Hellenic Army A.I CyberSecurity Scoring
Hellenic Army
Company Information
Website:http://www.army.gr/
Employees number:1,431
Number of followers:7,734
NAICS:92811
Industry Type:Armed Forces
Homepage:army.gr
Hellenic Army Risk Score (AI oriented)
Between 700 and 749
Hellenic ArmyArmed Forces
Updated:
18/03/2026
18/03/2026
733/1000
Moderate
Ba
Hellenic Army Global Score (TPRM)
xxxx
Hellenic ArmyArmed Forces
Score locked

Hellenic ArmyModerate
Current Score
733Ba (MODERATE)
01000
1 incidents
-23 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
736
JUNE 2026
736
MAY 2026
735
APRIL 2026
735
MARCH 2026
756
Cyber Attack
18 Mar 2026 • Hellenic Army
Greece’s National Defence General Staff, Romanian Air Force and Government of Serbia: FancyBear Server Leak Exposes Stolen Credentials, 2FA Secrets, NATO Targets
FancyBear’s OPSEC Blunder Exposes Russian Espionage Operations Targeting NATO-Aligned Governments
733
CRITICAL-23
MINHELGRE1773843944
FancyBear’s OPSEC Blunder Exposes Russian Espionage Operations Targeting NATO-Aligned Governments
A critical operational security (OPSEC) failure by the Russian state-backed threat group APT28 (FancyBear) has exposed a live command-and-control (C2) server containing stolen credentials, two-factor authentication (2FA) secrets, and detailed logs of ongoing cyberespionage campaigns. The breach, analyzed by researchers from Ctrl-Alt-Intel and Hunt.io, provides unprecedented visibility into the group’s tactics, infrastructure, and high-value targets across Europe.
### The Exposure: A Goldmine of Stolen Data
The compromised server, hosted on Namecheap infrastructure at 203.161.50[.]145, contained an open directory with:
- 2,800+ exfiltrated emails
- 240+ credential sets, including TOTP 2FA secrets
- 140+ persistent email forwarding rules
- 11,500+ harvested contact addresses
- C2 source code, payloads, and operator logs
Victims included government and military entities in Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia many of which are NATO members or closely aligned with the alliance. Targets ranged from regional Ukrainian prosecutors to the Romanian Air Force and Greece’s National Defence General Staff, aligning with Russia’s strategic focus on Ukraine-related military logistics and support.
### How the Attack Unfolded
FancyBear’s campaign leveraged Roundcube and SquirrelMail webmail vulnerabilities, exploiting cross-site scripting (XSS) flaws to deploy malicious JavaScript payloads. Key components included:
- "worker.js" family payloads: Silently stole credentials, exfiltrated entire inboxes, and harvested address books.
- keyTwoAuth.js: Targeted the twofactor_gauthenticator plugin, extracting TOTP seeds and recovery codes in base64, enabling long-term 2FA bypass.
- addRedirectMailBox.js: Abused Roundcube’s ManageSieve to create persistent email forwarding rules, ensuring continued access even if the initial XSS vector was closed.
Phishing emails directed victims to a fake Google Docs domain (docs.google.com.spreadsheets.d.1ip6eeakdebmwteh36vana4hu-glaeksstsht-boujdk.zhblz[.]com), which used a fake reCAPTCHA (ClickFix) to deliver Metasploit payloads tied to the same C2 server.
### A Rare Glimpse into APT28’s Operations
Despite prior exposure by CERT-UA in late 2024 linking the same IP to Roundcube exploitation and ClickFix phishing FancyBear continued operating from the server for nearly 500 days, into early 2026. The root cause was a basic but critical OPSEC mistake: leaving HTTP open directories exposed while staging payloads and exfiltrated data.
Telemetry from Censys and Hunt.io revealed multiple open directories on port 8889 between January and March 2026, allowing defenders to download the full toolkit, observe campaign evolution, and track operator behavior in near real time.
### Geopolitical and Defensive Implications
The victim profile reinforces APT28’s strategic targeting, focusing on nations providing military aid, training, or logistical support to Ukraine. The campaign overlaps with ESET’s "Operation RoundPress" and CERT-UA’s ClickFix advisories, further solidifying attribution to GRU-linked FancyBear.
For defenders, the incident highlights vulnerabilities in webmail platforms (Roundcube, SquirrelMail), the risks of unhardened ManageSieve integrations, and the need to monitor for indicators like 203.161.50[.]145 and zhblz[.]com. Most critically, it demonstrates that even highly resourced state actors can make simple OPSEC errors, creating rare opportunities for disruption.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
FEBRUARY 2026
756
JANUARY 2026
756
DECEMBER 2025
756
NOVEMBER 2025
756
OCTOBER 2025
756
SEPTEMBER 2025
756
AUGUST 2025
756
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Hellenic Army ??
What was Hellenic Army's A.I Rankiteo Cyber Score in June 2026 ??
What was Hellenic Army's A.I Rankiteo Cyber Score in May 2026 ??
What was Hellenic Army's A.I Rankiteo Cyber Score in April 2026 ??
What was Hellenic Army's A.I Rankiteo Cyber Score in March 2026 ??
What was Hellenic Army's A.I Rankiteo Cyber Score in February 2026 ??
What was Hellenic Army's A.I Rankiteo Cyber Score in January 2026 ??
What was Hellenic Army's A.I Rankiteo Cyber Score in December 2025 ??
What was Hellenic Army's A.I Rankiteo Cyber Score in November 2025 ??
What was Hellenic Army's A.I Rankiteo Cyber Score in October 2025 ??
What was Hellenic Army's A.I Rankiteo Cyber Score in September 2025 ??
What was Hellenic Army's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Hellenic Army's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Hellenic Army ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Hellenic Army's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?