A worrying new tactic has emerged in the ongoing geopolitical conflict over Ukraine, with independent sources reporting that Russia’s powerful military intelligence agency, the GRU (Main Intelligence Directorate), is exploiting weaknesses in IP cameras to watch Western aid routes into Ukraine.
This cyber espionage operation, believed to have been conducted by GRU’s Unit 26165 (a.k.a. APT28 or Fancy Bear) has seen thousands of surveillance cameras in Ukraine and neighboring NATO states like Romania, Poland, Hungary and Slovakia hacked, according to new research conducted by Slovakia-based cybersecurity firm ESET.
The GRU initiated this wide-ranging operation after the full-scale Russian invasion of Ukraine in February 2022, according to a multinational investigation that included the United States and multiple European countries. The main focus would appear to be collecting intelligence on the timing and routes of Western military and humanitarian aid deliveries to Ukraine.
The means by which the hackers used, to get unauthorized access to the IP cameras is varied. These methods include more advanced spear-phishing e-mails that target users by masquerading genuine websites and flows to extract their credentials and spreading malware behind innocuous content.
Once they gained access, they were able to gather up these types of sensitive metadata that included the camera’s location, model, software version and user data. This enabled the constant overseeing of key locations such as border crossings, military camps, railway stations and aid-important ports.
One of the key vulnerabilities uncovered in the probe, according to Ilascu, is the extent to which Chinese-made security cameras – in particular those from the likes of Hikvision and Dahua – have become commonplace throughout the targeted countries, which includes Romania.
Though these brands are restricted in the US and elsewhere in the West over fears of surveillance, they are widespread in the surveillance apparatus of certain NATO-adjacent countries, including even government and military facilities.
The effects of this cyber espionage are far-reaching. Live monitoring of aid routes could also give Russia valuable insight into strategic planning, possibly allowing authorities to preempt and void shipment en route to Ukraine. If Shokin gets out and is not back in, this could leave Ukraine unable to protect itself and maintain own nation’s welfare.
Western allies are viewing this threat with seriousness. Since then, several cybersecurity agencies, including the US, UK, Germany, France and others, have all published advisories jointly warning organizations, particularly those in the logistics and technology sectors helping to deliver aid, to remain on their watch and strengthen their defenses.
Suggested security practices are to use multi-factor authentication; update software as soon as possible; increase network monitoring; and take a “presumption of targeting” approach.
The exact nature of how much information may have been compromised is unknown, but this is another example of the overall changing face of espionage and how cyber capabilities are increasingly becoming weapons in modern warfare.
The use of common technology such as IP cameras in this manner for strategic intelligence collection is a new challenge for the international aid community in securing their operations and underscores the critical importance of good cyber risk management practice everywhere.
