Romania's Defense Ministry confirmed on April 15, 2026 that Russia-linked threat actors compromised at least 67 Romanian Air Force email accounts as part of a wider campaign that breached 284 inboxes across Ukraine, Bulgaria, Greece, Serbia, and Romania between September 2024 and March 2026. The intrusion was first detected by Romanian authorities in March 2025 and reportedly contained within 24 hours.
What Happened
Researchers at Ctrl-Alt-Intel, a British-American cyber threat collective, discovered the operation after the attackers themselves accidentally exposed stolen data on the open internet. Reuters and independent researchers subsequently verified the findings. The campaign targeted military and prosecutorial bodies across NATO's eastern flank and Ukraine, with the Romanian Air Force accounts representing one of the largest single-victim clusters outside Ukraine. Romania's Defense Ministry (MApN) acknowledged the breach publicly (as reported by the national news agency Agerpres) and stated that cybersecurity functions were fully centralized under the ministry from March 2026 to prevent a recurrence.
What Was Taken
At least 67 Romanian Air Force mailboxes were accessed. According to MApN, the compromised accounts held only unclassified data used for routine administrative correspondence and the circulation of publicly available information. The ministry asserts that no classified material was accessible or exfiltrated from these inboxes. Across the broader campaign, at least 284 email accounts were breached, including those of Ukraine's Specialized Defense Prosecutor's Office, the Asset Recovery and Management Agency of Ukraine (ARMA), the Prosecutors' Training Center in Kyiv, and more than a dozen additional European agencies and officials.
Why It Matters
The campaign demonstrates a sustained Russian intelligence interest in NATO's southeastern flank, particularly states bordering Ukraine and the Black Sea. Even unclassified administrative mail gives an adversary organizational charts, personnel rosters, logistics patterns, vendor relationships, and travel schedules, all of which feed follow-on targeting, social engineering, and counterintelligence operations. The simultaneous targeting of Ukrainian anti-corruption and asset-recovery bodies suggests a dual objective: degrading Ukraine's wartime accountability institutions while mapping the NATO militaries adjacent to the conflict. The accidental data exposure by the attackers themselves is a rare operational security failure that gave defenders unusually clear visibility into victim selection.
The Attack Technique
No initial access vector has been publicly disclosed in the reporting to date, so what follows is inference, not a confirmed technique. The 18-month operational window (September 2024 through March 2026) and the volume of compromised mailboxes are consistent with credential-based intrusions against cloud or hosted email environments, the pattern typical of Russia-aligned espionage clusters that rely on phishing, password spraying, token theft, and abuse of legacy authentication protocols that cannot enforce MFA. The attackers maintained access long enough to harvest substantial mailbox content before their own infrastructure leaked the stolen data publicly.
What Organizations Should Do
- Enforce phishing-resistant MFA (FIDO2/WebAuthn) on all mailboxes, prioritizing defense, government, and prosecutorial users.
- Disable basic/legacy authentication (IMAP, POP3, SMTP AUTH, and any other client that cannot use modern authentication), since these paths bypass MFA entirely, and audit conditional access policies for gaps.
- Hunt retroactively for anomalous mailbox sign-ins, suspicious inbox rules, OAuth app consents, and bulk message access dating back to September 2024.
- Treat unclassified administrative mail as sensitive: restrict external forwarding, apply DLP to attachments, and segment service accounts.
- Monitor public paste sites, Telegram channels, and threat-intel feeds for leaked credentials and exposed mailbox dumps tied to your domain.
- Centralize identity, logging, and incident response under a single accountable cyber authority, mirroring the consolidation MApN implemented post-incident.
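As an added illustration of the retroactive hunt in the list above, the following script is not from the Reuters or Romania Insider reporting and is not MApN's tooling. It runs three checks over a constructed log: successful sign-ins over legacy protocols, password spraying (one source IP failing credentials against many distinct accounts in a short window), and inbox rules that forward externally, delete mail, or carry an evasive name. Record shapes are simplified versions of Entra ID sign-in events and Microsoft 365 unified audit log entries; the field names, the internal domain, the user names, and the sample records are all assumptions made for this example.

```python
"""Hunt for mailbox-compromise indicators over constructed sample records.

Record shapes are simplified versions of Entra ID sign-in events and
Microsoft 365 unified audit log entries (field names are assumptions,
not a guarantee of the real schemas). The sample log is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Client types Entra ID reports for legacy (non-modern) authentication.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
INTERNAL_DOMAINS = {"af.example.ro"}   # constructed: forwarding elsewhere counts as external
ERR_BAD_PASSWORD = 50126               # Entra ID: invalid username or password

SAMPLE_LOG = r"""
{"type": "signin", "createdDateTime": "2024-10-03T02:14:00Z", "userPrincipalName": "ion.popescu@af.example.ro", "ipAddress": "198.51.100.7", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"type": "signin", "createdDateTime": "2024-10-03T02:15:10Z", "userPrincipalName": "user1@af.example.ro", "ipAddress": "203.0.113.9", "clientAppUsed": "Other clients", "status": {"errorCode": 50126}}
{"type": "signin", "createdDateTime": "2024-10-03T02:15:40Z", "userPrincipalName": "user2@af.example.ro", "ipAddress": "203.0.113.9", "clientAppUsed": "Other clients", "status": {"errorCode": 50126}}
{"type": "signin", "createdDateTime": "2024-10-03T02:16:05Z", "userPrincipalName": "user3@af.example.ro", "ipAddress": "203.0.113.9", "clientAppUsed": "Other clients", "status": {"errorCode": 50126}}
{"type": "signin", "createdDateTime": "2024-10-03T02:16:30Z", "userPrincipalName": "user4@af.example.ro", "ipAddress": "203.0.113.9", "clientAppUsed": "Other clients", "status": {"errorCode": 50126}}
{"type": "signin", "createdDateTime": "2024-10-03T02:17:02Z", "userPrincipalName": "user5@af.example.ro", "ipAddress": "203.0.113.9", "clientAppUsed": "Other clients", "status": {"errorCode": 50126}}
{"type": "signin", "createdDateTime": "2024-10-03T02:17:45Z", "userPrincipalName": "user6@af.example.ro", "ipAddress": "203.0.113.9", "clientAppUsed": "Other clients", "status": {"errorCode": 50126}}
{"type": "signin", "createdDateTime": "2024-10-03T02:30:00Z", "userPrincipalName": "maria.ionescu@af.example.ro", "ipAddress": "192.0.2.44", "clientAppUsed": "Browser", "status": {"errorCode": 50126}}
{"type": "signin", "createdDateTime": "2024-10-03T02:31:00Z", "userPrincipalName": "maria.ionescu@af.example.ro", "ipAddress": "192.0.2.44", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"type": "audit", "CreationTime": "2024-10-03T02:20:00Z", "Operation": "New-InboxRule", "UserId": "ion.popescu@af.example.ro", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "archive@mail-relay.example"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"type": "audit", "CreationTime": "2024-10-03T09:00:00Z", "Operation": "New-InboxRule", "UserId": "maria.ionescu@af.example.ro", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "News"}]}
{"type": "audit", "CreationTime": "2024-10-03T09:05:00Z", "Operation": "Set-InboxRule", "UserId": "ion.popescu@af.example.ro", "Parameters": [{"Name": "Name", "Value": "Archive"}, {"Name": "ForwardAsAttachmentTo", "Value": "ion.popescu@af.example.ro"}]}
"""


def parse_log(text):
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def legacy_auth_signins(records):
    """Successful sign-ins over legacy protocols: these paths cannot enforce MFA."""
    hits = {(r["userPrincipalName"], r["clientAppUsed"]) for r in records
            if r.get("type") == "signin" and r["clientAppUsed"] in LEGACY_CLIENTS
            and r["status"]["errorCode"] == 0}
    return sorted(hits)


def password_spray_sources(records, min_users=5, window=timedelta(minutes=10)):
    """Source IPs with bad-password failures for >= min_users distinct accounts inside a sliding window."""
    by_ip = defaultdict(list)
    for r in records:
        if r.get("type") == "signin" and r["status"]["errorCode"] == ERR_BAD_PASSWORD:
            ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
            by_ip[r["ipAddress"]].append((ts, r["userPrincipalName"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = len(users)
                break
    return flagged


def suspicious_inbox_rules(records):
    """Rules that forward outside the org, delete mail, or hide behind a one-character name."""
    findings = []
    for r in records:
        if r.get("type") != "audit" or r["Operation"] not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        params = {p["Name"]: p["Value"] for p in r["Parameters"]}
        reasons = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            target = params.get(key, "")
            if target and target.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                reasons.append(f"{key} external: {target}")
        if params.get("DeleteMessage") == "True":
            reasons.append("DeleteMessage")
        if len(params.get("Name", "").strip()) <= 1:
            reasons.append("evasive rule name")
        if reasons:
            findings.append((r["UserId"], reasons))
    return findings


def hunt(log_text):
    records = parse_log(log_text)
    return {"legacy_auth": legacy_auth_signins(records),
            "spray_sources": password_spray_sources(records),
            "inbox_rules": suspicious_inbox_rules(records)}


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_LOG), indent=2))
```

In a real environment the same logic would be pointed at exported sign-in and audit data spanning the full campaign window rather than a snapshot; the spray check deliberately keys on one source IP hitting many accounts, because per-account lockout thresholds never trip on a low-and-slow spray.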
Sources: Reuters: Russian hackers gained access to dozens of Romanian Air Force emails | Romania Insider