What information are Russian state hackers collecting in Serbia?
A message on the Signal app and opening a link for an alleged video call…
In this way, the Belgrade Centre for Security Policy became a victim of Russian hacking groups, according to a forensic analysis carried out for this Serbian non-governmental organisation by one of the largest IT companies in the world.
These are hacking groups that the governments of the United States and the United Kingdom have previously linked to Russia’s intelligence and security structures.
During the attack, the hackers accessed part of the archive and read more than 28,000 email exchanges of the Serbian organisation, which has been monitoring reforms in the security sector for almost 25 years and is actively involved in communication with numerous European institutions.
“Our mailing list of international and domestic partners is very large,” Igor Bandović, Director of the Belgrade Centre for Security Policy (BCSP), told Radio Free Europe (RFE).
He also stated that the accounts of BCSP employees were used to further spread the hacking operation of two Russian groups.
One is linked to Russia’s Foreign Intelligence Service (SVR), and the other to Russia’s Military Intelligence Service (GRU).
Both groups, according to the Microsoft website, target governments, diplomatic institutions, non-governmental organisations and IT companies worldwide.
“The attackers use every possible method to gain access to sensitive emails, files and messages,” Steven Adair, Director of the US cyber security company Volexity, who also worked on the attack against BCSP, told RFE.
He added that civil society organisations in Serbia will “almost certainly continue to be targets because of their work and expertise in areas related to Russia, Ukraine and security efforts in Europe”.
How did the attack happen?
“The message I received did not look suspicious in any way,” Igor Bandović, Director of BCSP, recalled in an interview with RFE.
He said that in July last year he was contacted via message by a person who introduced himself as Belarusian opposition politician Sergei Tikhanovsky, the husband of exiled opposition leader Sviatlana Tsikhanouskaya.
“He suggested that we schedule a video call to discuss the political situation in South-Eastern Europe,” Bandović added.
As later forensic analysis showed, this message was one of the key entry points through which the Russian hackers carried out their operation, aiming to take over the infrastructure of the Belgrade-based non-governmental organisation and to expand their activities further.
Igor Bandović said that he asked the interlocutor how he had obtained his contact details. When he was told it was through a colleague from Romania, Bandović said he had no reason to question the authenticity of the conversation too closely.
The communication took place via the Signal messaging app, which is known for privacy protection and encrypted communication, where users can connect via phone numbers or usernames.
A link for a video call was also sent with the message. At the time of the scheduled meeting, Bandović copied the link into an internet browser. The video call did not start, but opening the link gave the hackers access to almost all internal communications of BCSP staff.
In this way, Bandović became a victim of so-called spear phishing, a targeted form of messaging in which the attacker tailors the message to appear as if it comes from a trusted person or organisation, often using personal information about the victim. The goal is to trick the victim into revealing confidential information, downloading a malicious file, or enabling access to systems.
Four months later, in November last year, the Microsoft Threat Intelligence Centre, a specialised Microsoft team that researches digital security threats to users of the company’s software, warned BCSP that it had been the victim of a hacking attack.
One of the world’s largest IT companies, which requested anonymity and whose identity is known to RFE, conducted a forensic analysis for BCSP and identified two hacking groups, Midnight Blizzard and Forest Blizzard, as being behind these attacks.
Who are the Russian hackers behind the attacks in Serbia?
Midnight Blizzard is a hacking group tracked under that name by Microsoft and has been active since at least 2018.
According to Microsoft, the group operates from Russia.
The governments of the United States and the United Kingdom link it to the Foreign Intelligence Service of the Russian Federation, known as the SVR. The group is known for attacking governments, diplomatic institutions, non-governmental organisations and IT service companies, mainly in the United States and Europe. Their goal, according to Microsoft, is “the collection of intelligence through long-term, dedicated espionage” targeting foreign interests.
Forest Blizzard, on the other hand, is a hacking group believed to have ties to Russia’s military intelligence agency, the GRU.
Members of this group were directly identified as GRU officers in an indictment filed by the US Department of Justice in 2018 against 12 GRU members for hacking the Democratic National Committee, the Democratic Congressional Campaign Committee and the campaign of US presidential candidate Hillary Clinton.
According to the indictment, the aim was “to influence the 2016 US presidential election”.
As stated in the indictment, the GRU was at that time carrying out mass spear-phishing attacks against members of Hillary Clinton’s campaign team, which enabled access to tens of thousands of emails.
Following the successful attacks, they hacked the computers of institutions running the Democrats’ campaign, stole documents and passwords, and secretly monitored the work of employees, the indictment says.
This case did not progress beyond the indictment, as all of the accused are unavailable to US authorities.
According to the Microsoft website, the targets of attacks by this Russian group include governments, non-governmental organisations, IT companies and universities, with attacks recorded in the United States, Australia, Canada, India, Ukraine, Israel and Japan.
A wide range of similar hacking campaigns, involving impersonation of individuals and the compromise of accounts, was analysed by the Washington-based US cybersecurity firm Volexity.
“We are quite confident that these attacks targeting individuals and organisations engaged in issues related to Russia, Ukraine and European security are the work of Russian cyber threat actors,” Steven Adair, founder and director of the company, told RFE. He added that Russian actors have adopted multiple techniques aimed at compromising users.
“These attacks have evolved from impersonating individuals such as ambassadors and diplomats to creating fake conference websites designed to phish the credentials of potential participants,” Adair explained.
A fake Belgrade Security Conference website
A forensic analysis conducted for the Serbian BCSP by a global IT company showed that in just one month of monitoring, from early November to early December 2025, more than 28,000 accesses to the emails of BCSP employees were recorded.
This included opening messages and documents sent as attachments, as well as access to the archive and older correspondence with domestic and foreign partners, BCSP representatives explained.
“Attempts at further communication with our staff were recorded, from which it is clear that after gaining access to the system, the hackers had virtually real-time insight into communications as they were taking place,” said BCSP Director Igor Bandović.
The operation took on broader dimensions when the hacking group also created a fake website promoted as the official registration platform for participants of the Belgrade Security Conference.
The conference, organised by BCSP, was held from 17 to 19 November in Belgrade.
It was the fourth event of its kind and represents one of the largest regional gatherings dedicated to foreign policy and security issues, bringing together more than 500 participants from Serbia and abroad.
It is a semi-closed event attended by political representatives, diplomats, experts and representatives of international organisations.
A forensic analysis by the US company Volexity, which also examined this case, showed that guests and participants were directed by email to the fake website with the aim “of expanding the infiltration to international participants, representatives of governments, international organisations, academia and civil society”.
“Immediately before the conference, European Union institutions sent a warning about a spear-phishing campaign spreading from fake accounts of the Belgrade Conference and targeting our partners in the EU and North America,” Igor Bandović said.
He stated that one of the aims was to deter foreigners from coming to Belgrade, while the other was, as he put it, “certainly intelligence espionage”.
What is the scale of the attack?
BCSP say that even six months later it is difficult to assess the full extent of the damage.
“Partners from two organisations contacted us, one from Europe and one from the United States, saying they had received phishing emails from our addresses. But that means they recognised them. How many organisations and individuals did not recognise this hacking activity, we cannot even guess,” said Igor Bandović.
Volexity founder Steven Adair told RFE that “the scale of these attacks appears to be quite large”.
“Russian threat actors created a completely fake website imitating the Belgrade Security Conference and targeted individuals who might attend or be interested in speaking there. This provides important insight into the kind of work in Serbia that particularly attracts the attention of attackers,” Adair said.
What the forensic analysis uncovered after the attack goes beyond phishing and impersonation.
A detailed investigation showed that this non-governmental organisation had been a target of Russian hackers since the summer of 2024.
From September of that year, according to the findings of the digital forensic analysis, an administrator account was taken over via a VPN account, that is, through access points to the BCSP server used for remote work.
Igor Bandović said that the attacks were not reported to Serbia’s Prosecutor’s Office for High-Tech Crime because they “do not have confidence in an impartial investigation”.
They made all the information public, Bandović said, in order to warn potential victims.
He added that at the beginning of December they removed all threats from their system.
What are the signs of intelligence cooperation between Serbia and Russia?
In 2019, the US State Department described Serbia, a candidate for membership of the European Union, as a country with the “most permissive environment” for Russian influence in the Western Balkans.
Even after Russia’s invasion of Ukraine and Western sanctions against Moscow, Belgrade has remained one of the Kremlin’s few European partners.
The two countries have also continued their intelligence cooperation.
In September 2025, it was revealed that Russian services had organised training camps in western Serbia where Moldovan and Romanian citizens, according to a statement from Chişinău, were prepared to incite unrest during Moldovan elections.
Serbian authorities invited Russia’s Federal Security Service to Serbia to investigate allegations that a sonic weapon was used against protesters at an anti-government demonstration in Belgrade on 15 March.
Moscow and Belgrade, without providing evidence, accuse Western services of being behind mass protests in Serbia calling for accountability over the deaths of 16 people in an accident in Novi Sad.
The joint fight against “colour revolutions”, a term Moscow uses to describe the overthrow of authoritarian regimes in former Soviet republics, was announced by Belgrade and the Kremlin as early as 2021.
This was negotiated with the then head of Russia’s security service, Nikolai Patrushev, by pro-Russian Serbian government official Aleksandar Vulin, who is on the United States sanctions list because of his cooperation with Russia.
Russian opposition figures accused Vulin of wiretapping them in Belgrade and passing the information to the Kremlin, after which their arrests in Moscow followed.
Serbia has also been the focus of accusations that it provided refuge to Russian diplomats expelled from European Union member states on suspicion of espionage.