Extensive Email Compromise Targets Alliance Members
Hackers linked to Russian intelligence services have breached hundreds of military email accounts belonging to Romanian and Greek armed forces, including accounts at NATO airbases, according to cybersecurity investigators. The campaign, which ran from September 2024 to March 2026, compromised at least 284 mailboxes; most of the targets were in Ukraine, but there were also significant breaches within NATO member states. The operation was exposed after the hackers left an open server containing logs of their activities, a critical operational security failure.
Romanian Air Force and Greek Defence Staff Targeted
Investigators from cybersecurity firm Ctrl-Alt-Intel report that 67 email accounts belonging to the Romanian Air Force were infiltrated, including several on NATO airbases and at least one belonging to a high-ranking officer. Simultaneously, 27 inboxes at the Hellenic National Defence General Staff in Greece were compromised. The breaches represent a direct intrusion into the internal communications of key European defence structures and follow a pattern of Russian state-sponsored cyber espionage.
Attribution Points to Russian Military Intelligence
Analysts attribute the operation to the known Russian hacking group commonly referred to as Fancy Bear, which is associated with the Russian military intelligence agency GRU. Some cybersecurity experts, while agreeing the hackers have clear links to Moscow, express caution regarding the specific group identification. The campaign’s tactics align with long-term Russian cyber operations aimed at gathering authentication data and intelligence from government and military networks across Europe and beyond.
Campaign Aligns with Broader Global Hacking Network
The email breaches form part of a wider, ongoing global campaign detailed by the United States Department of Justice and the FBI in early April 2026. Those agencies stated that cyber actors from the Russian General Staff Main Intelligence Directorate’s 85th Special Service Centre have been exploiting vulnerabilities in home and office routers worldwide since at least 2024. The actors redirected internet traffic through their own servers to intercept passwords, authentication tokens, and email communications.
Strategic Aim to Destabilise NATO Cohesion
Security analysts assess that the systematic targeting of military communications is designed to gather sensitive information on defence processes and critical infrastructure. The long-term strategic goal is viewed as an attempt to destabilise NATO allies, undermine organisational resilience, and erode trust within the Alliance’s collective security system. Access to internal email traffic provides a pathway to intelligence that could be used to sow discord between partner nations.
Call for Enhanced Cyber Defences and International Cooperation
The scale and duration of the campaign highlight the systemic nature of Russian cyber operations, which involve significant planning and resources. In response, European security officials emphasise the urgent need to strengthen cyber defences at all levels, including implementing multi-factor authentication and regular software updates. Effective countermeasures are deemed to require deeper international cooperation, including intelligence sharing and coordinated security measures within the EU and NATO frameworks.