Military and government organisations often rely on email systems for sensitive communications. When those email infrastructures remain findable and reachable from the internet, state-linked actors can compromise dozens or hundreds of accounts with relative ease.
The April 2026 Romanian Air Force incident is a clear example. Fancy Bear (APT28), a hacking unit attributed to Russian military intelligence, compromised accounts across five countries by locating infrastructure that was left reachable from the public internet.
Incident at a glance
- Attack type: Compromise of military email accounts
- Threat actor: Fancy Bear (APT28), attributed to Russian military intelligence (GRU)
- Root cause: Email infrastructure reachable and discoverable from the internet
- Exposure window: September 2024 to March 2026
- Impact: 67 accounts targeted; the Romanian Ministry of National Defense stated 30 were successfully compromised, with the remaining attacks repelled by Army cyber defence.
- Affected users: Romanian Air Force personnel, including accounts at NATO air bases and at least one senior military officer
- Response: Romanian Ministry of National Defense confirmed the breach; investigation ongoing; hackers accidentally exposed their own operation
Why Persistent Email Infrastructure Exposure Is a Growing Risk for Defense and Government
Government and military email environments face a structural tension: they must remain highly available for command and control, which typically means infrastructure stays internet-accessible.
A single Fancy Bear campaign compromised at least 284 government and military email accounts across five countries between September 2024 and March 2026, according to analysis by Ctrl-Alt-Intel, a British-American cyber threat research group. That scale was made possible not by advanced exploits, but by infrastructure that remained findable.
When email systems are discoverable from the public internet, persistent state-linked scanning eventually finds them, regardless of the organisation's security posture at the application layer.
What Happened
Fancy Bear (APT28), a hacking unit attributed to Russian military intelligence (GRU), gained access to the email infrastructure of the Romanian Air Force between September 2024 and March 2026, as part of a broader regional espionage campaign targeting government and military officials in Ukraine, Greece, Bulgaria, and Serbia. According to Reuters, Ctrl-Alt-Intel found at least 284 email accounts compromised across all targeted countries.
Of those, 67 were Romanian Air Force accounts, including several belonging to NATO air bases and at least one senior military officer. The Romanian Ministry of National Defense later stated that 30 of those accounts were successfully compromised, with the remaining attacks repelled by Army cyber defence.
The operation was exposed after the hackers accidentally made their own server data public, leaving logs of successful hacking operations and thousands of stolen emails visible on the internet. The Romanian Ministry of National Defense confirmed the breach and stated the targeted accounts were used for administrative activities, not classified communications.
Technical Cause
According to Reuters, Fancy Bear gained access to the Romanian Air Force email infrastructure by targeting standard email accounts and servers that were reachable from the internet. The attackers did not need sophisticated malware. They exploited the fact that the email environment was discoverable and accessible, allowing them to harvest credentials and move laterally across dozens of accounts.
| Exposure Area | Why It Mattered |
| --- | --- |
| Military email infrastructure reachable from the internet | Attackers could locate and access accounts without needing multiple layers of protection |
| Sensitive military communications stored in the environment | Any unauthorized access could expose operational and administrative information |
| Limited obfuscation of infrastructure | The email environment remained findable and exploitable |
| No network-level hiding controls | The infrastructure itself was visible and reachable |
The structural lesson extends well beyond the Romanian Air Force: when email infrastructure is left exposed and discoverable, even basic reconnaissance can lead to significant compromise. The blast radius is determined by how reachable the systems are, not by the attacker's technical sophistication.
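The pattern described above, one source harvesting credentials and moving across dozens of accounts, is visible in ordinary mail authentication logs long before a breach is confirmed. The following is an added example written for this article, not code from the article or from any vendor or agency named in it: it parses a constructed, Dovecot-style IMAP login log (hypothetical users and documentation-range IPs), flags any source address that touches many distinct accounts within a short window, and lists the accounts that had a successful login from such a source. The log format, thresholds and field names are assumptions to adapt to your own mail server's output.

```python
"""Detect credential harvesting across many mail accounts in auth logs.

Added example, not from the original article or any vendor. The log format
is a constructed, Dovecot-like subset; adapt LINE_RE to your server's real
format. The thresholds are assumptions to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). One source IP walks through
# many distinct accounts; a second source is ordinary single-user traffic.
SAMPLE_LOG = """\
2026-03-02T08:01:10Z imap-login: Login failed: user=<a.popescu@af.example>, rip=203.0.113.7
2026-03-02T08:01:14Z imap-login: Login failed: user=<m.ionescu@af.example>, rip=203.0.113.7
2026-03-02T08:01:19Z imap-login: Login: user=<c.dumitru@af.example>, rip=203.0.113.7
2026-03-02T08:01:25Z imap-login: Login failed: user=<e.stan@af.example>, rip=203.0.113.7
2026-03-02T08:01:31Z imap-login: Login: user=<r.marin@af.example>, rip=203.0.113.7
2026-03-02T08:01:40Z imap-login: Login failed: user=<g.radu@af.example>, rip=203.0.113.7
2026-03-02T08:05:02Z imap-login: Login: user=<a.popescu@af.example>, rip=198.51.100.20
2026-03-02T08:09:44Z imap-login: Login failed: user=<a.popescu@af.example>, rip=198.51.100.20
2026-03-02T08:09:50Z imap-login: Login: user=<a.popescu@af.example>, rip=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) imap-login: Login(?P<failed> failed)?: "
    r"user=<(?P<user>[^>]+)>, rip=(?P<rip>\S+)$"
)


def parse_auth_log(text):
    """Return a list of (timestamp, user, source_ip, success) per parsable line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than guess
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("user"), m.group("rip"), m.group("failed") is None))
    return events


def find_account_walkers(events, min_accounts=5, window_seconds=300):
    """Return {source_ip: sorted distinct accounts} for every source that
    touched at least `min_accounts` different accounts within any window of
    `window_seconds`. Many distinct accounts from one source in a short
    window is the signature of harvesting/spraying, whatever the outcome."""
    by_ip = defaultdict(list)
    for ts, user, ip, _ok in events:
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, items in by_ip.items():
        items.sort()  # time order for the sliding window
        start = 0
        for end in range(len(items)):
            while (items[end][0] - items[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({u for _, u in items[start:end + 1]}) >= min_accounts:
                # record every account this source touched, not just the window
                hits[ip] = sorted({u for _, u in items})
                break
    return hits


def compromised_accounts(events, walkers):
    """Accounts with a successful login from a flagged source: the ones to
    reset, revoke sessions for and review mailbox rules on first."""
    return sorted({u for _, u, ip, ok in events if ok and ip in walkers})


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_LOG)
    walkers = find_account_walkers(ev)
    for ip, users in walkers.items():
        print(f"{ip}: {len(users)} distinct accounts in a {300}s window")
    print("likely compromised:", compromised_accounts(ev, walkers))
```

The check keys on breadth (distinct accounts per source) rather than on failure counts, because a harvesting run that already holds valid credentials produces mostly successes and would pass a classic brute-force threshold.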
Governance and Risk Implications
For enterprise security and IT leadership, the Romanian Air Force incident raises questions that extend well beyond defense.
- Credential exposure in mission-critical environments. Email systems and servers that handle sensitive communications are often more exposed than organisations realise. The relevant question is not whether data is encrypted at rest; it is whether the infrastructure itself can be found and reached from the internet at all.
- State-sponsored targeting windows. Nation-state actors routinely scan for exposed government and military infrastructure. Organisations need processes to make their systems untraceable before they are targeted.
- Distribution channel trust assumptions. Email platforms for defense and government are often treated as trusted by default. Organisations that rely on standard email infrastructure carry residual infrastructure risk on every connection.
- Blast radius of exposed infrastructure. A single reachable email environment can compromise dozens of accounts and expose sensitive operational communications in a short period.
How to Prevent Critical Email Infrastructure Exposure
The core failure in the Romanian Air Force breach was that standard email infrastructure remained discoverable and reachable from the internet. Once attackers located the systems, they were able to compromise dozens of accounts containing sensitive military communications.
Any organisation that handles sensitive communications - government agencies, law firms, financial institutions, or healthcare providers - faces the same risk. Email servers and administrative interfaces that are directly reachable from the public internet create an easy entry point for reconnaissance and targeted attacks.
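A first step for any organisation in that position is to inventory which mail-related listeners are actually reachable from the internet and compare them against an explicit policy. The following is an added example written for this article, not code from the article, from Entropya, or from any other vendor: it reads a constructed inventory (hypothetical hosts, documentation-range IPs) and flags every internet-reachable listener that the policy does not permit. The policy itself is an assumption: only the inbound MTA on port 25 is allowed to be reachable from arbitrary peers, user-facing services (webmail, IMAP, submission) are expected only over a VPN or software-defined network, and management interfaces are never allowed from the internet.

```python
"""Audit a mail-service inventory against an exposure policy.

Added example, not the article's or any vendor's code. The inventory format
and the policy are assumptions: replace the constructed rows with the output
of your own asset inventory or external attack-surface scan.
"""
from dataclasses import dataclass

# Constructed inventory (hypothetical hosts, RFC 5737 documentation IPs).
# zone: "internet" = reachable from any source, "vpn" = only over the
# organisation's private network/SDN, "internal" = no route from outside.
INVENTORY = """\
host,ip,port,service,zone
mx1.af.example,203.0.113.10,25,smtp-mta,internet
mail.af.example,203.0.113.11,443,webmail,internet
mail.af.example,203.0.113.11,993,imaps,internet
mail.af.example,203.0.113.11,587,submission,internet
mail.af.example,203.0.113.11,8443,mail-admin,internet
mx1.af.example,203.0.113.10,22,ssh,internet
webmail-int.af.example,10.20.0.11,443,webmail,vpn
"""

# Assumed policy. Federated SMTP delivery needs the inbound MTA reachable;
# everything else that accepts credentials belongs behind the VPN/SDN, and
# management interfaces must never be internet-facing.
PUBLIC_OK = {("smtp-mta", 25)}
USER_FACING = {"webmail", "imap", "imaps", "pop3s", "submission", "activesync", "ews"}
MANAGEMENT = {"mail-admin", "ssh", "rdp", "winrm", "ecp"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    severity: str
    reason: str


def parse_inventory(text):
    """Parse the CSV-style inventory into a list of dicts with an int port."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["port"] = int(rec["port"])
        rows.append(rec)
    return rows


def audit(rows):
    """Return policy violations, most severe first."""
    findings = []
    for r in rows:
        if r["zone"] != "internet":
            continue  # only internet-reachable listeners are in scope
        if (r["service"], r["port"]) in PUBLIC_OK:
            continue
        if r["service"] in MANAGEMENT:
            sev, why = "critical", "management interface reachable from the internet"
        elif r["service"] in USER_FACING:
            sev, why = "high", "credential-accepting service reachable from the internet; move behind VPN/SDN"
        else:
            sev, why = "medium", "unexpected internet-reachable listener on a mail host"
        findings.append(Finding(r["host"], r["port"], r["service"], sev, why))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.host, f.port))


def exposed_hosts(rows):
    """Hosts an attacker can reach a login or admin surface on without any
    prior access: the blast radius of the current exposure."""
    return sorted({f.host for f in audit(rows) if f.severity in {"critical", "high"}})


if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY)
    for f in audit(inventory):
        print(f"[{f.severity}] {f.host}:{f.port} ({f.service}) - {f.reason}")
    print("exposed hosts:", exposed_hosts(inventory))
```

Run it against a fresh inventory after every change to firewall or load-balancer rules; an unexpected listener that appears on an existing mail host shows up as a new medium or critical finding rather than waiting for someone else's scan to find it.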
Entropya's Secure Xchange Mail is a decentralised, end-to-end encrypted email solution with no reliance on third-party infrastructure, often protected by a Virtual Dissimulated Encrypted Server (VDES) that shields the server's real IP. When used with Entropya's Encrypted Network (EEN), a Software Defined Network, the entire email system becomes untraceable. The infrastructure is no longer discoverable from the internet.
Review Your Email Infrastructure
If your email servers and administrative interfaces are reachable from the public internet, they are discoverable. Contact Entropya to assess your exposure before reconnaissance begins.
Frequently Asked Questions
In many cases the target is not the email application itself; it is the backend infrastructure, the servers and environments that host sensitive communications. When those systems remain accessible and findable on the internet, attackers can gain unauthorized access to multiple accounts.
Prevention requires replacing or protecting standard email systems with hardened solutions deployed within a protected network. Entropya's Secure Xchange Mail, when used with EEN, makes the entire email system untraceable — administrative access is tightly controlled and the infrastructure is no longer discoverable from the internet.
Defense and government organisations must maintain highly available communication systems. Without network-level obfuscation and zero-trust controls, email infrastructure can be discovered and targeted, exposing sensitive operational communications.