An operational security lapse by the Russian state-sponsored hacking group known as FancyBear has given researchers an unusually detailed view of an espionage campaign against government and military bodies across Europe, exposing the group's tooling, its targets and the data it had already stolen.
Exposed Operations and Initial Discoveries
On March 11, 2026, the threat intelligence firm Hunt.io disclosed details of Operation Roundish, a campaign it identified through an unsecured open directory first detected on January 13, 2026. FancyBear, also tracked as APT28, Forest Blizzard and Sednit, is attributed by the UK's NCSC to Russian military intelligence (GRU) Unit 26165.
The campaign, a covert webmail exploitation operation, became public only because the group failed to secure a NameCheap virtual private server in the U.S. at IP address 203.161.50.145. Although Ukraine's CERT-UA had already linked that server to FancyBear in September 2024, the group kept using it for more than 500 days afterwards.
Data Breach and Geopolitical Implications
Researchers found an open directory containing 2,800 government and military emails, 240 sets of credentials including passwords and TOTP 2FA secrets, and 11,500 contact addresses harvested from victims' address books. The directory also held command-and-control source code and exfiltrated data, pointing to a long-running, well-resourced espionage operation rather than an opportunistic intrusion.
Victims were located in Ukraine, Romania, Bulgaria, Greece, Serbia and North Macedonia. Email addresses linked to NATO headquarters were also among the stolen data, and Romanian and Greek military and government entities were among those compromised: a target set that reflects deliberate geopolitical selection and intelligence collection as the operation's purpose.
Stealing TOTP 2FA Secrets from Webmail Sessions
The most worrying capability was the theft of second-factor secrets without detection. A JavaScript module named keyTwoAuth.js ran inside the victim's already-authenticated Roundcube session and extracted the account's TOTP secret from there, so no further action by the user was needed and no login prompt or push notification was triggered. Because TOTP is a shared-secret scheme, anyone holding that seed can compute valid codes for as long as the seed stays in use; the password reset that normally follows a breach does nothing to close this access.
Analysis by Ctrl-Alt-Intel found 516 log entries under the ktfu prefix, covering 256 accounts whose TOTP secrets were stolen, including accounts at Romania's Air Force, Greece's GEETHA (the Hellenic National Defence General Staff) and Serbia's Ministry of Defence. Organizations running Roundcube with the twofactor_gauthenticator plugin should treat their existing TOTP secrets as compromised: generate new seeds and re-enrol users' authenticator apps rather than only resetting passwords, and do so only after the webmail server has been patched and any injected script removed, otherwise the new seeds can be stolen the same way.
Defensive Measures and Future Outlook
To defend against this kind of intrusion, organizations should audit email-filtering rules for entries users did not create, in particular rules that forward or redirect mail to external addresses, and block connections to IP address 203.161.50.145 and the domain zhblz.com. Patching Roundcube vulnerabilities such as CVE-2023-43770, a cross-site scripting flaw, and monitoring incoming mail for XSS injection attempts are just as important, since stored XSS in the webmail interface is the usual way a script like keyTwoAuth.js gets into a user's session in the first place.
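The two checks above, the filter-rule audit and the indicator match, can be scripted. The following is an added example and not code from the article or from the Roundcube project: it scans a user's Sieve script (the format Roundcube's managesieve plugin stores) for `redirect` actions pointing outside the organization's own domains, and scans webmail access-log lines in combined log format for the IP and domain the report names. The sample Sieve script, the log lines, the internal domain `mod.example` and the external address `collector@mail-sync.example` are constructed for the demonstration.

```python
import re

# Indicators named in the report; extend from your own threat-intel feed.
IOC_IPS = {"203.161.50.145"}
IOC_DOMAINS = {"zhblz.com"}

# Sieve redirect action, with or without the :copy tag:  redirect [:copy] "address";
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:copy)?\s+"([^"]+)"', re.IGNORECASE)


def audit_sieve(script: str, internal_domains: set) -> list:
    """List every redirect in a Sieve script whose target domain is not one of ours."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        if line.lstrip().startswith("#"):  # Sieve line comment (rule names live here)
            continue
        for m in REDIRECT_RE.finditer(line):
            target = m.group(1)
            domain = target.rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                findings.append({"line": lineno, "target": target,
                                 "known_ioc": domain in IOC_DOMAINS})
    return findings


# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def scan_access_log(lines, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS) -> list:
    """Flag log lines whose client IP, request line or Referer matches a known indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["ip"] in ioc_ips:
            reasons.append("client-ip")
        for field in ("req", "referer"):
            if any(d in m[field].lower() for d in ioc_domains):
                reasons.append(field)
        if reasons:
            hits.append({"ip": m["ip"], "request": m["req"], "reasons": reasons})
    return hits


# Constructed sample: a script in the layout Roundcube's managesieve plugin writes.
SAMPLE_SIEVE = """\
require ["fileinto", "copy"];
# rule:[Newsletters]
if header :contains "subject" "newsletter" {
    fileinto "Newsletters";
}
# rule:[Sync]
if header :contains "subject" ["contract", "meeting"] {
    redirect :copy "collector@mail-sync.example";
    stop;
}
"""

# Constructed sample log lines; only the IP and domain come from the report.
SAMPLE_LOG = [
    '10.20.0.7 - - [13/Jan/2026:08:02:11 +0000] "GET /?_task=mail&_mbox=INBOX HTTP/1.1" 200 18233 "-" "Mozilla/5.0"',
    '203.161.50.145 - - [13/Jan/2026:08:02:40 +0000] "POST /?_task=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.20.0.9 - - [13/Jan/2026:08:03:05 +0000] "GET /skins/elastic/ui.js HTTP/1.1" 200 4410 "https://zhblz.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in audit_sieve(SAMPLE_SIEVE, {"mod.example"}):
        print("suspicious redirect:", f)
    for h in scan_access_log(SAMPLE_LOG):
        print("ioc hit:", h)
```

Run `audit_sieve` over every user's active script (`sieve-test` or a managesieve client can dump them) rather than only the accounts known to be affected; a forwarding rule planted before the seed theft survives both a password reset and a 2FA re-enrolment. Treat the IP and domain match as a starting point only: the server was already attributed in 2024 and the group will not keep using burned infrastructure.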
As cyber threats evolve, ongoing vigilance and proactive security measures remain paramount.
