{"id":9126,"date":"2026-03-10T07:24:46","date_gmt":"2026-03-09T22:24:46","guid":{"rendered":"https:\/\/cyberenso.jp\/?p=9126"},"modified":"2026-06-12T07:25:48","modified_gmt":"2026-06-11T22:25:48","slug":"apt28-fancybear-opsec-failure-exposes-espionage-pipeline","status":"publish","type":"post","link":"https:\/\/cyberenso.jp\/en\/apt28-fancybear-opsec-failure-exposes-espionage-pipeline\/","title":{"rendered":"APT28 (FancyBear) OPSEC Failure Exposes Espionage Pipeline"},"content":{"rendered":"\n<p>In an unusual turn of events, a cyber espionage campaign linked to Russia&#8217;s notorious hacking group FancyBear (also known as APT28) was exposed because of a simple security mistake made by the attackers themselves.<br>Researchers at Hunt.io discovered that the group had left one of its servers publicly accessible on the internet for more than 500 days. The exposed server contained a large collection of stolen information and operational tools, giving cybersecurity analysts a rare opportunity to observe the hackers&#8217; activities in detail.<br>The campaign, named Operation Roundish, appeared to focus on government, military, and diplomatic targets across Eastern and Southeastern Europe. Investigators found more than 2,800 stolen government and military emails, over 240 sets of login credentials and two-factor authentication data, and more than 11,500 harvested contacts. The affected countries included Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia.<br>According to researchers, the hackers accidentally exposed their infrastructure by leaving web directories open while storing stolen data and attack tools. This operational security mistake allowed defenders to monitor the campaign, analyze the malware used, and better understand the group&#8217;s tactics.<br>Security experts believe the operation was primarily aimed at countries supporting Ukraine through military assistance, training programs, or logistical support. 
The findings also showed similarities to previously documented campaigns known as Operation RoundPress and ClickFix, strengthening links to Russia&#8217;s GRU-associated FancyBear group.<br>The incident highlights an important lesson in cybersecurity: even highly sophisticated threat actors can make basic mistakes that ultimately expose their own operations.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In an unusual turn of events, a cyber espionage campaign linked to Russia&#8217;s notorious hacking group FancyBear (also known as APT28) was exposed because of a simple security mistake made by the attackers themselves. Researchers at Hunt.io discovered that the group had left one of its servers publicly accessible on the internet for more than 500 days. The exposed server contained<span class=\"excerpt-hellip\"> [\u2026]<\/span><\/p>\n","protected":false},"author":1,"featured_media":8776,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,12,9,3],"tags":[],"class_list":["post-9126","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ce_listen","category-read_article","category-ransomware_criminals","category-ce_read"],"acf":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/cyberenso.jp\/wp-content\/uploads\/2025\/02\/illustration-virus-detection_53876-37692.jpg?fit=996%2C688&ssl=1","_links":{"self":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/9126"}],"collection":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/comments?post=9126"}],"version-history":[{"count":1,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/9126\/revisions"}],"predecess
or-version":[{"id":9127,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/9126\/revisions\/9127"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/media\/8776"}],"wp:attachment":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/media?parent=9126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/categories?post=9126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/tags?post=9126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}