Serbian Ministry of Defense targeted by Russian state hackers

The cyber attack was not reported to the Commissioner for Information of Public Importance and Personal Data Protection, as required by Serbian law.


Traces of the Russian hacker group "Fancy Bear", which American and British state institutions link to the Russian military intelligence service GRU, have been found in the Serbian Ministry of Defense, the Military Academy and the Military Medical Academy (VMA).

A group of internationally connected independent cybersecurity experts, "Ctrl Alt Intel", announced that in mid-March they had managed to access folders on a server used by the Russian hacking group.

According to the data they shared, they found evidence on the servers that, among other things, Russian hackers were collecting data from email addresses from three Serbian state institutions.

By the time this text was published, the Serbian Ministry of Defense had not responded to inquiries sent by Radio Free Europe/Radio Liberty (RFE/RL) on Thursday, March 19, regarding the information that the institution's data had been compromised.

In a letter to RFE/RL, the national CERT of the Republic of Serbia, the central body responsible for preventing, protecting and responding to security risks in information systems, also stated that it has no data on this attack.

The report by the organization "Ctrl Alt Intel" states, however, that the data they obtained makes it possible to identify six different Ministry of Defense email accounts that were hacked, and in which the attackers managed to get past the additional login confirmation (so-called two-step verification).

Four accounts had automatic email forwarding set up to other addresses, so the attackers could monitor all incoming mail, the organization said.
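The silent-forwarding pattern described above, a mailbox rule that copies incoming mail to an address outside the organization, is one of the first things a defender audits after a compromise of this kind. The following is an added example, not code from the article or from Ctrl Alt Intel: it runs a small audit over a constructed export of mailbox rules and flags external forwards together with the traits that make a rule look like a hidden redirect rather than a user's own copy. The record layout, the mod.example domain and every address in it are assumptions.

```python
"""Audit exported mailbox rules for silent forwarding to addresses outside the organisation.
Added example; the record layout, ORG_DOMAINS and all addresses are constructed assumptions."""
from dataclasses import dataclass, field

ORG_DOMAINS = {"mod.example"}  # assumption: the organisation's own mail domains

# Constructed sample export (hypothetical layout, not any real product's output).
SAMPLE_RULES = [
    {"mailbox": "a.petrovic@mod.example", "name": "Archive old mail",
     "forward_to": "archive@mod.example", "delete_original": False, "hidden": False},
    {"mailbox": "m.jovanovic@mod.example", "name": ".",
     "forward_to": "relay.backup@freemail.example", "delete_original": True, "hidden": True},
    {"mailbox": "s.nikolic@mod.example", "name": "Home copy",
     "forward_to": "s.nikolic@freemail.example", "delete_original": False, "hidden": False},
    {"mailbox": "d.ilic@mod.example", "name": "Flag invoices",
     "forward_to": None, "delete_original": False, "hidden": False},
]

@dataclass
class Finding:
    mailbox: str
    forward_to: str
    reasons: list = field(default_factory=list)

def _domain(address):
    return address.rsplit("@", 1)[-1].lower()

def audit_forwarding(rules, org_domains=ORG_DOMAINS):
    """Return one Finding per rule that forwards mail outside org_domains, listing the
    traits that make it look like a silent redirect rather than a user's own copy."""
    findings = []
    for rule in rules:
        dest = rule.get("forward_to")
        if not dest or _domain(dest) in org_domains:
            continue  # non-forwarding rules and internal forwards are out of scope here
        reasons = ["forwards to external domain " + _domain(dest)]
        if rule.get("delete_original"):
            reasons.append("deletes the original, so the owner never sees the message")
        if rule.get("hidden"):
            reasons.append("rule is hidden from the mailbox owner")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("near-empty rule name, a common way to avoid attention")
        findings.append(Finding(rule["mailbox"], dest, reasons))
    return findings

def high_risk(findings):
    """Findings with more than the external-domain indicator alone deserve immediate review."""
    return [f for f in findings if len(f.reasons) > 1]
```

Run against a real export, the same logic separates a user's own copy to a private address (one reason, worth a follow-up question) from a hidden, deleting rule with an unnamed trigger (several reasons, treat as an active compromise).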

The available data is not date-stamped, so it is not possible to determine when the initial attack occurred.

"This could have been going on since October 2024. There is a possibility that these email addresses are still compromised and are still forwarding emails to 'FancyBear' addresses today," Ben Folland, a researcher at the organization "Ctrl Alt Intel," told RFE/RL.

Who is behind the Russian hacker group 'Fancy Bear'?

"Fancy Bear" is a hacker group that has been active for at least 10 years. It is known by several names, including "APT28" and "Forest Blizzard", the latter being the name under which the technology company Microsoft tracks it in its databases.

The British government's National Cyber Security Centre assesses in its research that "'APT28' is almost certainly part of the Main Intelligence Directorate (GRU) of the General Staff of Russia."

Members of this hacking group were directly identified as GRU officers in an indictment filed by the US Department of Justice in 2018 against 12 GRU members for hacking the Democratic National Committee, the Democratic Congressional Committee, and the election campaign of US presidential candidate Hillary Clinton.

As stated on the Microsoft website, this Russian hacker group typically attacks governments, non-governmental organizations, IT companies and universities, and attacks have been recorded in the United States, Australia, Canada, India, Ukraine, Israel and Japan.

Through Serbian institutions to European military structures

One of the group's identified methods of entering information systems is so-called spear phishing.

This is a targeted form of email in which the attacker tailors the message so that it appears to come from a trusted person or organization, often using the victim's personal information.

The goal is to trick the victim into downloading a malicious file and providing access to systems from which the attackers then download content from internal servers.

When it comes to the attack on Serbian state institutions, experts from the "Ctrl Alt Intel" group identified six compromised email accounts within the Ministry of Defense itself and one each from the Military Academy and the Military Medical Academy systems.

From these email accounts, 248 contacts with whom the accounts had communicated were collected.

"These Serbian Ministry of Defense email addresses were used to contact other addresses, including several within the Serbian Ministry of Defense itself, as well as European military and defense structures. 'FancyBear' managed to extract contact lists from its initial targets in the Serbian Ministry of Defense in order to obtain this data," explains Ben Folland of the organization "Ctrl Alt Intel".

Interest in Serbia due to allegations of arms exports to Ukraine

In some attacks, the "Fancy Bear" hacker group works in cooperation with another group known as "Midnight Blizzard", as was seen during the forensic analysis of the hacker attack on the Serbian non-governmental organization Belgrade Center for Security Policy last fall.

In that attack, hackers accessed part of the archive and read more than 28 email exchanges of a Serbian organization that has been monitoring security sector reforms for almost 25 years and is in active communication with numerous European institutions.

The US and UK governments link "Midnight Blizzard" to the Foreign Intelligence Service of the Russian Federation (SVR).

Serbia was the subject of SVR interest during May and June 2025, when two statements were issued with sharp criticism over claims that Belgrade was exporting ammunition to Ukraine.

What information did the Russian service provide?

"According to information received by the SVR, Serbian defense companies, despite Belgrade's declared 'neutrality', continue to deliver ammunition to Kiev. A simple scheme involving forged end-user certificates and intermediary countries serves as a cover for these anti-Russian activities," the Russian service announced on May 28, 2025.

The statement also lists intermediary countries, as well as Serbian exporting companies such as Jugoimport SDPR, Zenitprom, Krušik, Sofag, Reyer DTI, Sloboda and Prvi Partizan.

Serbian President Aleksandar Vučić said at the time that he had discussed Serbian arms exports to Ukraine with Russian leader Vladimir Putin during a visit to Moscow on May 9, and that he denied some of the SVR's allegations.

"We have formed a working group, together with Russian partners, to establish the facts. Some of the things said are not true," Vučić said at the time.

A month later, another statement from the Russian SVR followed.

"According to information received, Valjevo's 'Krušik' recently sold several large batches of 122 mm rocket assembly kits to the Czech company 'Poličské strojírny'. The defense company 'Eling' from Loznica delivered production kits for the same rockets, as well as mines for 120 mm mortars, to the Bulgarian company 'EMKO'," the Russian service stated on June 23, 2025.

The President of Serbia then responded by halting the export of ammunition from Serbia.

"Since we saw it, (ammunition) has appeared in Ukraine, it has appeared from both sides, both sides are complaining. If I could change something, I can only do it this way - to say, all ammunition for a while only in our barracks," Vučić said.

Precise data on what weapons and military equipment and in what quantities Serbia exports to Ukraine, Israel and other countries are not publicly available, and in recent years the relevant ministry has not published annual reports on issued export licenses on its website.

Who was the target of the attack?

"FancyBear" successfully compromised government and military entities across Ukraine, Romania, Bulgaria, Greece, Serbia and North Macedonia - including email addresses linked to four NATO member countries, according to a report by Ctrl Alt Intel.

More than 2,800 emails extracted from government and military bases were found on the hacking group's servers. More than 240 sets of user data were stolen, including passwords and two-factor authentication codes, and 140 addresses were silently redirected to an email address controlled by the attackers, the report said.

More than 11,500 email addresses were extracted from the victims' address books, mapping out entire communication networks, "Ctrl Alt Intel" added.