Major security breach: Romanian Air Force accounts hacked by Russian military hackers

I.GHE.
English Section / 16 April

Photo source: Facebook - Forţele Aeriene Române

MApN claims that 30 email accounts were compromised and that they were not used for transmitting classified information

At least 67 Romanian Air Force email accounts, including some associated with NATO air bases, have been compromised in cyberattacks carried out by the Russian military hacker group Fancy Bear, according to an article published yesterday by Reuters. The article cites an analysis by Ctrl-Alt-Intel, according to which the cyberattacks took place between September 2024 and March 2026. The Ministry of National Defense stated yesterday, in a press release, that of the 67 email accounts targeted by Russian hackers in March 2025, only 30 were compromised, the other attacks being repelled by the Romanian Army's cyber defense. In addition, the MApN claims that those email addresses were not used to transmit classified information, but rather for administrative matters within the ministry. Following these cyberattacks, the entire cyber defense procedure has been centralized, meaning that the Ministry of National Defense is directly responsible for protecting this data, a measure that came into force last month.

In Romania, the seriousness of the situation is amplified by the fact that the targets come from the Air Force, the structure responsible for protecting airspace and coordinating air defense, an essential area in the context of the war in Ukraine and tensions in the Black Sea region. The fact that some of the accounts belong to NATO bases raises the stakes to a higher level, transforming the incident into not only a national but also an allied problem.

The context of these attacks is already tense. Recently, President Nicuşor Dan warned that Russia is intensifying hybrid warfare against Western states, including using cyber tools to destabilize institutions and gain strategic advantages. He announced that the Romanian Intelligence Service, in collaboration with the FBI and other services from 15 states, managed to thwart a major cyberattack orchestrated from Moscow.

International investigations indicate that this global campaign was coordinated by a GRU unit and exploited vulnerabilities in commonplace devices, such as routers used in homes and offices, transformed into espionage tools capable of collecting sensitive data without being detected.

"Russia continues its hybrid war against Western countries and only those with bad faith do not see this. Romania must improve its cybersecurity and continue to collaborate with Western partners," declared President Nicuşor Dan, in a warning that takes on dramatic relevance in the context of these attacks.

However, the revelations published by the cited source outline a much broader and more worrying picture, in which Romania is just one piece of a regional puzzle carefully orchestrated by Russian military intelligence services. The operation was not limited to Romania. Data shows that, in Greece, hackers managed to compromise 27 email accounts managed by the General Staff of the Hellenic National Defense, the country's most important military structure. Among the victims are the Greek military attachés in India and Bosnia, as well as the public mailbox of the Joint Armed Forces Mental Health Center, a detail that shows that the attackers targeted not only strictly operational areas, but also infrastructure related to the military system.

In Bulgaria, the attacks targeted at least four email accounts belonging to local officials in the strategically important Plovdiv province, where Russian interference was suspected of disrupting satellite navigation services just before a visit by the President of the European Commission, Ursula von der Leyen. This detail suggests a deliberate synchronization of the attacks with politically sensitive moments, which amplifies the geopolitical dimension of the operation.

Serbia was not spared either, although it is considered a traditional ally of Moscow. The hackers targeted academics and military officials here, a sign that the objective is not only to destabilize opponents, but also to monitor and influence states in Russia's strategic interest zone.

The hardest hit, however, remains Ukraine, where over 170 email accounts of prosecutors and investigators were compromised. The targets were not chosen at random: they are officials involved in combating corruption and identifying pro-Russian collaborators, which indicates a clear attempt to infiltrate and sabotage the internal security and justice mechanisms of the Ukrainian state.

In total, researchers from Ctrl-Alt-Intel estimate that at least 284 email accounts were compromised between September 2024 and March 2026, in an operation attributed to the "Fancy Bear" group, associated with the military intelligence service of the Russian Federation, the GRU. The information came to light after hackers exploited accidentally leaked data on the internet, providing a rare glimpse into the true scale of this espionage campaign.

The overall picture is clear and unsettling: from Bucharest to Athens, from Kiev to Plovdiv to Belgrade, the same fingerprint points to a coordinated, persistent and sophisticated offensive, targeting not just IT infrastructures but the very security architecture of Europe. In this invisible war, every hacked account can mean an open door to strategic information, and every exploited vulnerability becomes a pawn in a geopolitical game where the stakes are much higher than they first appear.
