Cyber Incident Victim: Romanian Ministry of Foreign Affairs
Date: Apr 2017
Location: Romania
Summary
Russian-linked hackers APT28 impersonated NATO representatives in phishing attacks targeting diplomatic entities, including Romania's Foreign Ministry. The group sent malicious emails containing weaponized Microsoft Word documents that exploited known vulnerabilities to deploy the GameFish remote access malware. Security firm FireEye confirmed the campaign's attribution to APT28 based on analysis of the phishing infrastructure and malware samples. The attackers reused previously exposed command-and-control servers, revealing operational security weaknesses. The appearance of a malicious file from the campaign on VirusTotal's scanning platform suggested that at least some targets were aware of it. This activity aligned with APT28's pattern of compromising government networks through tailored spearphishing operations.
Description
In early April 2017, the Romanian Ministry of Foreign Affairs was targeted by an advanced phishing campaign attributed to the Russian state-linked hacking group APT28, also known as Fancy Bear. The attackers impersonated NATO representatives to send deceptive emails containing malicious Microsoft Word attachments designed to exploit two recently disclosed vulnerabilities. These booby-trapped documents delivered GameFish RAT, a remote access trojan enabling persistent system control. FireEye analysts confirmed the authenticity of the phishing emails and their connection to APT28’s operational patterns, noting similarities to the group’s prior activities, including the 2016 Democratic National Committee breach. The campaign extended beyond Romania to multiple European diplomatic entities, though specific additional targets were not disclosed. Attackers leveraged NATO’s credibility to increase the likelihood of successful compromises, though the exact success rate against the Romanian ministry remained unverified in available reporting.

The malicious file associated with this campaign was uploaded to VirusTotal, a public malware analysis platform, suggesting at least partial detection by targeted entities or security researchers. NATO officials acknowledged the impersonation attacks but declined to provide detailed comments on mitigation measures or specific impacts. Technical analysis revealed operational security lapses by APT28, including the reuse of previously exposed command-and-control infrastructure, which allowed researchers to correlate this activity with historical attacks. No specific disruptions, data exfiltration, or financial consequences affecting the Romanian Ministry of Foreign Affairs were documented in the available source material. The incident underscored APT28’s continued focus on diplomatic targets and its exploitation of unpatched software vulnerabilities alongside social engineering tactics.
