FancyBear Server Exposure Reveals Stolen Credentials and NATO-Linked Targets


What happened

A security lapse exposed an active espionage server operated by the Russia-linked threat group FancyBear, revealing large volumes of stolen data tied to ongoing cyber operations. Researchers from Hunt.io uncovered an open directory tied to a campaign tracked as Operation Roundish, which had been running for over a year. The exposed infrastructure contained approximately 2,800 stolen emails, 240 credential sets including passwords and 2FA secrets, and thousands of harvested contact records from government and military targets across Europe. The server, hosted on a NameCheap VPS, had been publicly attributed to FancyBear as early as 2024 but remained active for over 500 days. Analysts also discovered command-and-control source code, telemetry logs, and additional payloads, providing a detailed view into the group’s operations. Victims included organizations across Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia, including contacts linked to NATO infrastructure. 

Who is affected

Government, military, and related organizations across multiple European countries are affected, particularly those whose credentials, emails, and contact data were collected through the exposed infrastructure. 

Why CISOs should care

The exposure demonstrates how operational security failures by advanced threat actors can still result in large-scale credential theft and intelligence collection across sensitive government and defense networks. 

3 practical actions

  1. Reset exposed credentials immediately. Compromised passwords and 2FA secrets were recovered from the exposed server. 
  2. Audit email forwarding rules. The campaign used silent forwarding rules to maintain access to victim communications. 
  3. Monitor for reuse of stolen data. Harvested contacts and credentials may be used in follow-on phishing or intrusion attempts. 
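To make the second action concrete, here is an added Python audit (not from the article or from Hunt.io) that flags mailbox rules which quietly forward or redirect mail outside the organization. It assumes the rules have already been exported to a list of dicts using the field names of Exchange Online's Get-InboxRule output (ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MarkAsRead, Enabled, MailboxOwnerId, Name) and that the organization's own mail domains are known; the sample rules are constructed.

```python
"""Flag mailbox inbox rules that silently forward mail outside the organization.

Assumed input schema: one dict per rule, keyed like Exchange Online's
Get-InboxRule properties. Any export with the same field names works.
"""
import re

INTERNAL_DOMAINS = {"example.gov"}  # assumption: the organization's own mail domains
FORWARD_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")  # tolerates "Name <addr>" and "SMTP:addr"


def external_recipients(rule, internal_domains=INTERNAL_DOMAINS):
    """Return forwarding targets whose domain is not one of ours."""
    found = []
    for field in FORWARD_FIELDS:
        for target in rule.get(field) or []:
            for addr in EMAIL_RE.findall(target):
                if addr.rsplit("@", 1)[1].lower() not in internal_domains:
                    found.append(addr.lower())
    return found


def is_silent(rule):
    """'Silent' means the mailbox owner would not notice the copied mail:
    the original is deleted, marked read, or redirected away from the inbox."""
    return bool(rule.get("DeleteMessage") or rule.get("MarkAsRead") or rule.get("RedirectTo"))


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return (mailbox, rule name, severity, external targets) for enabled external-forwarding rules."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        targets = external_recipients(rule, internal_domains)
        if targets:
            severity = "high" if is_silent(rule) else "medium"
            findings.append((rule.get("MailboxOwnerId"), rule.get("Name"), severity, targets))
    return findings


# Constructed sample export: a benign internal forward, a silent external forward
# with a near-empty name, and a disabled rule that must be ignored.
SAMPLE_RULES = [
    {"MailboxOwnerId": "a.user@example.gov", "Name": "to assistant", "Enabled": True,
     "ForwardTo": ["Assistant <assistant@example.gov>"], "DeleteMessage": False},
    {"MailboxOwnerId": "a.user@example.gov", "Name": ".", "Enabled": True,
     "ForwardAsAttachmentTo": ["SMTP:collector@attacker-mail.example"],
     "DeleteMessage": True, "MarkAsRead": True},
    {"MailboxOwnerId": "b.user@example.gov", "Name": "old", "Enabled": False,
     "RedirectTo": ["someone@other.example"]},
]

if __name__ == "__main__":
    for mailbox, name, sev, targets in audit_rules(SAMPLE_RULES):
        print(f"[{sev}] {mailbox} rule {name!r} -> {', '.join(targets)}")
```

Run it against a real export periodically and treat every "high" finding as a potential persistence mechanism, since a rule that deletes or hides what it forwards is rarely something a user created deliberately.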


John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.