Cyber Incident Victim: Government of Montenegro
Date: Jun 2017
Location: Montenegro
Summary
A Kremlin-linked cyber espionage group, APT28 (Fancy Bear), targeted the government of Montenegro with spear-phishing attacks using malicious documents themed around NATO meetings and military visits, following the country's accession to the alliance. The group, attributed to Russian military intelligence (GRU) based on its exclusive use of Flash exploit frameworks, Gamefish malware, and infrastructure patterns, had also conducted earlier distributed denial-of-service attacks against government and media entities in response to political opposition to NATO membership. FireEye assessed the activity as part of Russia's broader campaign to undermine NATO integration due to perceived security threats.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In June 2017, cybersecurity firm FireEye reported that Russian state-sponsored hacking group APT28 (Fancy Bear) targeted Montenegro’s government with cyberattacks. The attacks coincided with Montenegro’s formal accession to NATO on June 5, 2017, a move Russia had strongly opposed. APT28 employed spear-phishing tactics, sending malicious documents designed to compromise government systems. The lures referenced a NATO Secretary meeting and a European army unit’s visit to Montenegro, themes directly tied to the geopolitical tensions surrounding NATO expansion. This activity followed earlier distributed denial-of-service (DDoS) attacks in February 2017 against Montenegrin government organizations and media outlets, which occurred shortly after Prime Minister Duško Marković publicly criticized foreign interference in Montenegro’s NATO bid. The DDoS attacks caused intermittent disruptions but did not involve data theft or malware deployment.

FireEye attributed the June spear-phishing campaign to APT28 based on technical indicators, including the exclusive use of the Flash exploit framework and Gamefish malware—tools previously linked to the group. The attackers also reused infrastructure tied to prior APT28 operations targeting NATO members. FireEye noted APT28’s history of focusing on NATO-related targets aligned with Russia’s strategic opposition to the alliance’s expansion. The firm assessed the attacks as espionage efforts aimed at undermining Montenegro’s integration into NATO, reflecting Russia’s broader geopolitical stance. No specific data breaches or operational disruptions from the spear-phishing were detailed, but the incidents highlighted ongoing cyber risks to Montenegro’s institutions amid heightened regional tensions. FireEye warned that Russia’s opposition made further cyber activity likely despite Montenegro’s finalized NATO membership.
