A major operational security lapse by a Russian state-linked hacking group, FancyBear, has exposed one of the most detailed views yet into an active cyber espionage campaign targeting government and military organizations across Europe. The incident highlights growing concerns around advanced persistent threats (APTs), cybersecurity vulnerabilities, and the increasing sophistication of nation-state cyber operations.
The campaign, tracked as Operation Roundish by threat intelligence firm Hunt.io, came to light after researchers discovered an exposed open directory on March 11, 2026. The server, hosted on a U.S.-based virtual private server, had reportedly been in use by the group for over a year, despite prior public attribution. This prolonged exposure provided researchers with unprecedented access to the group’s tools, infrastructure, and stolen data.
Within the exposed directory, investigators uncovered approximately 2,800 exfiltrated emails from government and military entities, along with 240 compromised credential sets, including passwords and time-based one-time password (TOTP) secrets. Additionally, over 11,500 contact records and 140 silent email-forwarding rules were identified, indicating a large-scale and highly coordinated intelligence-gathering operation.
Further analysis revealed an even more critical exposure: a second open directory containing FancyBear’s command-and-control (C2) source code, JavaScript payloads, and operational telemetry logs. This discovery provided a near-complete blueprint of the group’s cyberattack methods, offering valuable insights into how advanced cyber espionage campaigns are executed.
The victims of the campaign spanned multiple European countries, including Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia. Several NATO-linked entities were also impacted, with email data tied to military and defense institutions. The targeting pattern suggests a deliberate geopolitical focus, particularly on regions involved in defense cooperation and ongoing military activities.
One of the most alarming aspects of the campaign was the method used to bypass two-factor authentication (2FA). FancyBear deployed a malicious JavaScript module, keyTwoAuth.js, which executed within already-authenticated webmail sessions. By exploiting vulnerabilities in Roundcube webmail, the script extracted hidden TOTP secrets and recovery codes without requiring additional user interaction.
This technique allowed attackers to generate valid authentication codes at any time, effectively bypassing 2FA protections without alerting victims. Security analysts identified over 500 instances of this method being used, with hundreds of accounts successfully compromised – even among organizations that had implemented multi-factor authentication.
The findings underscore a critical shift in cybersecurity threats, where attackers are no longer just stealing passwords but targeting authentication systems themselves. Organizations relying on webmail platforms and plugin-based security measures are particularly at risk if vulnerabilities remain unpatched.
Cybersecurity experts recommend immediate action for potentially affected organizations, including rotating all TOTP secrets, auditing email forwarding rules for unauthorized activity, and applying patches for known vulnerabilities such as Roundcube CVE-2023-43770. Blocking known malicious infrastructure and monitoring for cross-site scripting (XSS) activity are also essential steps in mitigating ongoing risks.
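The forwarding-rule audit recommended above can be scripted against the Sieve filters that Roundcube's managesieve plugin stores for each mailbox. The following Python is an added example written for this article, not code from Hunt.io or the Roundcube project. It assumes the rule-label comment format `# rule:[name]` that managesieve writes, treats `example.gov` as the organization's own domain (an assumption), and embeds a constructed sample script with one legitimate rule, one self-forward that keeps a copy, and one silent forward to an outside domain. A rule is reported as "silent" when it uses `redirect` without the `:copy` modifier and without a `keep` action, so the message never lands in the victim's inbox.

```python
import re
from dataclasses import dataclass

# Assumption: the organization's own mail domains; any other destination is "external".
INTERNAL_DOMAINS = {"example.gov"}

# Roundcube's managesieve plugin labels each rule with a "# rule:[name]" comment.
RULE_NAME_RE = re.compile(r'#\s*rule:\[(.*?)\]')
# A redirect action, optionally preceded by modifiers such as :copy.
REDIRECT_RE = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s+"([^"]+)"', re.IGNORECASE)
# An explicit keep action cancels the "silent" property of a redirect in the same rule.
KEEP_RE = re.compile(r'\bkeep\b', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    target: str
    silent: bool      # forwarded without keeping a copy in the mailbox
    external: bool    # destination is outside INTERNAL_DOMAINS


def _split_rules(script):
    """Split a Sieve script into (rule name, rule body) pairs using managesieve's labels."""
    matches = list(RULE_NAME_RE.finditer(script))
    if not matches:
        # Hand-written scripts carry no labels; treat the whole script as one rule.
        return [("(unnamed)", script)]
    rules = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(script)
        rules.append((m.group(1), script[m.end():end]))
    return rules


def audit_sieve(script, internal_domains=INTERNAL_DOMAINS):
    """Return one Finding per redirect action, flagging silent and external forwards."""
    findings = []
    for name, body in _split_rules(script):
        has_keep = KEEP_RE.search(body) is not None
        for m in REDIRECT_RE.finditer(body):
            modifiers, target = m.group(1).lower(), m.group(2)
            domain = target.rsplit("@", 1)[-1].lower()
            silent = ":copy" not in modifiers and not has_keep
            findings.append(Finding(name, target, silent, domain not in internal_domains))
    return findings


def high_risk(findings):
    """Silent forwards to external domains are the pattern worth an immediate look."""
    return [f for f in findings if f.silent and f.external]


# Constructed sample: a benign filter, a copy-forward to self, and a silent external forward.
SAMPLE_SCRIPT = '''require ["fileinto","copy"];
# rule:[Archive newsletters]
if header :contains "subject" "newsletter"
{
    fileinto "Newsletters";
}
# rule:[Mirror to self]
if true
{
    redirect :copy "me@example.gov";
}
# rule:[Sync]
if header :contains "subject" "exercise"
{
    redirect "collector@mail-relay.example.net";
    stop;
}
'''

if __name__ == "__main__":
    for f in audit_sieve(SAMPLE_SCRIPT):
        flag = "HIGH RISK" if f.silent and f.external else "review"
        print(f"{flag:9} rule={f.rule!r} -> {f.target} silent={f.silent} external={f.external}")
```

In practice the script is run over every user's active Sieve script (fetched via ManageSieve or read from the server's sieve storage directory) and the `high_risk` output is reconciled against a list of forwards the user actually requested; a rule with a bland name that silently redirects to an unfamiliar domain is the signature this campaign left behind.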
This incident serves as a stark reminder that even highly sophisticated threat actors can expose themselves through operational missteps. At the same time, it highlights the urgent need for stronger cybersecurity defenses, continuous monitoring, and proactive threat detection strategies in an increasingly complex digital threat landscape.