FBI and SBU investigate Russian cyber-espionage campaign targeting officials across Ukraine, Europe and US
Russia’s intelligence services are conducting a long-running cyber-espionage campaign aimed at officials, military personnel, politicians and activists across Ukraine, Europe and the United States, Ukraine’s Security Service (SBU) said on Thursday. The agency announced that it is working together with the FBI on the investigation.
The SBU says attackers are mainly trying to break into accounts on popular messaging apps, looking for access to sensitive military, political and economic information, as well as private data belonging to users.
According to Ukrainian officials, the hackers often impersonate technical support or automated service bots. They send out phishing messages designed to trick people into handing over passwords or verification codes. In many cases, these messages are timed for early morning hours, when users are less attentive and more likely to click without checking details.
The alert comes amid a steady flow of reports pointing to Russian cyber-espionage activity across Europe and Ukraine.
Earlier reporting by Reuters described a wider operation in which Moscow-linked hackers accessed more than 170 email accounts used by Ukrainian prosecutors and investigators. Based on the data reviewed, at least 284 inboxes were compromised between September 2024 and March 2026. Those affected included anti-corruption bodies, military prosecutors and various government agencies.
Analysts who examined the leaked material say the same activity appears to have reached beyond Ukraine. Institutions in several NATO and Balkan countries were also affected, including the Romanian Air Force, Greece’s military leadership, local authorities in Bulgaria and members of the Serbian military.
Attribution remains disputed. Researchers generally associate the campaign with Russian-linked operators, but differ on whether it is directly connected to the military hacking group commonly known as Fancy Bear.
European governments have at the same time reported a broader pattern of cyber and influence operations linked to Russia.
Romania’s cybersecurity authority confirmed attacks on government websites during the country’s presidential election period. Officials in Romania and Poland have also warned about disinformation activity tied to the Kremlin-linked “Doppelgänger” network, which uses fake news sites, coordinated social media posts and fabricated claims about election fraud to shape public opinion.
In a separate development, Dutch intelligence services recently identified a previously unknown Russian-linked actor they named “Laundry Bear”. According to Dutch officials, the group has been active since at least 2024 and has targeted government institutions, defence companies, technology firms and other organisations across NATO and EU countries.
The SBU stressed that the campaign is not limited to state institutions. Ordinary users are also being targeted, especially through messaging platforms.
Authorities are advising people to regularly check active sessions in their apps, enable two-factor authentication, avoid opening suspicious links or files, and never share login codes, passwords or account recovery keys with anyone.
Users are also being warned not to scan QR codes sent from unknown accounts or bots, since they can be used to link foreign devices directly to a victim’s messaging account.