cross-posted from: https://scribe.disroot.org/post/10102483

A Russian cyberespionage operation spent a month inside a Belgrade think tank’s inboxes, reading 28,000 emails after posing as a Belarusian dissident to get in. Tied to the SVR and GRU, the hackers weren’t just after documents — they walked away with a blueprint of relationships and vulnerabilities that AI can weaponize. As Serbia heads toward elections, the attack reveals a darker pattern: Moscow and Belgrade often chase the same enemies.

Summary of the linked article:

In August 2025, the director of the Belgrade Centre for Security Policy (BCSP), Igor Bandović, received a message on Signal from someone who claimed to be Belarusian opposition politician Sergei Tikhanovsky, the husband of Svetlana Tikhanovsky, the Belarusian opposition leader currently in exile. He claimed to have Bandović’s contact from an organization that BCSP previously worked with. The person suggested a video call, but the call never connected and the partner organization never gave Tikhanovsky Bandović’s contact information. This was not the start of the espionage.

A forensic analysis showed that the organization’s internal network was accessed without authorization as early as September 2024, which allowed the attackers to log in as regular users. Second, they accessed the administration of the entire system, gaining control over servers, passwords, documents, archives and communications. The third phase of the attack was a systematic surveillance of all communications, meaning messages, attachments and archives. For nearly a month, the attackers accessed the emails of BCBP more than 28,000 times, each individual access record meaning a visit to the inbox and internal documents, and even an attempt at communication with employees.

The forensic analysis showed that the attack was coordinated by two hacker groups, known as Midnight Blizzard, linked to the Russian Foreign Intelligence Service (SVR), and Forest Blizzard, linked to Military Intelligence Service (GRU). One group did the silent surveilance actions while the other performed more aggressive actions like taking over accounts, including creating a fake website that it attributed to the Belgrade Security Conference.

Further collaboration between the Serbian and Russian regime was uncovered in the meantime. This included training camps for preparing riots and disrupting elections in Moldova and the testing of illegal sound cannons that were allegedly used during a protest in Serbia.

Archived