Serbian Ministry of Defense Targeted by Russian State-Linked Hackers

RksNews

Traces of the Russian hacking group “Fancy Bear,” which U.S. and U.K. authorities associate with Russia’s military intelligence service GRU, have been found in the Serbian Ministry of Defense, the Military Academy, and the Military Medical Academy (VMA), Radio Free Europe reports.

The discovery was made by the independent cybersecurity group “Ctrl Alt Intel,” which accessed folders on the hackers’ servers in mid-March. Their investigation identified six Ministry of Defense email accounts that were compromised.

The Ministry of Defense did not respond to inquiries from RFE prior to publication, and the cyberattack has not been reported to Serbia’s Commissioner for Information of Public Importance and Personal Data Protection, as required under national law. The national CERT of Serbia, responsible for cyber risk prevention and response, said it has no record of the incident.

According to “Ctrl Alt Intel,” the attackers gained access to the email accounts, two-step verification protections included, and set up automatic forwarding on four accounts, allowing them to monitor all incoming correspondence. Because the data lacks timestamps, the timing of the initial attack is unclear. Researchers believe the compromise could date back as far as October 2024.

“Fancy Bear” has been active for at least a decade and is also known as “APT28” or “Forest Blizzard” in Microsoft databases. The group is widely reported to operate on behalf of the GRU, with members identified as Russian officers in a 2018 U.S. indictment for hacking the Democratic National Committee and the Hillary Clinton campaign.

The group typically targets governments, NGOs, IT firms, and universities, with attacks documented in the U.S., Australia, Canada, India, Ukraine, Israel, and Japan. One common method is spear-phishing, where attackers send tailored messages to trick recipients into opening malicious files, granting access to internal systems.

In Serbia, the attack compromised six Ministry of Defense email accounts and one each from the Military Academy and the VMA. The hackers extracted contact lists totaling 248 addresses, including domestic and European military and defense contacts.

Some operations were conducted in collaboration with the hacking group “Midnight Blizzard,” linked to Russia’s Foreign Intelligence Service (SVR). A 2025 analysis of attacks on the Belgrade Security Policy Center revealed the hackers accessed over 28,000 emails and internal archives spanning nearly 25 years of the NGO’s work monitoring security reforms and European communications.

Previous Russian SVR statements criticized Serbia in May and June 2025 for allegedly exporting ammunition to Ukraine despite official neutrality, naming several Serbian defense companies. Serbian President Aleksandar Vučić denied these claims and temporarily halted arms exports following the reports.

The “Fancy Bear” campaign has reportedly compromised government and military networks across Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia, including email accounts linked to four NATO member states. Researchers found over 2,800 emails on the group’s servers, more than 240 sets of login credentials—including two-factor codes—and redirected emails from 140 accounts, mapping over 11,500 addresses and communications networks.