Russian-linked threat actors compromised at least 67 email accounts belonging to the Romanian Air Force as part of a broader espionage campaign targeting NATO and Balkan military and law enforcement institutions. Romania's Defense Ministry confirmed the breach on April 15, 2026. The operation, which ran from September 2024 through March 2026, compromised a total of 284 inboxes across Romania, Ukraine, Bulgaria, Greece, and Serbia, according to data analyzed by Reuters and the Ctrl-Alt-Intel research collective.

What Happened

Between September 2024 and March 2026, hackers with ties to Russia systematically breached email accounts across multiple Eastern European and Balkan nations. The campaign's scope was first revealed when the attackers themselves accidentally exposed operational data on the open internet. Ctrl-Alt-Intel, a collective of British and American cyber threat researchers, discovered the leak and published initial findings on their blog. Reuters subsequently verified the data with independent researchers.

Romanian authorities first detected the intrusion in March 2025 and say they isolated the compromised accounts within 24 hours. The broader campaign also targeted Ukraine's Specialized Defense Prosecutor's Office, a wartime anti-corruption body; Ukraine's Asset Recovery and Management Agency (ARMA), which manages assets seized from Russian collaborators; and the Prosecutors' Training Center in Kyiv. More than a dozen European agencies and officials were compromised in total.

What Was Taken

Romania's Defense Ministry stated that the 67 compromised Air Force email accounts contained no classified data. According to the ministry, the accounts were used strictly for administrative activities and circulation of public information: "The targeted data were unclassified, used routinely for administrative activities and for the circulation of public information, so there was no possibility of accessing or exfiltrating classified data."

However, unclassified military email still carries significant intelligence value. Administrative correspondence can reveal personnel names and roles, unit organizational structures, operational tempo, logistics details, scheduling patterns, and internal communication norms. For a sophisticated adversary, this metadata is raw material for social engineering, spear-phishing, and building target profiles for future intrusions deeper into classified networks.

The Ukrainian targets are arguably more sensitive. Access to the Defense Prosecutor's Office could expose active counterintelligence investigations and the identities of individuals suspected of spying for Russia within the Ukrainian military.

Why It Matters

This campaign underscores several strategic realities for defenders across NATO's eastern flank. First, Russia-linked cyber operations continue to treat the broader Black Sea and Balkan region as a unified target set. Romania, Bulgaria, Greece, and Serbia were hit alongside Ukraine, suggesting the actors view NATO-adjacent nations as part of the same intelligence collection priority.

Second, the compromise of wartime anti-corruption and counterintelligence bodies in Ukraine is operationally dangerous. If investigators' communications were exposed, active cases against Russian agents inside Ukraine's military could be burned, and sources could be identified and targeted.

Third, the attackers' own operational security failure, accidentally exposing their collected data, is a reminder that even state-linked groups make mistakes. Defenders and researchers should actively hunt for inadvertently exposed adversary infrastructure and exfiltrated data sets.

The Attack Technique

Specific technical details of the initial access vector have not been publicly disclosed. The scale of the operation (284 inboxes across multiple countries and agencies) and the targeting of email accounts specifically suggest a credential-based campaign, likely involving spear-phishing, credential harvesting via spoofed login pages, or exploitation of email platform vulnerabilities.

The 18-month operational window (September 2024 through March 2026, with Romania detecting its own intrusion in March 2025) indicates the actors maintained persistent access and expanded their footprint methodically. The geographic and institutional diversity of victims points to either a shared infrastructure vulnerability, such as a common webmail platform, or a well-resourced team running parallel phishing operations tailored to each target organization.

Romania's post-incident decision to fully centralize cybersecurity under the Defense Ministry suggests that fragmented security oversight across military branches may have contributed to the breach.

What Organizations Should Do

Organizations in NATO and partner nations, particularly military, law enforcement, and judicial bodies in Eastern Europe, should take the following steps:

Sources: Reuters: Russian hackers gained access to dozens of Romanian Air Force emails | Romania Insider