Russia-linked hackers compromised 27 email inboxes managed by the Hellenic National Defense General Staff, Greece's top military body, according to data reviewed by Reuters. The intrusion touched defense attaches posted abroad and public-facing military offices, and was uncovered after the attackers themselves inadvertently exposed the stolen data to the open internet.
What Happened
Twenty-seven email accounts tied to Greece's Hellenic National Defense General Staff (HNDGS) were breached by operators linked to Russia. The compromise was not discovered through internal detection. Instead, the attackers leaked their own haul to the public internet through a misconfigured staging infrastructure, where it was spotted by Ctrl-Alt-Intel, a collective of British and American cyber threat researchers. Reuters subsequently reviewed the exposed dataset and confirmed the link to HNDGS mailboxes.
What Was Taken
The breached inboxes span both operational and administrative functions of the Greek military. Confirmed victims include:
- The mailbox of Greece's defense attaché in India
- The mailbox of Greece's defense attaché in Bosnia
- The public-facing inbox for Greece's Joint Armed Forces Mental Health Center
- At least 24 additional accounts within the HNDGS domain
Defense attaché correspondence typically carries diplomatic-military traffic, host-nation liaison notes, and sensitive postings data. The Mental Health Center mailbox, while public-facing, is a known channel for service-member personal disclosures, making any exposure a counterintelligence concern.
Why It Matters
A compromise of the top-level Greek military headquarters email environment is a strategic intelligence loss for a NATO member state. Defense attaché inboxes are high-value targets for foreign services because they contain pattern-of-life data, reporting cables, and relationship maps across allied and partner militaries. The Bosnia posting is particularly sensitive given active Russian interest in the Western Balkans, while the India channel touches defense-industrial and procurement dialogue. The exposure of a mental health intake mailbox also creates a coercion and recruitment vector against individual personnel.
The Attack Technique
Attribution points to a Russia-linked actor, consistent with known GRU- and SVR-aligned tradecraft targeting European defense ministries through credential theft, spearphishing, and abuse of exposed cloud email services. The discovery vector is the most operationally telling detail: the threat actor staged stolen data on infrastructure that was reachable from the open internet, allowing Ctrl-Alt-Intel researchers to collect it without access to Greek networks. This is a recurring operational security failure across Russia-linked clusters in recent years, where exfiltration servers and attacker-controlled buckets have been left indexable.
What Organizations Should Do
- Audit mailbox access logs for defense attaché, liaison, and diplomatic-adjacent accounts for unusual IMAP, OAuth token, or legacy protocol authentications over the past 12 months.
- Enforce phishing-resistant MFA (FIDO2 or certificate-based) on all military and diplomatic mailbox identities, and disable basic authentication and app passwords.
- Treat public-facing intake inboxes (mental health, ombuds, ethics) as sensitive tier assets, not low-risk shared mailboxes, and apply DLP and retention controls accordingly.
- Hunt for exfiltration staging: query egress telemetry for large outbound transfers to cloud storage, file-sharing, and VPS providers commonly abused by Russia-linked actors.
- Rotate credentials, session tokens, and delegation grants across any tenant touching the affected accounts, and review mailbox forwarding rules for attacker-planted persistence.
- Coordinate with national CERT and NATO CCDCOE to share IOCs and correlate with parallel intrusions across allied defense ministries.
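Two of the checklist items above (auditing sign-ins to sensitive mailboxes for legacy-protocol or out-of-pattern authentications, and reviewing inbox rules for attacker-planted forwarding) are concrete enough to script. The following is an added triage example, not code from the article or from any Greek or NATO body; the CSV sign-in export and the rule records are constructed samples with assumed field names, loosely modelled on cloud mailbox audit exports rather than any vendor's exact schema, and the mailbox addresses and domains are placeholders.

```python
"""Triage helpers for mailbox-compromise review (added example, constructed data).

flag_suspicious_signins(): flags sign-ins to watched mailboxes that used a legacy
protocol, a non-phishing-resistant credential, or came from an unexpected country.
flag_forwarding_rules(): flags enabled inbox rules that forward mail outside the
organisation, a common persistence mechanism after a mailbox takeover.
"""
import csv
import io

# Client labels treated as legacy/basic authentication. These labels are an
# assumption for the constructed sample, not a specific vendor's enumeration.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients", "Exchange ActiveSync"}
PHISHING_RESISTANT = {"FIDO2", "Certificate"}

# Constructed sample sign-in export (placeholder domain "mod.example").
SAMPLE_SIGNINS = """\
timestamp,account,client_app,auth_method,country
2024-03-01T08:12:00Z,attache.india@mod.example,Outlook,FIDO2,IN
2024-03-01T23:41:00Z,attache.india@mod.example,IMAP4,Password,NL
2024-03-02T02:07:00Z,attache.bosnia@mod.example,Other clients,Password,DE
2024-03-02T09:15:00Z,mentalhealth@mod.example,Browser,FIDO2,GR
2024-03-03T04:55:00Z,attache.bosnia@mod.example,Authenticated SMTP,Password,DE
"""

# Expected sign-in country per watched mailbox. Attaché posts are abroad, so the
# "home" country differs per account; the mapping is part of the constructed sample.
WATCHED_ACCOUNTS = {
    "attache.india@mod.example": "IN",
    "attache.bosnia@mod.example": "BA",
    "mentalhealth@mod.example": "GR",
}

# Constructed sample of inbox rules. Attacker-planted rules frequently carry a
# near-empty name (".", "-") so they are easy to overlook in a rule list.
SAMPLE_RULES = [
    {"mailbox": "attache.india@mod.example", "name": "Archive",
     "forward_to": "archive@mod.example", "enabled": True},
    {"mailbox": "attache.india@mod.example", "name": ".",
     "forward_to": "backup.mail7@relay-host.example", "enabled": True},
    {"mailbox": "mentalhealth@mod.example", "name": "Old rule",
     "forward_to": "someone@webmail.example", "enabled": False},
]


def flag_suspicious_signins(csv_text, watched_accounts):
    """Return a list of findings, one per sign-in row that trips at least one rule.

    watched_accounts maps mailbox -> expected country code. Rows for unwatched
    mailboxes are ignored so the output stays focused on the sensitive tier.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        expected_country = watched_accounts.get(row["account"])
        if expected_country is None:
            continue
        reasons = []
        if row["client_app"] in LEGACY_CLIENTS:
            reasons.append("legacy protocol: " + row["client_app"])
        if row["auth_method"] not in PHISHING_RESISTANT:
            reasons.append("non-phishing-resistant auth: " + row["auth_method"])
        if row["country"] != expected_country:
            reasons.append(f"sign-in from {row['country']}, expected {expected_country}")
        if reasons:
            findings.append({"timestamp": row["timestamp"],
                             "account": row["account"], "reasons": reasons})
    return findings


def flag_forwarding_rules(rules, internal_domains):
    """Return findings for enabled rules forwarding to a domain outside internal_domains."""
    findings = []
    for rule in rules:
        if not rule["enabled"]:
            continue
        domain = rule["forward_to"].rsplit("@", 1)[-1].lower()
        if domain in internal_domains:
            continue
        reasons = ["forwards externally to " + domain]
        # Names consisting only of punctuation or whitespace are a second signal.
        if len(rule["name"].strip(".-_ ")) <= 1:
            reasons.append("near-empty rule name")
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_signins(SAMPLE_SIGNINS, WATCHED_ACCOUNTS):
        print("SIGN-IN", f["timestamp"], f["account"], "; ".join(f["reasons"]))
    for f in flag_forwarding_rules(SAMPLE_RULES, {"mod.example"}):
        print("RULE", f["mailbox"], repr(f["rule"]), "; ".join(f["reasons"]))
```

On the constructed sample the sign-in check flags three rows (two IMAP/SMTP password logins and one "Other clients" login, all from countries other than the account's posting) and the rule check flags the single enabled rule that forwards to an external relay host under a one-character name. In a real review, the expected-country map and the legacy-client labels would come from the tenant's own HR postings data and sign-in schema.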
Sources: Russia-linked hackers breached 27 email accounts at Greek military headquarters | eKathimerini.com