Russia-Linked Hackers Hit Greek Military Headquarters: The Southern Flank Is Now an Intelligence Battlefield
By Bosphorus News Geopolitics Desk
Russia-linked hackers breached 27 email accounts at the Hellenic National Defense General Staff, exposing a cyber espionage operation that reached into one of NATO’s most sensitive southern flank militaries. The intrusion, which ran between September 2024 and March 2026, was uncovered not by Greek authorities but by British and American researchers at Ctrl-Alt-Intel after the attackers left their operational server exposed online. Reuters reviewed the underlying data and confirmed the scope, while the Greek General Staff did not respond to questions.
The accounts targeted were not random. Among those breached were the accounts of Greek defence attachés posted in India and Bosnia, as well as the public-facing inbox of Greece's Joint Armed Forces Mental Health Centre. The targeting pattern points to communication mapping rather than operational data collection, enabling pre-positioning well before any crisis materialises.
The Greek breach sits inside a campaign far larger in scale. The same operation compromised at least 284 inboxes between September 2024 and March 2026, according to Ctrl-Alt-Intel's analysis of the exposed server. More than 170 of those accounts belonged to Ukrainian prosecutors and investigators. Romania's reaction was the most concrete: the Air Force confirmed 67 attacks and the compromise of several dozen accounts, and in March 2026 the country placed its entire cyber defence operation under centralised national command. In Bulgaria, four accounts linked to Plovdiv provincial officials were breached, the same region where Russian interference allegedly disabled satellite navigation ahead of a European Commission visit last year. Military officials and academics in Serbia were also hit.
Attribution converges on Russia-linked actors. The precise unit has not been confirmed, and some researchers have cautioned against specific group attribution. What the data establishes is a state-level operation, consistent in method and sustained over eighteen months.
What makes the Greek case distinct is not the cyber intrusion alone. In early February 2026, a senior Hellenic Air Force officer was detained on espionage allegations involving China, with investigators examining possible access to NATO-classified material. As documented by Bosphorus News, the case was handled under military prosecution with EYP involvement. A Russian cyber campaign and a Chinese human intelligence case, against the same country's defence establishment, within the same period.
The physical dimension surfaced in Hamburg. A Eurojust-coordinated operation in early February led to the arrest of a Romanian and a Greek national in connection with deliberate sabotage of German Navy vessels under construction. As detailed by Bosphorus News, investigators found abrasive material introduced into engine components, interference with fuel and freshwater systems, and manipulation of electronic systems. Both suspects had authorised access to the shipyard.
Türkiye has been working through its own exposure. In late January and early February 2026, authorities dismantled separate networks linked to Mossad and the IRGC. As reported by Bosphorus News, the Mossad case, codenamed MONITUM, involved encrypted communications through commercial and social contacts. The IRGC operation targeted surveillance of military installations including Incirlik Air Base.
The pattern reflects a shift from information theft to system-level mapping. The goal is not a document. It is a picture of how decisions form, where communication flows, which connections are load-bearing. Greece faces simultaneous cyber penetration and a human intelligence case targeting NATO-classified access. Türkiye is clearing foreign networks embedded in strategic contact chains. Across the Balkans and into Ukraine, the same campaign is mapping decision-making infrastructure rather than extracting files.
The Eastern Mediterranean sits at the intersection of NATO logistics, energy corridors and the defence coordination now accelerating across Greece, Türkiye and Cyprus. Several intelligence services have drawn the same conclusion about where to concentrate their collection effort.