What information are Russian intelligence hackers collecting in Serbia?
According to Microsoft, the groups are linked to Russia’s Foreign Intelligence Service (SVR) and Military Intelligence Service (GRU)
A message on the Signal app and the opening of a link for a so-called video call were all it took for the Belgrade Centre for Security Policy (BCBP) to become a victim of Russian hacker groups, according to an analysis conducted for this Serbian NGO by one of the world’s largest IT companies.
These hacker groups have previously been linked by the governments of the United States and the United Kingdom to Russia’s intelligence and security structures.
During the attack, the hackers gained access to part of the archive and read more than 28,000 emails of the Serbian organization, which for nearly 25 years has monitored reforms in the security sector and has been involved in communication with numerous European institutions.
According to a report by the U.S. technology company Microsoft, one of the groups is linked to Russia’s Foreign Intelligence Service (SVR), while the other is linked to Russia’s Military Intelligence Service (GRU).
Both groups, according to Microsoft’s official website, target governments, diplomatic institutions, non-governmental organizations, and IT companies worldwide.
In July of the previous year, a person presenting himself as Belarusian opposition politician Sergei Tikhanovsky, the husband of exiled opposition leader Sviatlana Tsikhanouskaya, sent a message requesting a video call to discuss the political situation in Southeast Europe.
Subsequent forensic analysis showed that this message was one of the initial points of the Russian hackers’ attack, aimed at taking control of BCBP’s infrastructure and expanding their activities further.
The communication took place via the Signal app, known for its privacy and encrypted data transmission, where users connect via phone numbers or usernames. The message included a link for a video call. At the scheduled time of the meeting, the link was copied into an internet browser. The video call did not activate, but it opened the door for hackers to access almost all communications of BCBP employees.
This was an example of “spear phishing,” a targeted attack in which the attacker makes a message appear to come from a trusted person or organization, often using the victim’s personal data. The goal is for the victim to reveal confidential information, open a malicious file, or enable access to computer systems.
Four months later, in November, Microsoft’s Threat Intelligence Center, the company’s specialized digital security team, informed BCBP that it had been the victim of a cyberattack.
One of the world’s largest IT companies, which requested anonymity, conducted a forensic analysis and identified two hacker groups—“Midnight Blizzard” and “Forest Blizzard”—as the perpetrators.
The “Midnight Blizzard” group is known to Microsoft and has been active since at least 2018. According to Microsoft, the group operates from Russia. The governments of the United States and the United Kingdom link it to the SVR. The group is known for attacks on governments, diplomatic institutions, NGOs, and IT companies, mainly in the United States and Europe. Its goal, according to Microsoft, is “the collection of intelligence through espionage.”
The other group, “Forest Blizzard,” is linked to the GRU. Some of its members were directly identified as GRU officers in the 2018 indictment by the U.S. Department of Justice against 12 GRU members for hacking the Democratic National Committee, the Democratic Congressional Campaign Committee, and the U.S. presidential campaign of Hillary Clinton. The objective was “to interfere in the 2016 U.S. presidential election.”
According to the indictment, the GRU carried out large-scale spear-phishing attacks against members of Clinton’s campaign, gaining access to tens of thousands of emails. After successful attacks, the group hacked the computers of campaign organizations, stole documents and passwords, and secretly monitored employees’ work. The case never went to trial because none of the defendants were available to U.S. authorities.
According to Microsoft, the targets of this Russian group include governments, NGOs, IT companies, and universities. Similar attacks have been recorded in the United States, Australia, Canada, India, Ukraine, Israel, and Japan. Some of these attacks, involving impersonation of trusted individuals and account compromise, were analyzed by the Washington-based cybersecurity firm Volexity.
A forensic analysis conducted by a major international IT company for BCBP showed that during just one month of monitoring, from early November to early December 2025, more than 28,000 accesses to BCBP employees’ emails were recorded.
This included opening messages and attached documents, as well as accessing archives and reviewing previous correspondence with domestic and international partners, BCBP explained.
The operation was further expanded when the hacker group created a fake website advertised as the official registration platform for participants in the Belgrade Security Conference. The conference, organized by BCBP, was held from November 17 to 19 in Belgrade.
It was the fourth edition of the event, considered one of the largest regional gatherings on foreign policy and security issues, bringing together more than 500 participants from Serbia and abroad. The event was partially closed, with participation by political representatives, diplomats, experts, and representatives of international organizations.
Another forensic analysis by the U.S. company Volexity showed that guests and participants were directed via email to the fake website, with the aim of “spreading the infiltration to international participants, representatives of governments, international organizations, the academic community, and civil society.”
BCBP stated that even six months after the attack, it was difficult to assess the damage.
The forensic analysis showed that the NGO had been a target of Russian hacking since the summer of 2024. Since September of that year, according to the analysis, the administrator account had been compromised via VPN, giving attackers access to BCBP servers used for remote work.
In 2019, the U.S. State Department described Serbia, which aims to join the EU, as the country with “the most permissive environment” for Russian influence in the Western Balkans.
Belgrade, even after Russia’s invasion of Ukraine and the introduction of Western sanctions against Moscow, has remained one of the Kremlin’s few European partners. The two states have also continued cooperation in the intelligence sphere.
In September 2025, authorities revealed that Russian services in western Serbia had organized training camps where Moldovan and Romanian citizens, according to officials in Chișinău, were being prepared to cause unrest during elections in Moldova.
Serbian authorities invited Russia’s Federal Security Service (FSB) to investigate claims that a sonic weapon had been used against demonstrators during an anti-government protest on March 15 in Belgrade.
Moscow and Belgrade, without providing evidence, accuse Western intelligence services of being behind mass protests in Serbia demanding accountability for the deaths of 16 people in an accident in Novi Sad.
Cooperation against “color revolutions,” a term used by Moscow to describe the overthrow of authoritarian regimes in former Soviet republics, was announced by Belgrade and the Kremlin as early as 2021.
Aleksandar Vulin, a pro-Russian official in the Serbian government who is on the U.S. sanctions list for cooperation with Russia, held talks with Russia’s then intelligence chief Nikolai Patrushev. Russian opposition figures accused Vulin of surveilling them in Belgrade and passing information to the Kremlin, which was followed by their arrest in Moscow.
Serbia was also at the center of accusations that it had provided shelter to Russian diplomats expelled from several EU countries on suspicion of espionage.