What happened
A security lapse exposed an active espionage server operated by the Russia-linked threat group FancyBear, revealing large volumes of stolen data tied to ongoing cyber operations. Researchers from Hunt.io uncovered an open directory tied to a campaign tracked as Operation Roundish, which had been running for over a year. The exposed infrastructure contained approximately 2,800 stolen emails, 240 credential sets including passwords and 2FA secrets, and thousands of harvested contact records from government and military targets across Europe. The server, hosted on a NameCheap VPS, had been publicly attributed to FancyBear as early as 2024 but remained active for over 500 days. Analysts also discovered command-and-control source code, telemetry logs, and additional payloads, providing a detailed view into the group's operations. Victims included organizations across Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia, including contacts linked to NATO infrastructure.
Who is affected
Government, military, and related organizations across multiple European countries are affected, particularly those whose credentials, emails, and contact data were collected through the exposed infrastructure.
Why CISOs should care
The exposure demonstrates how operational security failures by advanced threat actors can still result in large-scale credential theft and intelligence collection across sensitive government and defense networks.
3 practical actions
- Reset exposed credentials immediately. Compromised passwords and 2FA secrets were recovered from the exposed server.
- Audit email forwarding rules. The campaign used silent forwarding rules to maintain access to victim communications.
- Monitor for reuse of stolen data. Harvested contacts and credentials may be used in follow-on phishing or intrusion attempts.
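As an added illustration of the forwarding-rule audit above (example code written for this page, not from the original brief or from Hunt.io): a small Python checker that runs over a constructed inbox-rule export and flags enabled rules forwarding mail to external domains, rating a rule high when it also hides the message from the mailbox owner. The JSON field names and the example.gov domain are assumptions.

```python
import json

# Constructed sample export of mailbox inbox rules (not data from the incident).
# The field names are an assumption; a real Exchange Online or Google Workspace
# export has its own schema and would need a small mapping step first.
SAMPLE_RULES_JSON = """[
 {"mailbox": "analyst@example.gov", "name": "Archive newsletters", "enabled": true,
  "forward_to": [], "delete_message": false, "mark_as_read": false},
 {"mailbox": "analyst@example.gov", "name": "Sync", "enabled": true,
  "forward_to": ["collector@mail-example.net"], "delete_message": true, "mark_as_read": true},
 {"mailbox": "clerk@example.gov", "name": "Copy to shared box", "enabled": true,
  "forward_to": ["shared@example.gov"], "delete_message": false, "mark_as_read": false},
 {"mailbox": "officer@example.gov", "name": "Old rule", "enabled": false,
  "forward_to": ["x@attacker-example.org"], "delete_message": true, "mark_as_read": false}
]"""

INTERNAL_DOMAINS = {"example.gov"}  # assumption: the organisation's own mail domains


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the recipient's domain is not one of the organisation's own."""
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def audit_forwarding_rules(rules_json, internal_domains=INTERNAL_DOMAINS):
    """Flag enabled rules that forward mail outside the organisation.

    A finding is rated 'high' when the rule also hides the forwarded message
    from the mailbox owner (deletes it or marks it read), which is what makes
    a forwarding rule 'silent' and lets an intruder keep reading a victim's
    mail after the initial foothold is gone. Otherwise it is rated 'medium'.
    """
    findings = []
    for rule in json.loads(rules_json):
        if not rule.get("enabled", False):
            continue  # disabled rules are not actively leaking; skip them here
        external = [t for t in rule.get("forward_to", []) if is_external(t, internal_domains)]
        if not external:
            continue
        silent = bool(rule.get("delete_message") or rule.get("mark_as_read"))
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "external_targets": external,
                         "severity": "high" if silent else "medium"})
    return findings
```

Internal forwards and disabled rules are skipped so the output stays short enough to review by hand; a disabled rule pointing at an external address is still worth deleting during cleanup.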
