Espionage or Sabotage? Why Russian Hackers Are Targeting Serbia’s Ministry of Defense

RksNews

Serbia’s Ministry of Defense, the Military Medical Academy (VMA), and the Military Academy were reportedly targeted by the Russian hacker group known as “Fancy Bear,” an organization widely linked to Russian military intelligence.

The cyberattack is believed to have been ongoing since October 2024, though it remains unclear whether it is still active or what specific objectives the attackers pursued.

According to findings cited by Radio Free Europe, traces of the group—also known as APT28—were discovered within the systems of key Serbian defense institutions. The group has been previously linked by U.S. and UK authorities to Russia’s military intelligence agency, the GRU.

The information emerged after an internationally connected group of cybersecurity experts, Ctrl Alt Intel, reportedly accessed files stored on servers used by the hackers. Their findings suggest that data, including email communications from Serbian state institutions, may have been collected.

Espionage Over Sabotage

Security analysts believe the primary objective of the operation was espionage rather than disruption. Journalist Aleksa Tešić noted that such state-backed cyber groups typically aim to monitor communications, gather intelligence, and track internal developments rather than disable infrastructure.

“Their goal was not to sabotage systems but to observe events, collect data, and monitor communication within these institutions,” he explained, adding that Serbia’s multi-vector foreign policy likely increases foreign intelligence interest.

Serbia’s position—balancing relations between East and West—may make it a particularly valuable intelligence target. Monitoring defense communications could provide insights into Belgrade’s dealings with international partners.

Security Gaps and Structural Risks

Former Defense Ministry spokesperson and MP Petar Bošković pointed to structural vulnerabilities within Serbia’s cyber defense system. He highlighted the growing role of private companies in managing critical IT infrastructure, which may limit oversight by military cybersecurity experts.

“In the past, military IT sectors had full control and continuous monitoring. Today, key segments are managed externally, creating potential security risks,” he said.

The extent of the damage depends on how deep the hackers penetrated the systems. If access was long-term, sensitive communications and classified data could have been exposed.

Geopolitics Over Friendship

Despite traditionally close ties between Belgrade and Moscow, analysts argue the attack reflects strategic interests rather than a breakdown in relations.

“Intelligence services operate based on interests, not friendships,” Bošković noted, suggesting that even allied or friendly states are not exempt from surveillance.

The incident may underscore a broader reality: Serbia’s geopolitical positioning makes it both a partner and a target.

Who Are “Fancy Bear”?

“Fancy Bear,” also known as APT28 or “Forest Blizzard,” has been active for more than a decade and is considered one of the most sophisticated state-linked cyber groups. It has been associated with numerous high-profile cyber operations worldwide, including attacks on political institutions, governments, and organizations.

In 2018, the U.S. Department of Justice indicted several members of the group—identified as officers of the GRU—for cyberattacks targeting the Democratic National Committee and the presidential campaign of Hillary Clinton.

According to Microsoft, the group frequently targets governments, NGOs, IT companies, and academic institutions across multiple regions, including North America, Europe, and Asia.

A Continuing Threat

While many details remain unknown—including what data was accessed and whether the breach is ongoing—the case highlights the persistent vulnerability of state institutions to advanced cyber espionage.

It also reinforces a key lesson in modern geopolitics: in cyberspace, alliances offer little protection when strategic intelligence is at stake.