NATO A.I CyberSecurity Scoring
NATO - Company Information
Website: http://www.nato.int
Employees: 9,204
NAICS: 92812
Industry Type: International Affairs
Homepage: nato.int
NATO Risk Score (AI oriented): 827/1000, grade A (Good), within the 800 to 849 band
Updated: 12/06/2026
NATO Global Score (TPRM): score locked
Current Score: 827 A (GOOD)
Incidents: 4
Average impact per incident: -8 points
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
June 2026: 827
May 2026: 827
April 2026: 826
March 2026: 834
Cyber Attack | 11 Mar 2026 | NATO
NATO: FancyBear Server Exposure Reveals Stolen Credentials, 2FA Secrets and NATO-Linked Targets
Score after incident: 826 | Severity: CRITICAL-8 | Incident ID: NAT1773851315
FancyBear’s Major OpSec Blunder Exposes Espionage Campaign Targeting European Governments and NATO
In a rare operational security failure, Russian state-linked hacking group FancyBear (APT28/Forest Blizzard/GRU Unit 26165) inadvertently exposed a long-running cyberespionage campaign after leaving a server unsecured for over 500 days. The breach, first detected by threat intelligence firm Hunt.io on January 13, 2026, and later analyzed by Ctrl-Alt-Intel, provided researchers with unprecedented visibility into Operation Roundish, an active campaign targeting government and military entities across Europe.
The exposed server, a NameCheap Virtual Private Server (VPS) hosted in the U.S. at IP 203.161.50.145, had been previously attributed to FancyBear by Ukraine’s CERT-UA in September 2024, yet the group continued using it without interruption. The open directory contained 2,800 exfiltrated government and military emails, 240 stolen credentials (including passwords and TOTP 2FA secrets), 140 silent email-forwarding rules, and 11,500 harvested contact addresses from victims in Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia. Notably, the stolen data included email addresses tied to four NATO member states, including NATO’s own headquarters infrastructure.
A second exposed directory, discovered by Ctrl-Alt-Intel, revealed even more sensitive material: FancyBear’s full command-and-control (C2) source code, additional JavaScript payloads, campaign telemetry logs, and further exfiltrated data. The targeting pattern aligned with geopolitical priorities, with Ukraine’s regional prosecutors (likely linked to war crimes investigations) as the largest victim group. Other high-profile targets included Romania’s Air Force, Greece’s National Defence General Staff, Serbia’s Ministry of Defence, and Bulgarian government entities, all nations involved in recent military cooperation, such as Greece’s training of Ukrainian F-16 pilots and a 2024 military mobility agreement between Romania, Bulgaria, and Greece.
The most alarming technical aspect of the campaign was FancyBear’s method for silently bypassing 2FA. Using a JavaScript module (keyTwoAuth.js), the group exploited a Roundcube webmail XSS vulnerability to extract TOTP secrets and recovery codes from authenticated sessions without victim interaction. The module parsed the twofactorgauthenticator plugin settings, encoded the stolen data, and exfiltrated it to the group’s C2 server (zhblz.com) under the log prefix ktfu. Researchers recovered 516 log entries from 108 unique victim addresses, with 256 accounts having their TOTP secrets compromised, including targets at Romania’s Air Force, Greece’s GEETHA, Ukraine’s Asset Recovery Agency, and Serbia’s Ministry of Defence. The remaining 260 accounts had no 2FA enabled, making them trivial to access.
The exposure underscores the group’s persistent reliance on known infrastructure despite prior attribution, as well as the sophistication of its 2FA bypass techniques. While the incident provides defenders with critical intelligence, it also highlights the ongoing threat posed by FancyBear to NATO-aligned governments and military organizations.
February 2026: 833
January 2026: 834
December 2025: 833
November 2025: 833
October 2025: 833
September 2025: 832
August 2025: 832
July 2025: 832
March 2023: 824
Vulnerability | 14 Mar 2023 | NATO
Microsoft and NATO: APT28 Weaponizes Outlook Zero-Click Flaw to Steal Net-NTLMv2 Hashes From NATO Targets
Score after incident: 822 | Severity: CRITICAL-2 | Incident ID: NATMIC1781267313
APT28 Exploits Zero-Click Outlook Flaw to Steal Credentials from NATO and Critical Infrastructure
Russian state-sponsored threat group APT28 (also known as Fancy Bear or Forest Blizzard), linked to the GRU’s Unit 26165, has intensified its cyber espionage operations by exploiting a zero-click vulnerability in Microsoft Outlook to target NATO members, defense organizations, and critical infrastructure entities.
The campaign centers on CVE-2023-23397, a critical elevation-of-privilege flaw in Outlook that allows attackers to trigger forced authentication without user interaction. APT28 sends malicious Outlook reminders that, when processed, automatically connect to attacker-controlled Server Message Block (SMB) shares, leaking victims’ Net-NTLMv2 hashes. These stolen credentials enable NTLM relay attacks, granting unauthorized access to Microsoft Exchange mailboxes without deploying traditional malware.
Unlike past operations that relied on heavy implants like the X-Agent toolkit, APT28 has shifted to stealthier, single-purpose techniques, minimizing forensic traces. To evade detection, the group has overhauled its infrastructure, leveraging compromised small office/home office (SOHO) edge devices, specifically the MooBot botnet of hijacked Ubiquiti EdgeRouters. These routers serve as relay nodes for stolen hashes and host credential-scraping proxies, masking malicious traffic behind legitimate consumer IP addresses and bypassing reputation-based security filters.
The attack chain highlights a sophisticated evolution in APT28’s tactics, combining zero-click exploitation with decentralized infrastructure to silently infiltrate high-value targets. The campaign underscores the growing threat to European defense and critical infrastructure sectors.
June 2021: 821
Cyber Attack | 16 Jun 2021 | NATO (North Atlantic Treaty Organization)
Maritime Cyber Attack Database (MCAD) Launch and Historical Incidents Including Russian Spoofing of NATO Ships (2021)
Score after incident: 814 | Severity: CRITICAL-7 | Incident ID: NAT1492114091725
In 2021, Russia executed a location spoofing cyber attack targeting NATO ships, specifically British and Dutch warships, in the Black Sea near Ukraine. The attack falsely projected the vessels as entering Russian-occupied Crimean waters and approaching Russia’s primary naval base in Sevastopol—a provocation designed to trigger a military or diplomatic reaction. The incident, though virtual, demonstrated the disruptive potential of GPS jamming and spoofing attacks in maritime cyber warfare, risking escalation between nuclear-armed states.
The attack exposed critical vulnerabilities in maritime navigation systems, which rely on unencrypted GPS signals susceptible to manipulation. While no physical damage or data breach occurred, the psychological and geopolitical impact was severe: it undermined trust in naval positioning systems, forced NATO to verify ship locations manually, and highlighted how cyber deception could provoke real-world conflicts. Experts warned that such tactics could be expanded to disrupt commercial shipping, port operations, or even trigger accidental military engagements by misleading adversaries into perceiving hostile actions.
The incident was part of a broader pattern of Russian cyber operations targeting maritime infrastructure, emphasizing the need for resilient navigation technologies and international cyber norms to prevent miscalculation in contested regions like the Black Sea. The attack’s strategic intent—deploying disruptive power to influence adversary behavior—aligned with hybrid warfare doctrines, where cyber tools are used to create uncertainty without kinetic confrontation.
January 2021: 839
Breach | 01 Jan 2021 | NATO
Hungarian Government and NATO eLearning Platform: Hungary officials used weak passwords exposed in breach dump
Score after incident: 819 | Severity: CRITICAL-20 | Incident ID: MFANAT1775903094
Hungarian Government Faces Security Crisis Due to Weak Passwords and Credential Reuse
A Bellingcat investigation has exposed a major security lapse within Hungary’s government, revealing nearly 800 compromised email and password pairs tied to key ministries, including defense, foreign affairs, and finance. The findings suggest systemic negligence rather than targeted hacking, with officials relying on weak, reused passwords that eventually surfaced in breach dumps.
Among the most concerning discoveries were 120 compromised records linked to defense personnel, some stemming from a 2023 NATO eLearning platform breach that exposed emails, passwords, and phone numbers. While much of the data dates back to 2021, new instances continue to emerge, with some recent infostealer logs indicating active device compromises as recently as last month.
Password choices were particularly alarming. A colonel in "information security" used "FrankLampard", a reference to the former England footballer, while a district director opted for "123456aA." Another senior official in Hungary’s NATO delegation used a password translating to "cute." Other examples included simple name-based passwords, easily guessable patterns, and credentials like "linkedinlinkedin", likely from the 2012 LinkedIn breach and still in use.
The root issue appears to be poor security hygiene: officials registered government emails on third-party services, then reused passwords across multiple platforms. Once those services were breached, the credentials spread through underground markets. The investigation also uncovered infostealer malware logs, suggesting some devices were actively compromised rather than just caught in old leaks.
The incident underscores how basic security failures, such as weak passwords, credential reuse, and unchecked third-party sign-ups, can undermine even critical government functions. With no advanced hacking required, the breach highlights the persistent risks of human error in cybersecurity.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for NATO?
What was NATO's A.I Rankiteo Cyber Score in May 2026?
What was NATO's A.I Rankiteo Cyber Score in April 2026?
What was NATO's A.I Rankiteo Cyber Score in March 2026?
What was NATO's A.I Rankiteo Cyber Score in February 2026?
What was NATO's A.I Rankiteo Cyber Score in January 2026?
What was NATO's A.I Rankiteo Cyber Score in December 2025?
What was NATO's A.I Rankiteo Cyber Score in November 2025?
What was NATO's A.I Rankiteo Cyber Score in October 2025?
What was NATO's A.I Rankiteo Cyber Score in September 2025?
What was NATO's A.I Rankiteo Cyber Score in August 2025?
What was NATO's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on NATO's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with NATO?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view NATO's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?