By Raphael Satter<\/p>\n
WASHINGTON, April 15 (Reuters) – Russia-linked hackers broke into more than 170 email accounts belonging to prosecutors and investigators across Ukraine during the last several months, according to data reviewed by Reuters, a campaign that shows how Moscow\u2019s spies are keeping tabs on the Ukrainian officials tasked with rooting out corruption and Russian collaborators.<\/p>\n
The \u200cdata was inadvertently exposed to the internet by the hackers and discovered by Ctrl-Alt-Intel, a collective of British and American cyber threat researchers. Ctrl-Alt-Intel said data left on the \u200cserver – including logs of successful hacking operations and thousands of stolen emails – showed that the hackers compromised at least 284 inboxes between September 2024 and March 2026.<\/p>\n
Most of the victims were in Ukraine; others are from neighboring NATO countries and the \u200bBalkans.<\/p>\n
The operation was first described last month in a Ctrl-Alt-Intel blog post. Reuters reviewed the underlying data and is publishing details of the hacks for the first time, including the identities of more than a dozen compromised European agencies and officials.<\/p>\n
Ctrl-Alt-Intel said the mistake provided a rare opportunity to examine the workings of a Russian espionage campaign.<\/p>\n
The hackers \u201cjust made a huge operational blunder,\u201d Ctrl-Alt-Intel said. \u201cThey left their front door wide open.\u201d<\/p>\n
The Russian embassy in Washington did not respond to requests for comment. Moscow has repeatedly denied it engages in hacking operations against other countries.<\/p>\n
HACKERS TIED TO MOSCOW<\/p>\n
Ctrl-Alt-Intel attributed the hacking campaign to \u201cFancy Bear,\u201d one of the \u200cnicknames assigned to a well-known Russian military hacking squad. Two researchers \u2060who independently reviewed Ctrl-Alt-Intel\u2019s work – Matthieu Faou, with the cybersecurity company ESET, and Feike Hacquebord, with the cybersecurity company TrendAI – agreed the hackers were tied to Moscow. However, Faou said he could not verify Fancy Bear was involved, and Hacquebord disputed Fancy Bear’s involvement.<\/p>\n
The hackers likely targeted Ukrainian law enforcement either to \u2060stay ahead of investigators working to expose Moscow\u2019s spies or to gather potentially embarrassing information about top officials in Kyiv, said Keir Giles, an associate fellow at London\u2019s Chatham House think tank, who reviewed a list of the victims.<\/p>\n
The data showed the hackers broke into accounts managed by the Specialized Prosecutor’s Office in the Field of Defense, a wartime body established to fight corruption and unmask spies in the Ukrainian military. They also \u200btargeted \u200bUkraine\u2019s Asset Recovery and Management Agency (ARMA), which oversees assets seized from criminals and Russian collaborators, and the Kyiv-based Prosecutor’s \u200bTraining Center.<\/p>\n
Among the victims were Yaroslava Maksymenko, who was the chief of ARMA \u200cat the time, the data shows. At the Prosecutor’s Training Center, the data shows the hackers broke into the mailboxes of 44 employees, including one belonging to the center\u2019s deputy director, Oleg Duka.<\/p>\n
The Russians allegedly stole data from at least one senior employee of the Specialized Anti-Corruption Prosecutor’s Office (SAPO), which has investigated some of Ukraine\u2019s most high-profile corruption scandals, including one that prompted the resignation of President Volodymyr Zelenskiy\u2019s chief peace negotiator Andriy Yermak in November.<\/p>\n
Maksymenko, Duka, ARMA, SAPO, and the prosecutors did not respond to requests for comment. Ukraine’s Computer Emergency Response Team said it was aware of the hack and had already investigated some of the compromises identified by Reuters.<\/p>\n
HACKERS SPIED ON KREMLIN FOES – AND FRIEND<\/p>\n
The hack uncovered by Ctrl-Alt-Intel represents “a small set of activity in regards to the whole Russia-aligned espionage \u200cecosystem,\u201d said Faou, the ESET researcher.<\/p>\n
The data shows the hackers broke into the email inbox of the Central City \u200bHospital in Pokrovsk, a railway hub Russia has been trying to cement its control over, as well as an inbox \u200bbelonging to the city\u2019s finance committee.<\/p>\n
Scores of officials in surrounding NATO countries were also \u200bhacked, the data shows.<\/p>\n
In Romania, the hackers compromised at least 67 email accounts maintained by the Romanian Air Force, including several belonging to NATO airbases and at \u200cleast one senior military officer. The Romanian Ministry of Defense did not \u200brespond to requests for comment.<\/p>\n
The data also shows the \u200bspies compromised 27 email inboxes managed by Hellenic National Defense General Staff, Greece\u2019s top military body. Among those hacked were Greek defense attaches in India and Bosnia and the public-facing inbox for Greece\u2019s Joint Armed Forces Mental Health Center. The General Staff did not answer a detailed list of questions.<\/p>\n
In Bulgaria, the hackers broke into at least four inboxes belonging \u200bto local officials in Plovdiv province, where Russian interference was alleged to \u200chave disabled satellite navigation services ahead of a visit by European Commission President Ursula von der Leyen last year. Bulgarian officials did not respond to comment requests.<\/p>\n
The data also \u200bshows the spies hacked academics and military officials in Serbia, a traditional Russian ally. Serbia\u2019s Ministry of Defense did not respond to requests for comment.<\/p>\n
\u201cA supposedly close \u200brelationship with Moscow is no insurance against Russian espionage,” Giles said.<\/p>\n
(Reporting by Raphael SatterEditing by Rod Nickel)<\/p>\n","protected":false},"excerpt":{"rendered":"By Raphael Satter WASHINGTON, April 15 (Reuters) – Russia-linked hackers broke into more than 170 email accounts belonging…\n","protected":false},"author":2,"featured_media":7572,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[4822,3288,4932,4933,26,5,4931,4930,935,25,1356],"class_list":{"0":"post-7571","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-russia","8":"tag-ctrl-alt-intel","9":"tag-data","10":"tag-email-accounts","11":"tag-matthieu-faou","12":"tag-moscow","13":"tag-russia","14":"tag-russian-collaborators","15":"tag-russian-embassy-in-washington","16":"tag-shows","17":"tag-ukraine","18":"tag-ukrainian-officials"},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/russia\/wp-json\/wp\/v2\/posts\/7571","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/russia\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/russia\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/russia\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/russia\/wp-json\/wp\/v2\/comments?post=7571"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/russia\/wp-json\/wp\/v2\/posts\/7571\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/russia\/wp-json\/wp\/v2\/media\/7572"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/russia\/wp-json\/wp\/v2\/media?parent=7571"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/russia\/wp-json\/wp\/v2\/categories?post=7571"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/russia\/wp-json\/wp\/v2\/tags?post=7571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}