A forensic analysis has confirmed that Russian hacker groups gained unauthorized access to parts of the archive of the Belgrade Centre for Security Policy (BCSP), reading more than 28,000 email communications. The BCSP is a Serbian non-governmental organization that has been monitoring security sector reforms for nearly 25 years.
The analysis was conducted for the organization by one of the world’s largest IT companies. According to the findings, the hackers are linked to groups that the governments of the United States and the United Kingdom have previously associated with Russian intelligence and security structures.
During the attack, hackers accessed internal archives and compromised extensive correspondence of the organization, which is actively engaged with numerous European institutions.
“Our mailing list of international and domestic partners is very large,” said Igor Bandović, Director of the BCSP, speaking to Radio Free Europe/Radio Liberty (RFE/RL).
Hackers Linked to Russian Intelligence Services
Bandović stated that employee accounts at the BCSP were later used to further spread the hacking operation, which involved two Russian hacker groups.
One group is linked to Russia’s Foreign Intelligence Service (SVR), while the other is connected to Russia’s Military Intelligence Service (GRU).
According to Microsoft, both groups regularly target governments, diplomatic institutions, non-governmental organizations, and IT companies worldwide.
“Attackers use every possible method to gain access to sensitive emails, files, and messages,” said Steven Adair, Director of the U.S.-based cybersecurity company Volexity, who was also involved in analyzing the attack.
He warned that civil society organizations in Serbia will almost certainly remain targets, due to their work and expertise related to Russia, Ukraine, and European security efforts.
How the Attack Happened
“The message I received did not look suspicious in any way,” Bandović recalled.
In July last year, he received a message from a person presenting himself as Sergey Tikhanovsky, a Belarusian opposition figure and husband of exiled opposition leader Sviatlana Tsikhanouskaya.
“He proposed scheduling a video call to discuss the political situation in Southeast Europe,” Bandović explained.
According to the forensic analysis, this message was one of the key entry points for the hackers, enabling them to compromise the organization’s infrastructure and expand their operation further.
Bandović said he asked how the sender obtained his contact information and was told it came from a colleague in Romania, which gave him no immediate reason to doubt the authenticity of the communication.
The exchange took place via Signal, a messaging application known for strong privacy protections and end-to-end encryption.
Opening the Door to Hackers
The message included a link for a video call. At the scheduled time, Bandović copied the link into his web browser.
Although the video call never activated, the action granted hackers access to nearly all internal communications of the BCSP.
Bandović thus became a victim of spear phishing, a targeted attack method in which messages are carefully crafted to appear as if they come from a trusted individual or organization, often using personal information about the victim.
The goal is to trick the victim into revealing sensitive information, downloading malicious files, or enabling system access.
Four months later, in November, the Microsoft Threat Intelligence Center alerted the BCSP that it had been compromised.
A forensic investigation conducted by a major global IT company—whose identity remains confidential but is known to RFE/RL—identified two hacker groups, Midnight Blizzard and Forest Blizzard, as being behind the attack.
