Reuters finds Russian-linked hackers breached Romanian Air Force emails

Hackers tied to Russia reached at least 67 Romanian Air Force mailboxes, including NATO-linked accounts, while leaving no classified data exposed.

Marcus Williams

A breach of Romanian Air Force email accounts has exposed how routine administrative mailboxes can become intelligence targets on NATO’s eastern flank. The compromise reached at least 67 Air Force accounts, including some tied to NATO air bases and at least one senior military officer, widening a campaign that touched military and government-linked systems across the region.

The intrusion was part of a broader operation that compromised at least 284 inboxes between September 2024 and March 2026, according to data reviewed from the incident. More than 170 of those accounts belonged to prosecutors and investigators in Ukraine, while other targets were identified in Romania, Bulgaria, Greece and Serbia. The exposed material included logs of successful operations and thousands of stolen emails left on an internet-facing server, a mistake that allowed researchers to map part of the campaign.

Romania’s Ministry of National Defense said the compromised addresses did not contain classified data and were used for administrative activities and the circulation of public information. The ministry said the incident was identified in March 2025 and isolated within 24 hours, with about 30 additional attempts failing after the breach was contained. Even so, the scale of the intrusion showed that attackers had penetrated a communications layer relied on by military personnel and institutions connected to alliance infrastructure.

The Ukrainian side of the campaign was equally revealing. The data identified targets including the Specialized Prosecutor’s Office in the Field of Defense, the Asset Recovery and Management Agency, the Specialized Anti-Corruption Prosecutor’s Office and the Prosecutors’ Training Center in Kyiv. Keir Giles of Chatham House said the pattern suggested intelligence collection aimed at officials handling corruption and Russian-collaborator cases. Matthieu Faou of ESET and Feike Hacquebord of Trend Micro both tied the activity to Moscow, though they differed on whether the operators could be conclusively pinned to Fancy Bear.

For NATO’s eastern flank, the episode is a warning about how much damage basic security failures can cause before any dramatic battlefield breach. Email access can reveal calendars, contacts, logistics threads and coordination habits that matter in a crisis, even when classified systems stay untouched. The incident also showed how cyber operations can be unmasked by operational mistakes: a server left exposed long enough for investigators to see the scale, the targets and the stolen material.
