Russian-affiliated hackers have compromised at least 67 email accounts of the Romanian Air Force.
According to an analysis by Reuters published on Wednesday, based on data accidentally exposed online by attackers, the operation is part of a broader cyber espionage campaign that has primarily targeted Ukraine, but also other countries in the region, including Greece, Bulgaria, and Serbia.
67 compromised accounts, including at NATO bases
Data analyzed by Reuters shows that hackers breached the email infrastructure of the Romanian Air Force, compromising at least 67 accounts.
Among these are addresses associated with NATO air bases, as well as the account of a senior officer, raising questions about the security of military communications.
MoD's reaction: the attack was quickly isolated
In a press release issued on Wednesday afternoon, the Ministry of National Defense claims that the security incident was identified as early as March 2025 and targeted "several dozen email addresses," while around 30 other compromise attempts failed.
According to the MoD, the breach was detected and isolated in less than 24 hours, and the targeted data were unclassified, used for administrative activities and public information, with no risk of access to sensitive information.
The institution specifies that cybersecurity has been centralized since March 2026 and that the infrastructure is constantly monitored to prevent similar incidents.
Ukraine, the main target: hundreds of prosecutors and investigators targeted
However, the majority of the Russian hackers' operation targeted Ukraine, where over 170 email accounts of prosecutors and investigators were breached in recent months.
Data shows that attackers compromised a total of at least 284 accounts between September 2024 and March 2026.
The targets include key institutions involved in combating corruption and identifying Russia's collaborators, such as the specialized defense prosecutor's office, the Agency for Asset Recovery (ARMA), and the Anti-Corruption Prosecutor's Office (SAPO).
A "huge blunder" by hackers exposed the operation
The information was discovered by Ctrl-Alt-Intel, a group of British and American cybersecurity researchers, after hackers left sensitive data exposed online.
On their servers, logs of successful attacks and thousands of stolen emails were found.
“They made a huge operational blunder. They left their front door wide open,” explained the researchers.
Attacks attributed to Russia
Cybersecurity experts attribute the campaign to hackers affiliated with Moscow, with the group "Fancy Bear," associated with Russian military services, being the most frequently mentioned.
Other experts confirm the link to Russia but are unsure about the direct involvement of this group.
The goal was either to monitor investigators probing Russian espionage networks or to obtain compromising information about high-ranking officials, including those in President Volodymyr Zelensky's administration.
Extensive espionage in NATO and the Balkans
The operation was not limited to Ukraine and Romania. In Greece, 27 accounts of the General Staff of Defense, including those of military attachés, were compromised. In Bulgaria, hackers targeted local officials in the Plovdiv region, and in Serbia – considered close to Moscow – accounts of military personnel and academics were attacked.
The context is sensitive: in Bulgaria last year, there were suspicions of Russian interference ahead of a visit by the President of the European Commission, Ursula von der Leyen.
An expert cited by Reuters warns that closeness to Moscow does not provide protection: "A relationship considered close to Russia is not a guarantee against espionage."
Experts say that the discovered data represents only a fraction of Russia's espionage operations.
A recent precedent
Last Wednesday, President Nicușor Dan and the US Department of Justice announced the dismantling of a large-scale cyber operation, following a coordinated action by the FBI with institutions from 15 states, including the Romanian Intelligence Service.
According to the SRI, the Russian military intelligence service GRU compromised "a wide range of entities globally, including in Romania," focusing particularly on critical infrastructure and information in the military and governmental sectors.
