Traces of the Russian hacker group "Fancy Bear", which according to American and British institutions is linked to the Russian military intelligence service GRU, have been discovered in the Serbian Ministry of Defense, the Military Academy and the Military Medical Academy (VMA).
Independent cybersecurity group Ctrl Alt Intel announced that in mid-March it managed to access the Russian group's server files. Their analysis showed that the hackers had obtained data from the email addresses of three Serbian state institutions.
The Serbian Ministry of Defense has not commented on the incident to date. The attack was also not reported to the Commissioner for Public Information and Personal Data Protection, as required by Serbian law.
According to Ctrl Alt Intel, hackers took control of six email accounts at the Ministry of Defense, including two-step verification, and four of them had automatic email forwarding enabled, allowing all future communication to be tracked. It is not known exactly when the attack occurred, but there is a possibility that some accounts are still compromised.
“Fancy Bear” has been active for more than 10 years and is also known as “APT28” or “Forest Blizzard.” According to the British National Cyber Security Center, the group is part of the GRU. In 2018, 12 GRU officers were indicted by the US Department of Justice for cyberattacks on the Democratic National Committee and Hillary Clinton’s campaign.
The group typically attacks governments, non-governmental organizations, universities, and technology companies in countries such as the US, Canada, Australia, India, Ukraine, Israel, and Japan.
“Fancy Bear” often uses the “spear phishing” technique, sending messages that appear to come from trusted individuals, to trick victims into opening malicious files and allowing access to their systems. From Serbia, hackers were able to contact European military institutions through compromised emails.
According to the report, 248 contacts were received from the accounts of the Ministry of Defense and the Military Academy, including communications with European military structures.
Russian hackers were also interested in Serbia because of allegations of arms exports to Ukraine. According to the Russian Foreign Intelligence Service (SVR), several Serbian companies continued to export ammunition to Ukraine using forged documents and intermediaries.
Serbian President Aleksandar Vučić has denied some of the SVR's claims and discussed the issue with Russian President Vladimir Putin in May 2025. Following these reports, Serbia temporarily banned the export of some ammunition. /REL
t7 live
