Russia-linked hackers compromised more than 170 email accounts belonging to prosecutors and investigators across Ukraine over an 18-month span, according to data reviewed by Reuters and first uncovered by Ctrl-Alt-Intel, a collective of British and American cyber threat researchers. The campaign, attributed to the GRU-linked threat group Fancy Bear (APT28), also struck military and government targets in Romania, Greece, Bulgaria, and Serbia, bringing the confirmed total to at least 284 compromised inboxes between September 2024 and March 2026.
What Happened
Fancy Bear conducted a sustained credential-targeting operation against Ukrainian law enforcement email infrastructure, focusing on prosecutors and investigators responsible for corruption cases and identifying Russian collaborators inside Ukraine. The operation was exposed not by defenders but by the attackers themselves: the hackers left server-side logs and stolen data accessible on the open internet, an operational security failure that gave researchers direct visibility into the campaign's scope and success rate.
Ctrl-Alt-Intel discovered the exposed infrastructure and published initial findings in a March 2026 blog post. Reuters subsequently reviewed the underlying data and confirmed the identities of more than a dozen compromised European agencies and officials. Two independent researchers validated Ctrl-Alt-Intel's attribution, including Matthieu Faou of ESET, a firm with deep visibility into APT28 operations in Eastern Europe.
The campaign extended well beyond Ukraine. Victims in NATO member states Romania, Greece, and Bulgaria, as well as Serbia, had military and government email accounts compromised through the same infrastructure, indicating a broader intelligence collection mission across southeastern Europe.
What Was Taken
The exposed server contained thousands of stolen emails and operational logs documenting each successful compromise. Given the victim profile, the likely intelligence haul includes:
- Internal case files on corruption investigations and prosecutions of Russian collaborators within Ukraine
- Communications between prosecutors revealing investigative priorities, witness identities, and evidentiary strategies
- Cross-border coordination with European counterparts on war crimes or sanctions enforcement matters
- Military and government correspondence from NATO-adjacent targets in the Balkans and southeastern Europe
The precise volume of exfiltrated data has not been publicly quantified, but the 284 confirmed compromises over 18 months represent a significant and sustained collection effort.
Why It Matters
This campaign sits at the intersection of espionage and wartime counterintelligence. Ukraine's prosecutors are not conventional intelligence targets. They are the officials identifying and prosecuting individuals collaborating with Russia inside Ukrainian territory. Compromising their communications gives Moscow advance warning of investigations, insight into evidence-gathering methods, and the ability to tip off or extract assets before they are exposed.
The targeting of NATO-member prosecutors and military officials in Romania, Greece, and Bulgaria also signals that Russia's intelligence priorities extend to understanding how allied nations are coordinating on Ukraine-related enforcement and military posture in the Black Sea region.
For defenders, the exposed infrastructure is a rare gift. Operational logs from a state-sponsored campaign provide ground truth on targeting patterns, success rates, and technique evolution that is almost never available at this fidelity.
The Attack Technique
While the full technical chain has not been publicly detailed, Fancy Bear's established playbook and the nature of the compromises point to credential phishing as the primary intrusion vector. APT28 has a well-documented history of:
- Spearphishing emails crafted to impersonate legitimate login portals for government webmail systems
- Credential harvesting pages hosted on attacker-controlled infrastructure, often using typosquatted or lookalike domains
- OAuth token abuse against cloud-based email platforms, allowing persistent access without needing the victim's password after initial authorization
- Exploitation of email platform vulnerabilities, as seen in past APT28 campaigns against Roundcube and Zimbra deployments common in government environments
The scale of the operation (284 accounts across multiple countries) suggests an automated or semi-automated phishing pipeline rather than bespoke, one-at-a-time targeting. The operational logs left on the exposed server likely contain the specific lure content and infrastructure details, which researchers may publish in subsequent reporting.
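The lookalike-domain technique listed above is also the one defenders can check for most cheaply on their own side. The following is an added example written for this article, not code from Ctrl-Alt-Intel, ESET, or Reuters, and it makes no claim about the actual domains used in this campaign. It takes a list of the webmail hostnames an organization genuinely uses (the `LEGIT_PORTALS` values here are hypothetical) and flags hostnames from a DNS query log that resemble them: digit-for-letter and Cyrillic homoglyph swaps, small edit distances, the real hostname embedded as a subdomain under another parent, or the brand label reused in a different registered domain. The log lines are constructed.

```python
# Added defensive example; hostnames, log lines and LEGIT_PORTALS are constructed/hypothetical.
LEGIT_PORTALS = ["mail.example-gov.ua", "webmail.example-gov.ua"]

# A small subset of characters and digraphs commonly swapped for visually similar ones.
# Folding is deliberately lossy (e.g. "rn" -> "m"), so it is a triage signal, not proof.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p"}


def fold_confusables(host):
    """Lower-case the host and map lookalike characters to their ASCII counterparts."""
    h = host.lower().rstrip(".")
    for src, dst in CONFUSABLES.items():
        h = h.replace(src, dst)
    return h


def levenshtein(a, b):
    """Classic edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(host):
    """Second-to-last label ('example-gov' in 'mail.example-gov.ua'); naive, no public-suffix list."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_host(host, legit=LEGIT_PORTALS):
    """Return (verdict, reason); verdict is 'legit', 'lookalike' or 'unrelated'."""
    raw = host.lower().rstrip(".")
    if raw in legit:
        return "legit", "exact match"
    folded = fold_confusables(raw)
    for portal in legit:
        if folded == portal:
            return "lookalike", f"homoglyph of {portal}"
        # The genuine hostname used as a subdomain prefix under a different parent domain.
        if raw.startswith(portal + "."):
            return "lookalike", f"{portal} embedded under another parent domain"
        dist = levenshtein(folded, portal)
        if dist <= 2:
            return "lookalike", f"edit distance {dist} from {portal}"
        if brand_label(portal) in folded:
            return "lookalike", f"reuses brand label '{brand_label(portal)}'"
    return "unrelated", "no resemblance"


def flag_dns_log(lines):
    """Scan log lines of the form '<timestamp> <client-ip> <qname>' and return (qname, reason) hits."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the sweep
        qname = parts[2]
        verdict, reason = classify_host(qname)
        if verdict == "lookalike":
            flagged.append((qname, reason))
    return flagged


SAMPLE_DNS_LOG = [  # constructed sample, not real traffic
    "2025-10-02T09:01:12Z 10.0.4.21 mail.example-gov.ua",
    "2025-10-02T09:03:40Z 10.0.4.21 mail.examp1e-gov.ua",
    "2025-10-02T09:04:02Z 10.0.4.33 mail.example-gov.ua.login-verify.net",
    "2025-10-02T09:05:55Z 10.0.4.33 www.reuters.com",
    "2025-10-02T09:07:19Z 10.0.4.58 example-gov-ua.com",
]

if __name__ == "__main__":
    for qname, reason in flag_dns_log(SAMPLE_DNS_LOG):
        print(f"SUSPECT {qname}: {reason}")
```

Run against real DNS or proxy logs, the hits are a starting point for the infrastructure hunt recommended later in the article; expect false positives from the lossy folding and from legitimate third-party services that carry the brand name, and tune the edit-distance threshold to the length of your own hostnames.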
Who Is Fancy Bear
Fancy Bear, also tracked as APT28, Sofacy, Sednit, Forest Blizzard, and STRONTIUM, is attributed to Unit 26165 of Russia's GRU (Main Intelligence Directorate). The group has been active since at least 2004 and is one of the most prolific state-sponsored cyber espionage actors globally. Notable past operations include the 2016 Democratic National Committee breach, targeting of the Organization for the Prohibition of Chemical Weapons (OPCW), and persistent campaigns against European defense and government institutions. The U.S. Department of Justice has indicted GRU officers tied to Unit 26165 by name.
What Organizations Should Do
- Audit email access logs for anomalous login locations, unusual OAuth grants, and mail forwarding rules that could indicate silent exfiltration. Prosecutors and legal agencies in Ukraine and NATO countries should treat this as an active threat.
- Enforce phishing-resistant MFA such as hardware security keys (FIDO2/WebAuthn) on all email accounts. SMS and app-based OTP codes remain vulnerable to real-time phishing proxies that APT28 is known to deploy.
- Hunt for known APT28 infrastructure indicators published by Ctrl-Alt-Intel and cross-reference with your DNS, proxy, and email gateway logs going back to September 2024.
- Restrict OAuth application consent to pre-approved applications only. Disable user self-service OAuth grants for government email tenants to prevent token-based persistence.
- Conduct targeted awareness training for prosecutors, investigators, and legal staff, emphasizing that credential phishing campaigns will impersonate the exact webmail portals they use daily.
- Segment and encrypt sensitive case files so that email compromise alone does not yield full access to investigative materials, witness identities, or classified evidence.
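The first recommendation above (audit access logs for anomalous logins, unexpected OAuth grants, and forwarding rules) can be turned into a small triage pass over exported audit events. What follows is an added example for this article, not code from any vendor or from the researchers cited; the event schema, users, IP addresses, application ids and policy sets are all constructed and hypothetical, so the field names would need mapping to whatever your mail platform actually exports. It applies four checks: sign-in from a country outside the tenant's expected set, two countries for one user inside a short window, a forwarding rule pointing outside internal domains, and an OAuth consent to an application not on the approved list.

```python
from datetime import datetime, timedelta

# Added detection example; schema, users, IPs, app ids and policy sets are constructed/hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T08:02:11Z", "user": "prosecutor1@example-gov.ua", "type": "login",
     "ip": "203.0.113.10", "country": "UA"},
    {"ts": "2025-11-03T08:40:00Z", "user": "prosecutor1@example-gov.ua", "type": "login",
     "ip": "198.51.100.7", "country": "NL"},
    {"ts": "2025-11-03T08:41:30Z", "user": "prosecutor1@example-gov.ua",
     "type": "forwarding_rule_created", "target": "archive.backup@example-mail.net"},
    {"ts": "2025-11-03T09:15:00Z", "user": "investigator2@example-gov.ua", "type": "oauth_consent",
     "app_id": "app-7f3c", "app_name": "Mail Sync Helper", "scopes": ["mail.read", "mail.send"]},
    {"ts": "2025-11-03T10:00:00Z", "user": "investigator2@example-gov.ua", "type": "login",
     "ip": "203.0.113.44", "country": "UA"},
    {"ts": "2025-11-03T10:05:00Z", "user": "investigator2@example-gov.ua", "type": "oauth_consent",
     "app_id": "app-0001", "app_name": "Approved Calendar", "scopes": ["calendar.read"]},
]

EXPECTED_COUNTRIES = {"UA"}            # where this tenant's staff normally sign in
APPROVED_APPS = {"app-0001"}           # OAuth client ids vetted by the tenant administrator
INTERNAL_DOMAINS = {"example-gov.ua"}  # forwarding to any other domain is treated as exfiltration risk
TRAVEL_WINDOW = timedelta(hours=2)     # two countries inside this window is implausible travel


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def triage(events):
    """Return (user, signal, detail) tuples for events that match any of the four checks."""
    alerts = []
    last_login = {}  # user -> (timestamp, country) of the most recent sign-in
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO-8601 strings sort chronologically
        ts, user = parse_ts(e["ts"]), e["user"]
        if e["type"] == "login":
            country = e["country"]
            if country not in EXPECTED_COUNTRIES:
                alerts.append((user, "login_unexpected_country", f"{country} from {e['ip']}"))
            prev = last_login.get(user)
            if prev and prev[1] != country and ts - prev[0] <= TRAVEL_WINDOW:
                alerts.append((user, "impossible_travel", f"{prev[1]} -> {country} in {ts - prev[0]}"))
            last_login[user] = (ts, country)
        elif e["type"] == "forwarding_rule_created":
            domain = e["target"].rsplit("@", 1)[-1].lower()
            if domain not in INTERNAL_DOMAINS:
                alerts.append((user, "external_forwarding", e["target"]))
        elif e["type"] == "oauth_consent":
            if e["app_id"] not in APPROVED_APPS:
                alerts.append((user, "unapproved_oauth_grant",
                               f"{e['app_name']} ({e['app_id']}) scopes={sorted(e['scopes'])}"))
    return alerts


def signals_by_user(alerts):
    """Group signal names per user so correlated activity (odd login + new forwarding rule) stands out."""
    grouped = {}
    for user, signal, _ in alerts:
        grouped.setdefault(user, []).append(signal)
    return grouped


if __name__ == "__main__":
    for user, signal, detail in triage(SAMPLE_EVENTS):
        print(f"{user}: {signal}: {detail}")
```

The grouping step matters more than any single rule: a foreign sign-in followed minutes later by a new external forwarding rule for the same account is the pattern that turns a noisy geolocation alert into a credible sign of silent exfiltration, and it is worth reviewing as one incident rather than two tickets.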