A new joint report, published last week by the Netherlands General Intelligence and Security Service (AIVD) and the Netherlands Defence Intelligence and Security Service (MIVD), reports that Russian state actors are conducting digital espionage through hacking Internet-connected cameras in the Netherlands and other EU and NATO countries, as well as Ukraine.
Conducting espionage through hacked cameras isn’t new. In March, we wrote a blog post about malicious activity targeting IP cameras following the onset of the conflict in Iran. Years earlier, it was Dutch intelligence themselves who had hacked security cameras to gain insight into activities of the Russia-aligned actor APT29, also known as Cozy Bear.
In this case, the services say the goal of the hacking campaign is to gain insights into military transport routes, weapon deliveries to Ukraine, and the locations of Ukrainian military personnel. Captured imagery is analyzed using image recognition software to conduct targeted services.
The increased availability of artificial intelligence (AI) has made this latter task a lot easier. AI can also be used to correlate data gathered by different cameras to turn individual data points into a bigger picture about transport routers and military locations. Thus a single camera in a public location, such as a security camera at a petrol station, can still play a role in the espionage campaign.
Examining Cameras on the Internet
There are a great many cameras connected to the Internet. Censys data shows that in the Netherlands there are more than 45,000 such cameras: cameras that can be directly accessed from the public Internet through their IP address.

Having a camera publicly accessible doesn’t make it hackable. But almost 2,000 of the hosts running those cameras appear to contain an unpatched vulnerability that is known to have been exploited in the wild. This does not include zero-day vulnerabilities, vulnerabilities for which in-the-wild exploitation isn’t known yet, or devices with weak or compromised credentials.
A small caveat is that this doesn’t mean the camera software itself is vulnerable: many hosts run multiple services and the CenQL query merely looks for potentially vulnerable versions of any service. If we restrict ourselves to known exploited vulnerabilities in camera software itself, the query currently returns 541 services. However, as access to one service can often be used to take over the full host, we consider the broader query to give all hosts of concern. The same caveat applies to the table later in this blog post.

This includes 159 hosts that appear to be vulnerable to CVE-2016-7407, an arbitrary code execution vulnerability in the Dropbear SSH service that has been known about since March 2017. 112 cameras in the Netherlands are likely vulnerable to CVE-2021-39275, a five-year old buffer overflow vulnerability in the Apache HTTP Server.
Of course, vulnerable cameras aren’t unique to the Netherlands. Below is a table with the number of Internet-connected cameras and those with a known exploited vulnerability for each European country that is a member of the EU and/or NATO, as well as Ukraine.
| Country | Number of cameras | Number of cameras with a potentially exploited vulnerability |
| Albania | 2158 | 206 |
| Austria | 9280 | 935 |
| Belgium | 24659 | 1168 |
| Bulgaria | 67277 | 2845 |
| Croatia | 5627 | 168 |
| Cyprus | 2376 | 92 |
| Czechia | 28529 | 2922 |
| Denmark | 7326 | 564 |
| Estonia | 7350 | 512 |
| Finland | 4060 | 811 |
| France | 68317 | 8977 |
| Germany | 65539 | 8401 |
| Greece | 24623 | 649 |
| Hungary | 18235 | 933 |
| Iceland | 566 | 21 |
| Ireland | 13350 | 4918 |
| Italy | 99203 | 12678 |
| Latvia | 8095 | 496 |
| Lithuania | 17564 | 777 |
| Luxembourg | 699 | 58 |
| Malta | 2965 | 61 |
| Montenegro | 393 | 13 |
| Netherlands | 45386 | 1992 |
| North Macedonia | 2065 | 102 |
| Norway | 4140 | 477 |
| Poland | 57534 | 4250 |
| Portugal | 34713 | 1286 |
| Romania | 64789 | 1963 |
| Slovakia | 10453 | 1015 |
| Slovenia | 3701 | 160 |
| Spain | 81371 | 8685 |
| Sweden | 16431 | 4376 |
| Turkey | 81148 | 3864 |
| Ukraine | 60487 | 4097 |
| United Kingdom | 113962 | 7142 |
That makes more than 87,000 exploitable Internet-connected cameras, including more than 4,000 in Ukraine. And as mentioned previously, this number is a lower bound.
How to Protect Internet-Connected Cameras
The first step in preventing cameras on your network from being used in this way is to know what devices you have exposed in the first place.
Get Full Visibility of Your Attack Surface
Censys Attack Surface Management can help you identify everything on your attack surface — from cameras to old assets you didn’t realize were still Internet-connected.
Once identified, it is important to ensure the cameras run up-to-date firmware and software.
Strong access control and, if possible, limiting direct access to IP cameras from the Internet also mitigate the risk of hacks.
Aside from these recommendations, the services’ report also suggests limiting cameras’ field of vision to keep irrelevant objects (that may be of interest to adversaries) out of view.
Why not check right now if newer firmware or software is available? Here are the relevant pages for popular camera brands: Hikvision; Mobotix; Amcrest; Dahua; Hanwha; Bosch.
Conclusion
The use of hacked IP cameras by a Russian state actor is another example of how vulnerable Internet-connected devices are to state-aligned adversaries, even when these devices themselves don’t seem to contain any interesting data.
The same logic applies just as directly outside the military context: an unpatched camera at a manufacturing plant’s loading dock, an energy utility’s substation perimeter, or a bank branch’s exterior.
These transcend IT liability. They’re a live feed of physical operations, revealing shift changes, shipping schedules, security patrol timing, or which entrances go unguarded overnight. Spying doesn’t require breaching the corporate network first; a single overlooked device with a years-old CVE can hand a competitor, criminal group, or state actor months of low-cost reconnaissance on how the physical site actually runs.
CTI teams can leverage Censys Platform to create a collection monitoring CVE-2016-7407-vulnerable Dropbear hosts in their territories. To see how Censys provides you with the intelligence and speed required to protect your attack surface, request a demo.

