A group of independent cybersecurity researchers says it has uncovered evidence that the Russian-linked hacking group APT28 (Fancy Bear) compromised Serbian state institutions. The discovery was made after the researchers gained access to servers used by APT28.
According to Ctrl Alt Intel’s findings, at least six email accounts within Serbia’s Ministry of Defense were compromised, as well as accounts from the Military Academy and the Military Medical Academy. The attackers reportedly bypassed two-factor authentication and, in several cases, set up automatic email forwarding, allowing them to monitor incoming communications undetected.
The researchers say the breach may have been ongoing since October 2024, though the exact timeline remains unclear due to a lack of timestamps in the recovered data. Some accounts could still be compromised, Ctrl Alt Intel notes.
APT28 is a state-sponsored hacker group believed to be linked to Russia’s military intelligence service, the GRU. The group has a long history of targeting governments, NGOs, and institutions worldwide, often using spear phishing techniques to gain access to sensitive systems.
Serbia’s Ministry of Defense has not responded to the claims. The national cybersecurity authority says it has no information about the attack. Under Serbian law, such incidents must be reported to data protection authorities, but this does not seem to have been done.