian state institutions. 

By the time this article was published, the Serbian Ministry of Defence had not responded to enquiries from Radio Free Europe sent on Thursday, 19 March, regarding the findings that its data had been compromised. 

The cyber attack was also not reported to the Commissioner for Information of Public Importance and Personal Data Protection, as required by Serbian law. 

In a statement to Radio Free Europe, the national CERT of the Republic of Serbia, the central body responsible for prevention, protection and response to security risks in information systems, also said it had no information about this attack. 

However, the Ctrl Alt Intel report states that the data it obtained makes it possible to identify six different email accounts within the Ministry of Defence that were hacked, with the attackers also gaining access to the additional login verification protection known as two-factor authentication. 

For four of the accounts, automatic email forwarding to other addresses was set up, allowing the attackers to monitor all incoming messages, the organisation said. 

The available data does not contain timestamps, so it is not possible to determine when the initial breach occurred. 

“This could have been ongoing since October 2024. There is a possibility that these email accounts are still compromised and are continuing to forward emails to Fancy Bear addresses even now,” Ben Folland, a researcher at Ctrl Alt Intel, told Radio Free Europe. 

Who is behind the Russian hacking group Fancy Bear? 

Fancy Bear is a hacking group that has been active for at least ten years. They are known under several names, including APT28 and Forest Blizzard, as listed in the databases of the technology company Microsoft. 

The UK government’s National Cyber Security Centre assesses in its research that “APT28 is almost certainly part of the Main Intelligence Directorate (GRU) of the Russian General Staff”. 

Members of this hacking group were directly identified as GRU officers in an indictment issued by the US Department of Justice in 2018 against 12 GRU members for hacking the Democratic National Committee, the Democratic Congressional Campaign Committee and the presidential campaign of Hillary Clinton. 

According to Microsoft, this Russian hacking group typically targets governments, non-governmental organisations, IT companies and universities, with attacks recorded in the United States, Australia, Canada, India, Ukraine, Israel and Japan. 

From Serbian institutions to European military structures 

One of the methods used by this group is gaining access to information systems through so-called spear phishing. 

This involves targeted messages in which the attacker tailors communication to appear as though it comes from a trusted person or organisation, often using personal data about the victim. 

The aim is to deceive the victim into downloading a malicious file and granting access to systems, from which attackers then extract content from internal servers. 

In the case of the attack on Serbian state institutions, experts from Ctrl Alt Intel identified six compromised email accounts within the Ministry of Defence and one each from the systems of the Military Academy and the Military Medical Academy. 

A total of 248 contacts with whom these email accounts had communicated were collected. 

“From these email addresses of the Serbian Ministry of Defence, other addresses were contacted, including several within the Ministry itself, as well as European military and defence structures. Fancy Bear managed to extract contact lists from its initial targets within the Serbian Ministry of Defence to obtain this data,” explained Ben Folland of Ctrl Alt Intel. 

Interest in Serbia due to claims of arms exports to Ukraine 

In some attacks, the Fancy Bear hacking group operates in cooperation with another group known as Midnight Blizzard, as seen during the forensic analysis of a cyber attack on the Serbian non-governmental organisation Belgrade Centre for Security Policy in the autumn of last year. 

In that attack, hackers accessed part of the archive and read more than 28,000 email exchanges of the Serbian organisation, which has for nearly 25 years monitored reforms in the security sector and actively communicates with numerous European institutions. 

The governments of the United States and the United Kingdom link Midnight Blizzard to the Foreign Intelligence Service of the Russian Federation (SVR). 

Serbia was of interest to the SVR in May and June 2025, when two statements were issued sharply criticising claims that Belgrade was exporting ammunition to Ukraine. 

What data did the Russian service present? 

“According to information obtained by the SVR, Serbian defence companies, despite Belgrade’s declared ‘neutrality’, continue to supply ammunition to Kyiv. A simple scheme involving falsified end-user certificates and intermediary countries serves as a cover for these anti-Russian activities,” the Russian service said on 28 May 2025. 

The statement also listed intermediary countries and Serbian companies involved in exports, such as Jugoimport SDPR, Zenitprom, Krušik, Sofag, Reyer DTI, Sloboda and Prvi Partizan. 

At the time, Serbian President Aleksandar Vučić said he had discussed Serbian arms exports to Ukraine with Russian leader Vladimir Putin during a visit to Moscow on 9 May and had denied some of the SVR’s claims. 

“We have formed a working group together with our Russian partners to determine the facts. Some of the statements are not accurate,” Vučić said then. 

A month later, another statement from the SVR followed. 

“According to the information received, the Valjevo-based Krušik recently sold several large batches of 122 mm rocket assembly kits to the Czech company Poličské strojírny. The defence company Eling from Loznica supplied the Bulgarian company EMKO with production kits for the same rockets, as well as 120 mm mortar mines,” the Russian service stated on 23 June 2025. 

The Serbian president responded at the time by halting ammunition exports from Serbia. 

“Once we saw it appearing in Ukraine, appearing on both sides, with both sides complaining, the only way I can change something is to say that for a period of time all ammunition will go only to our barracks,” Vučić said. 

Precise data on what types and quantities of weapons and military equipment Serbia exports to Ukraine, Israel and other countries are not publicly available, and in recent years the relevant ministry has not published annual reports on issued export licences on its website. 

Who else was targeted? 

Fancy Bear successfully compromised government and military entities across Ukraine, Romania, Bulgaria, Greece, Serbia and North Macedonia, including email addresses associated with four NATO member states, according to the Ctrl Alt Intel report. 

More than 2,800 emails extracted from government and military databases were found on the hackers’ servers. Over 240 sets of user data, including passwords and two-factor authentication codes, were stolen, while every incoming email from 140 accounts was silently redirected to addresses controlled by the attackers, the report states. 

More than 11,500 email addresses were extracted from victims’ address books, mapping entire communication networks, Ctrl Alt Intel added. 

(Radio Free Europe, 24.03.2026) 

https://www.slobodnaevropa.org/a/srbija-ministarstvo-odbrane-hakerski-napad/33712900.html

 
