
Exposed Infrastructure Reveals How FancyBear Operated Against Government and Military Webmail

What Happened

Recent research into exposed attacker infrastructure has provided an unusually detailed view into a campaign linked to FancyBear, also tracked as APT28 and Forest Blizzard. The findings suggest that the operation targeted government and military webmail environments across several countries, including Ukraine, Romania, Greece, Serbia, and Bulgaria.

The exposed server reportedly contained command-and-control components, phishing pages, JavaScript payloads, telemetry logs, and stolen data, giving rare visibility into both the techniques and operational mistakes behind the campaign.

Victim Scope

The analysis highlights a focused victim profile rather than random targeting. Reported affected entities include:

  • Ukraine (175 victims): regional prosecutors, government mail systems, asset recovery agencies
  • Romania (67 victims): primarily the Romanian Air Force and academy
  • Greece (30 victims): national defence structures and military entities
  • Serbia (8 victims): Ministry of Defence and military institutions
  • Bulgaria (4 victims): government-related accounts

The concentration around government and defence-related entities indicates structured targeting aligned with intelligence objectives.

What the Operation Involved

The campaign combined multiple techniques against webmail platforms such as Roundcube and SquirrelMail. Observed capabilities include:

  • credential theft through phishing pages and through JavaScript executed in the victim's browser
  • theft of TOTP secrets and recovery codes
  • mailbox exfiltration from Inbox and Sent folders
  • address book harvesting
  • creation of email forwarding rules for persistent access

In some cases, simply opening a malicious email was enough to trigger the attack: the attacker's JavaScript ran inside the victim's already authenticated webmail session, so no password prompt or new login was needed, and the data theft and rule changes happened with the victim's own privileges.

Geopolitical Context

The selection of targets appears to reflect regional security dynamics rather than opportunistic activity.

Several affected countries have direct or indirect roles in supporting Ukraine or NATO operations:

  • Romania, Bulgaria, and Greece are part of a regional military mobility initiative aimed at strengthening NATO’s eastern flank
  • Greece has participated in training Ukrainian pilots as part of F-16 coalition efforts
  • Serbia maintains a more complex position but remains relevant in regional supply and political dynamics

The timeline of the campaign, starting in late 2024 and continuing into 2026, aligns with ongoing geopolitical developments, suggesting deliberate and sustained intelligence collection rather than isolated incidents.

Why This Matters

This case provides rare visibility into how a long-running espionage operation functions in practice. It also shows that even well-resourced threat actors can introduce exposure through operational mistakes, such as leaving infrastructure accessible.

The same infrastructure stayed in use across the whole campaign window, which argues for continued monitoring of known indicators and behaviours rather than stopping once attribution is established.

CISO Analysis

From a CISO perspective, this case shifts focus from endpoint compromise to control over communication platforms. Webmail access lets attackers observe, manipulate, and persist without triggering traditional endpoint-focused alerts, because nothing malicious needs to run on the victim's machine beyond script in the browser.

Key takeaways:

  • treat webmail systems as critical assets, not auxiliary services
  • monitor mailbox behavior, not just login events
  • alert on new or modified forwarding rules (including Sieve filters) and on unusual data access patterns, such as bulk reads of Inbox and Sent
  • harden the webmail stack against session-based attacks: patch the webmail software and its plugins promptly, and require re-authentication for changes to filters, forwarding and MFA settings

For regulated sectors and public institutions, mailbox access effectively becomes strategic access.

DIAMATIX Perspective

This case reinforces that email remains one of the most valuable operational assets in any organization. It provides not only communication access but also visibility into relationships, workflows, and internal context.

What stands out is not only the capability of the attacker, but the reliance on repeatable patterns: webmail exploitation, credential harvesting, and silent persistence mechanisms.

Detection must extend beyond access. It should include:

  • configuration changes inside accounts
  • abnormal data extraction patterns
  • hidden persistence mechanisms such as forwarding rules

The risk is not only the initial compromise, but the continued visibility it provides to the attacker.
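The two detection items that recur in the CISO takeaways and in the list above, forwarding rules and abnormal data extraction, can be turned into a concrete hunt. The Python below is an added example written for this page; it is not DIAMATIX tooling and does not come from any of the cited reports. It assumes two things the article does not state: that the organisation's own mail domains are known (placeholder `mod.example`), and a simplified, constructed access-log line format with `user`, `session` and `action` fields. The Sieve script and the log lines are constructed sample data; the filter named "." is a deliberately nondescript rule name, not an observed indicator.

```python
"""Mailbox-level hunting for forwarding-rule persistence and bulk collection.

Added example (not DIAMATIX tooling, not from the cited reports). Inputs are
constructed: a Sieve filter script in the shape Roundcube's managesieve
plugin writes, and simplified webmail access-log lines in an assumed format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the organisation's own mail domains; redirects elsewhere are suspect.
INTERNAL_DOMAINS = {"mod.example"}

# Sieve "redirect" action, with or without the :copy modifier, e.g.
#   redirect "x@y";        redirect :copy "x@y";
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:copy)?\s+"([^"]+)"', re.IGNORECASE)


def find_external_forwarding(sieve_script: str) -> list[str]:
    """Return every redirect target whose domain is outside INTERNAL_DOMAINS."""
    hits = []
    for target in REDIRECT_RE.findall(sieve_script):
        domain = target.rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            hits.append(target)
    return hits


# Assumed (constructed) access-log format, one event per line:
#   <ISO timestamp> user=<mailbox> session=<id> action=<login|fetch|...> ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<sid>\S+) action=(?P<action>\S+)"
)


def find_bulk_collection(log_lines, threshold=50, window_seconds=300):
    """Return (user, session) pairs that fetched >= threshold messages within the window.

    A person reads a handful of messages per hour; a script walking Inbox and
    Sent pulls dozens within minutes, which is what the sliding window catches.
    """
    window = timedelta(seconds=window_seconds)
    fetches = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["action"] != "fetch":
            continue
        fetches[(m["user"], m["sid"])].append(datetime.fromisoformat(m["ts"]))

    flagged = []
    for key, times in fetches.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return flagged


# --- constructed sample data -------------------------------------------------

SAMPLE_SIEVE = """\
# rule:[Archive newsletters]
if header :contains "subject" "newsletter" { fileinto "Archive"; }
# rule:[.]
if true { redirect :copy "collector@mail-relay.example.net"; }
# rule:[Cover for deputy]
if address :is "to" "chief@mod.example" { redirect "deputy@mod.example"; }
"""


def _build_sample_log():
    base = datetime(2025, 3, 4, 9, 0, 0)
    lines = ["2025-03-04T08:59:50 user=analyst@mod.example session=s1 action=login"]
    # s1: 60 fetches two seconds apart, i.e. a script draining the mailbox
    for i in range(60):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} user=analyst@mod.example session=s1 action=fetch uid={1000 + i}")
    # s2: five fetches spread over an hour, i.e. someone reading mail
    for i in range(5):
        ts = (base + timedelta(minutes=12 * i)).isoformat()
        lines.append(f"{ts} user=clerk@mod.example session=s2 action=fetch uid={2000 + i}")
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    print("external redirects:", find_external_forwarding(SAMPLE_SIEVE))
    print("bulk collection:", find_bulk_collection(SAMPLE_LOG))
```

Run as a script it reports the external redirect and the draining session while leaving the internal redirect and the normal reader alone. In production the Sieve scripts come from the mail server's filter storage and the events from the webmail or IMAP server, and the two checks should run continuously rather than once: the page lists forwarding rules among the persistence mechanisms, so a new external redirect appearing on an account is an incident signal, not a configuration change to review later.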

Conclusion

The exposure of FancyBear infrastructure offers a rare operational view into an active espionage campaign. More importantly, it highlights that consistent monitoring of behavior and configurations can reveal even long-running and structured attacks.


Sources

Ctrl-Alt-Intel. Public analysis of exposed infrastructure linked to FancyBear
Hunt.io. Prior reporting on the same campaign cluster
CERT-UA. Advisories related to Roundcube exploitation and ClickFix delivery
ESET. Operation RoundPress reporting
