FancyBear’s Security Lapse Reveals Extensive Espionage on European Governments and Military

In a significant operational security oversight, the Russian state-affiliated hacking group known as FancyBear has inadvertently exposed a comprehensive espionage campaign aimed at European governmental and military entities. This revelation offers an unprecedented glimpse into the group’s clandestine activities and methodologies.

On March 11, 2026, threat intelligence firm Hunt.io published its findings on a campaign it has designated Operation Roundish. The campaign was uncovered through an open directory first identified on January 13, 2026. FancyBear, also tracked as APT28, Forest Blizzard, and Sednit, is attributed by the UK’s National Cyber Security Centre (NCSC) to Unit 26165 of Russia’s GRU military intelligence service.

The campaign, which initially focused on exploiting webmail systems, had been active covertly for over a year. The exposure was caused by a misconfigured server: a NameCheap Virtual Private Server in the United States at IP address 203.161.50.145. Ukraine’s CERT-UA had publicly linked that server to FancyBear as early as September 2024, yet the group kept using the same infrastructure, unchanged, for more than 500 days after that attribution.

The open directory contained a large body of sensitive data, including:

– 2,800 exfiltrated emails from government and military accounts.

– 240 sets of stolen credentials, encompassing passwords and Time-based One-Time Password (TOTP) two-factor authentication (2FA) secrets.

– 140 covert email-forwarding rules.

– 11,500 contact addresses harvested from victims’ address books across multiple targeted nations.

Further analysis by Ctrl-Alt-Intel found a second exposed open directory on the same server that Hunt.io’s initial archive had not captured. It contained FancyBear’s complete command-and-control source code, additional JavaScript payloads, campaign telemetry logs, and further exfiltrated data, giving a near-complete picture of the operation.

The victims of this campaign spanned several countries, including Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia. Email addresses associated with four NATO member states, including NATO’s own headquarters infrastructure, were recovered directly from the stolen contact data.

The targeting pattern was evidently strategic. Ukrainian regional prosecutors, likely involved in war crimes investigations, constituted the largest victim group. Other compromised entities included Romania’s Air Force, Greece’s National Defence General Staff, Serbia’s Ministry of Defence, and various Bulgarian government bodies. Notably, Romania, Bulgaria, and Greece had entered into a military mobility agreement in July 2024, and Greece had been involved in training Ukrainian F-16 pilots. These factors strongly suggest that the target selection was intelligence-driven rather than opportunistic.

Exploitation of Two-Factor Authentication (2FA):

One of the most alarming technical findings was FancyBear’s method for silently extracting TOTP 2FA secrets from victims who believed their accounts were protected. The group deployed a JavaScript module named `keyTwoAuth.js` that ran entirely inside the victim’s already-authenticated Roundcube webmail session. It needed no further action, prompt, or separate login from the target: because its requests were issued from the victim’s own browser on the webmail origin, they carried the existing session and looked like ordinary user activity to the server.

Once the cross-site scripting (XSS) payload fired, `keyTwoAuth.js` requested Roundcube’s 2FA settings page for the `twofactorgauthenticator` plugin, parsed the returned HTML, and pulled out five hidden password fields: one TOTP secret and four recovery codes. It base64-encoded these values and sent them to FancyBear’s command-and-control server at `zhblz.com` under the log prefix `ktfu`. The recovery codes matter as much as the seed: each is a single-use substitute for a TOTP code, so they pass the second factor on their own.

Holding both the victim’s password and the TOTP seed, FancyBear could compute valid codes itself and pass the second factor without the victim ever knowing. TOTP is a symmetric scheme: the server and the authenticator app share the same seed, and every code is an HMAC of that seed over the current 30-second time step. Whoever copies the seed once can produce every future code, so a single exfiltration amounts to a permanent 2FA bypass that generates no re-enrollment or new-device event for the victim to notice.

Implications and Recommendations:

The exposure of FancyBear’s server and the subsequent analysis of their operations provide critical insights into the group’s tactics, techniques, and procedures. The deliberate targeting of specific governmental and military entities highlights the strategic nature of their espionage activities.

Organizations, particularly those in the government and defense sectors, should take the following steps to mitigate such threats:

1. Enhance Security Awareness: Educate employees about the risks of phishing and social engineering attacks, which are often the initial vectors for such intrusions.

2. Adopt Phishing-Resistant Second Factors: TOTP depends on a shared seed that, as this campaign shows, can be read back out of a settings page. Prefer FIDO2/WebAuthn security keys or platform passkeys, whose private key never leaves the authenticator and is bound to the site’s origin, so neither a script running in the session nor a phishing page can extract or replay it. Where TOTP must remain, ensure the seed and recovery codes are never rendered back into the web UI after enrollment.

3. Regular Security Audits: Periodically review webmail and other critical systems for vulnerabilities such as XSS flaws, and keep Roundcube and its plugins patched; a single XSS in webmail is what allowed this payload to run with the victim’s own session. A restrictive Content-Security-Policy on the webmail origin limits what an injected script can load and where it can send data.

4. Monitor for Anomalous Activity: Alert on the creation or modification of email-forwarding rules, especially rules that redirect mail to domains outside the organisation or that keep a silent copy so the victim sees nothing missing, and on any read of or change to 2FA settings that does not coincide with an enrollment. Review unusual access patterns, such as sessions from unexpected networks, alongside these events.

5. Incident Response Planning: Develop and regularly update incident response plans to ensure swift action can be taken in the event of a security breach.

By adopting these measures, organizations can bolster their defenses against sophisticated adversaries like FancyBear and safeguard sensitive information from unauthorized access.