Russian Hacker Group ‘Fancy Bear’ Found in Serbian Military Institutions

RKS NEWS

Traces of the Russian hacker group “Fancy Bear”, which U.S. and U.K. authorities link to the Russian military intelligence service (GRU), have been discovered within the Serbian Ministry of Defense, the Military Academy, and the Military Medical Academy (VMA).

Independent cybersecurity group Ctrl Alt Intel reported that in mid-March it accessed files on the Russian group’s servers. Its analysis revealed that the hackers had obtained data from the email accounts of the three Serbian state institutions.

The Serbian Ministry of Defense has not commented on the incident, and the breach has not been reported to the Commissioner for Public Information and Personal Data Protection, as required under Serbian law.

According to Ctrl Alt Intel, the hackers gained control of six email accounts in the Ministry of Defense, including their two-factor authentication. Four of the accounts had auto-forwarding enabled, allowing monitoring of all future communications. The exact timing of the attack is unclear, and some accounts may still be compromised.

Fancy Bear has been active for over a decade and is also known as APT28 or “Forest Blizzard.” According to the U.K. National Cyber Security Centre, the group is affiliated with the GRU. In 2018, twelve GRU officers were charged by the U.S. Department of Justice for cyberattacks against the Democratic National Committee and Hillary Clinton’s campaign.

The group typically targets governments, NGOs, universities, and technology companies in countries such as the U.S., Canada, Australia, India, Ukraine, Israel, and Japan.

Fancy Bear frequently uses spear phishing, sending messages disguised as coming from trusted sources to trick victims into opening malicious files and granting access to systems. From Serbia, the hackers were able to use compromised emails to contact European military institutions.

The report notes that 248 contacts were collected from the Ministry of Defense and VMA accounts, including communications with European military structures.

The Russian hackers were also interested in Serbia due to claims about arms exports to Ukraine. According to Russia’s foreign intelligence service (SVR), some Serbian companies continued to export ammunition to Ukraine using falsified documents and intermediaries.

Serbian President Aleksandar Vučić denied several SVR claims and discussed the matter with Russian President Vladimir Putin in May 2025. Following these reports, Serbia temporarily halted the export of certain munitions.